The news had been circulating in recent days, and yesterday the CEO of Three also confirmed that a database containing customer data was compromised in a hacker attack and that just over 130,000 customers were affected: “[..] As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices, and I wanted to update all our customers on what happened and what we have done. I understand that our customers will be concerned about this issue and I would like to apologize for this and any inconvenience this has caused.
Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue. On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell those devices.
I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained, but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.
We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.
We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. As an additional precaution, we have put in place increased security for all these customer accounts. We have been working closely with law enforcement agencies on this matter and three arrests have been made.
I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologize.”
In short, David Dyson, CEO of Three's UK subsidiary, says that the hackers (believed to be two men from Kent and Manchester) used the information, including names, addresses and dates of birth, to order new phones for accounts that were eligible for an upgrade, and even managed to get a small batch of the smartphones delivered (and then intercepted).
The upside is that, according to 3UK's account, the breached data did not contain any information about payment methods or passwords.
3UK has also committed to individually informing all affected customers of the breach.
Meanwhile, justice is taking its course: in addition to the two men arrested on suspicion of the breach, a third man has also been arrested for obstruction.