[BreachExchange] Three UK does it again: Random folk on network website are still seeing others' account data

Destry Winant destry at riskbasedsecurity.com
Thu Nov 7 09:45:26 EST 2019


https://www.theregister.co.uk/2019/11/05/three_uk_data_breach_homepage_again/

British telco Three UK has once again let random people viewing its
homepage view its customers' account details as if they were logged
in, exposing personal and billing data to casual browsing.

Several Reg readers got in touch with us on Friday afternoon and
Saturday after noticing that when visiting Three's website, they
appeared to be logged into accounts that were not their own.

The blunder is a carbon copy of an event in February which we
exclusively revealed.

Reg reader Keith told us on Friday: "This happened to me this morning.
Hotspotted on to Three with phone and laptop. Went to Three website
(never been there before on device) and I could see someone else's
account loaded up. Someone other side of country I do not know – same
as your article [from February] but could see pdf bills with all call
details."

El Reg has been shown recent screenshots of the CK Hutchison Holdings
subsidiary's website displaying various people's names and access to
the "My3 Home" area. That login-protected part of the website contains
one's personal details and billing information.

Yet another customer took to Twitter to complain about the issue:
ian martin (@juan_martinez):

@ThreeUK hi, i tried to contact the support team yesterday but no
response. You sent me a bill reminder via SMS. When I follow the link
it logs me in to someone else's account with full access to their
bills, usage, phone number. Seems like a huge DPA breach. No password
required

Three UK claims to have around 10 million customers.

It is unknown whether the privacy blunder was linked to the website
falling offline in the middle of last week. A number of people
contacted Three last week to say they were unable to log into their
accounts, with some doing so via Twitter:

Madalina Brait (@braitmadalina):

@ThreeUK how long is your website and app down for?? It’s been 2 days now.

Rhiannon Meredith (@r_m_meredith):

Hi @ThreeUK I’m trying to top up my data for my mobile broadband, but
your website seems to be down and I can’t find anywhere which tells me
the SIM number in order to top up via the app. Please can you help?
We asked Three if it wanted to comment on the fact that yet again its
customers' personal and billing information had been bared to anyone
driving past on the information superhighway.

A spokesbeing said: "We are aware of an issue with my3 where fewer
than 10 customers have reported being able to view another customer's
account information. No sensitive financial information was viewable
at any time, we are investigating the matter and we apologise for any
inconvenience caused."

So that's alright, then.

An Information Commissioner's Office (ICO) spokesperson told The
Register: "We are aware of an incident concerning 3 Mobile and will be
assessing the information provided."

That assessment is being carried out with an eye on Regulation 5a of
the Privacy and Electronic Communication Regulations, which deals with
"personal data breaches" and says that telcos must explain to the ICO
precisely how big the breach was and what they have done to fix the
damage.

Regulation 5a(3) says that "… if a personal data breach is likely to
adversely affect the personal data or privacy of a subscriber or user,
the service provider shall also, without undue delay, notify that
breach to the subscriber or user concerned."

Given that anyone was able to view Three customers' data
intermittently during the affected period, we at El Reg suggest the
ICO asks Three to supply it with the number of people accessing the
My3 account information area of the website during that time. After
all, a well-designed user account area means it should be trivial for
a service provider to track when a particular account was last logged
into or accessed … shouldn't it?
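The closing point, that a properly built account area can say who viewed which account and when, is illustrated below with an added example that is not part of the article or of Three's systems. It assumes a per-request access log that records both the identity a session authenticated as and the account whose data the page actually rendered (field names, account identifiers and the sample entries are all constructed for the example). With that one pairing recorded, the cross-account views the article describes become a straightforward query, and the per-account viewer count the ICO might ask for falls out of the same data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log for a login-protected account area. Each entry records
# the subscriber the session was authenticated as (None = no login at all) and
# the account whose data was rendered. Field names are assumptions, not any
# real operator's schema.
SAMPLE_LOG = [
    {"ts": "2019-11-01T09:02:11Z", "session": "s1", "auth_subscriber": "A100", "viewed_account": "A100", "path": "/my3/home"},
    {"ts": "2019-11-01T09:05:40Z", "session": "s2", "auth_subscriber": "B200", "viewed_account": "A100", "path": "/my3/bills"},
    {"ts": "2019-11-01T09:06:02Z", "session": "s3", "auth_subscriber": None,   "viewed_account": "A100", "path": "/my3/bills/pdf"},
    {"ts": "2019-11-01T10:15:00Z", "session": "s4", "auth_subscriber": "C300", "viewed_account": "C300", "path": "/my3/home"},
    {"ts": "2019-11-02T08:00:00Z", "session": "s5", "auth_subscriber": "D400", "viewed_account": "C300", "path": "/my3/usage"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def authorize_view(auth_subscriber, requested_account):
    """Server-side ownership check the account area should apply before
    rendering: an unauthenticated session, or one authenticated as a
    different subscriber, must not see the requested account."""
    return auth_subscriber is not None and auth_subscriber == requested_account


def cross_account_views(events):
    """Log entries where the account rendered is not the account the session
    authenticated as (including entries with no authenticated identity).
    Any non-empty result is the signal that the page served someone else's
    data."""
    return [e for e in events
            if not authorize_view(e["auth_subscriber"], e["viewed_account"])]


def viewers_per_account(events, start, end):
    """Distinct identities that accessed each account within [start, end):
    the figure a regulator could ask the provider to supply for the affected
    period. Unauthenticated sessions are keyed by session id so they are
    still counted."""
    start_t, end_t = parse_ts(start), parse_ts(end)
    viewers = defaultdict(set)
    for e in events:
        t = parse_ts(e["ts"])
        if start_t <= t < end_t:
            who = e["auth_subscriber"] or f"anon:{e['session']}"
            viewers[e["viewed_account"]].add(who)
    return {account: sorted(ids) for account, ids in viewers.items()}


def last_access(events):
    """Most recent access per account, regardless of who made it, as an
    ISO-8601 string; the 'last logged into or accessed' value the article
    says should be trivial to produce."""
    latest = {}
    for e in events:
        t = parse_ts(e["ts"])
        account = e["viewed_account"]
        if account not in latest or t > latest[account]:
            latest[account] = t
    return {account: t.strftime("%Y-%m-%dT%H:%M:%SZ") for account, t in latest.items()}


if __name__ == "__main__":
    for e in cross_account_views(SAMPLE_LOG):
        print(f"{e['ts']} session {e['session']} (auth={e['auth_subscriber']}) "
              f"rendered account {e['viewed_account']} at {e['path']}")
    print(viewers_per_account(SAMPLE_LOG, "2019-11-01T00:00:00Z", "2019-11-02T00:00:00Z"))
    print(last_access(SAMPLE_LOG))
```

The design point is that `authorize_view` is the same predicate used both at request time (to refuse the render) and at audit time (to find the misses), so the log can never report "fine" for a request the application would have refused. Note that the regulator's question is answered by `viewed_account`, not by the session's own identity: counting logins per subscriber would miss exactly the case the article describes, where the session was never the account holder's in the first place.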
