[BreachExchange] Telcom Company Three Mobile Breached in Scam

[Audrey McNeil]

http://www.databreachtoday.com/telcom-company-three-
mobile-breached-in-scam-a-9551

Three Mobile, one of the largest U.K. mobile providers, has apologized
after scammers gained access to its systems, ordering new phones for a
handful of the company's customers with the intent of intercepting the
deliveries and committing fraud.

The fraudsters accessed a database that's used for upgrading consumers to
new devices. All told, 133,827 accounts were at risk, but only eight
customers had been upgraded without their knowledge.

"I understand that our customers will be concerned about this issue, and I
would like to apologize for this and any inconvenience this has caused,"
writes Three Mobile CEO David Dyson in a Nov. 18 statement posted on the
company's website.

The breach also exposed some customer information, Dyson writes. No bank
account details, passwords, PINs or payment card information were stored on
the upgrade system. Three Mobile has since put in place additional security
measures.

"We believe the primary purpose of this was not to steal customer
information but was criminal activity to acquire new handsets
fraudulently," Dyson writes. 'We are contacting all of these customers
today to individually confirm what information has been accessed and
directly answer any questions they have."

Slow To Notify

Three Mobile didn't provide an explanation for how attackers managed to
gain access to so many accounts.

In a Q&A on its website, Three Mobile says "upgrade fraud of this type is
an ongoing industry issue." Three has been notifying customers via text
message, who have been advised to change their account passwords.

Three Mobile says it has also notified regulators. The company has already
been hit with some criticism for waiting too long to notify customers,
according to The Daily Telegraph. Three Mobile responded to queries about
the breach on Twitter and news stories popped up before the company
published information on its website.

Three Arrests Made

Dyson writes that the company has been working closely with law
enforcement, which has made three arrests.

The BBC reported the National Crime Agency arrested a 48-year-old man from
Kent and two men from greater Manchester. All were released on bail. A
Three Mobile spokesman told the broadcaster that the online fraud came
concurrently with a spike in burglaries of retail stores, which has so far
caused the loss of 400 phones.

Mobile phones are an attractive item to steal, as the resale value can be
high and the devices can be easy to offload.

TalkTalk Update

Three Mobile's breach comes just a month after regulators levied a record
fine against the London-based mobile and broadband provider formerly known
as TalkTalk. Six suspects, nearly all teenagers, were arrested in
connection with attempts to try to blackmail the company.

The week-long cyberattack in October 2015 allowed the attackers to access
names, birthdates, addresses, phone numbers and email addresses for 156,959
TalkTalk customers. Bank account details and sort codes were exposed for
15,656 accounts, according to the Information Commissioner's Office.

TalkTalk was stung last month with a £400,000 fine, largest-ever penalty
from the ICO (see TalkTalk Slammed with Record Fine Over Breach).

TalkTalk's vulnerabilities stemmed from weak infrastructure that fell under
its wing with its acquisition of Tiscali UK in 2009. The ICO found the
attackers used SQL injection flaws in web pages that were part of Tiscali's
infrastructure.

SQL injection is a technique where malicious commands are inputted into
web-based forms. SQL databases may respond to those commands and reveal
sensitive data if not securely configured. The TalkTalk attackers managed
to reach a customer database, which was outdated and no longer supported by
the manufacturer, the ICO says.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161121/2ce89a19/attachment.html>