Message from Dave Dyson:
18 November 2016 - Updated 25 November 2016.
As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done.
I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused.
Once we became aware of suspicious activity on the upgrade system, we took immediate steps to block it and add additional layers of security while we investigated the issue.
On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.
I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained, but no bank details, passwords, PIN numbers, payment information or credit/debit card information are stored on the upgrade system in question.
We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.
We have contacted all of these customers to individually confirm what information has been accessed and directly answer any questions they have.
As an additional precaution we have put in place increased security for all these customer accounts.
We have been working closely with law enforcement agencies on this matter and three arrests have been made.
We also contacted affected customers and took immediate steps to block this activity and added additional layers of security on the upgrade system and, as a precaution, additional security on all customer accounts.
We have continued to work closely with law enforcement to support the ongoing investigation into this issue.
During the course of the investigation additional files were recovered, which we have analysed, and we identified that information from a number of other customer accounts was obtained as part of the same activity.
We can re-confirm that no financial information, bank details, passwords or PIN numbers were viewed or obtained as they are not stored on the upgrade system.
We have written to these affected customers to tell them what information was obtained and apologise for the inconvenience and concern this may cause.
If you are concerned about the impact this may have on you, there are a number of steps you can take.
We would recommend you monitor all your accounts for any suspicious activity. You should be wary of people calling and asking for any personal information or banking details – even if they say they are from a company you regularly deal with. You should also regularly change any passwords you have.
Is this related to the activity discovered in November 2016?
Yes. During the course of the investigation into that activity, law enforcement recovered additional files as part of the same activity, which we have analysed. No fraudulent activity has been identified against the customers we have contacted.
When did you discover additional information had been obtained?
We contacted affected customers once we identified them from the additional files recovered by law enforcement.
When will I know if I am impacted?
We have contacted the additional customers affected by this issue by text message and by letter. We have put in place enhanced controls to protect your mobile account and assure you that Three takes the security of your data very seriously.
If I am one of those whose details were compromised, how can I make myself more secure?
The primary purpose of this was not to steal customer information but was criminal activity to order and sell on new handsets fraudulently.
However, we ask customers to be cautious about anyone contacting them. If it is a call from Three and you are in any doubt that it is genuine, end the call and call us back on 333 from your Three mobile. We advise caution when dealing with other service providers you may use.
We have contacted those customers who have been affected by this incident. We would recommend that, if you haven’t created passwords or an account PIN (personal identification number) on your Three account, you do so as a precaution. You may wish to change any existing PINs or passwords on your account to further safeguard your details.
Are you working with law enforcement on this matter?
Yes. We have been working with external law enforcement agencies, specifically the NCA and the NCSC. Both organisations provide advice to consumers on how to keep your data safe and protect yourself from fraud. Details of these organisations and what they do can be found at www.ncsc.gov.uk and www.nationalcrimeagency.gov.uk.
Three is very grateful for the support these organisations have provided during this investigation.
Should customers cancel their credit/debit cards?
We would reassure customers that no financial or card information has been accessed.
If you are concerned about the impact this may have on you, there are a number of steps you can take. We would recommend you monitor all your accounts for any suspicious activity. You should be wary of people calling and asking for any personal information or banking details – even if they say they are from a company you regularly deal with. You should also regularly change any passwords you have.