Cyber Incident Victim: Three Mobile
Date: Nov 2016
Location: United Kingdom
Summary
A major UK telecommunications provider experienced a cyber breach where attackers used compromised employee credentials to access its customer upgrade database, potentially exposing personal information including names, phone numbers, addresses, and dates of birth for millions of individuals. The intrusion facilitated fraudulent handset upgrades, with perpetrators intercepting high-value devices—resulting in approximately 400 stolen phones from retail stores and eight illegally obtained through upgrade fraud. While financial data remained uncompromised, the incident raised concerns about potential misuse of personal data. Law enforcement arrested three individuals linked to computer misuse and obstruction offenses, with investigations ongoing. The company implemented enhanced security measures following the attack, which also involved coordinated burglaries targeting its physical stores.
Description
In November 2016, Three Mobile disclosed a cybersecurity breach involving unauthorized access to its customer upgrade database. Attackers used compromised employee credentials to infiltrate the system, potentially exposing the personal data of up to six million customers—approximately two-thirds of the company’s nine million subscribers. The compromised information included names, telephone numbers, addresses, and dates of birth, though financial data such as payment card details or bank account information remained unaffected. The breach was detected after the company observed a surge in attempted handset fraud over the preceding four weeks, including burglaries at retail stores and efforts to intercept upgraded devices. Hackers exploited the system to fraudulently upgrade customer accounts and divert high-value phones, likely for resale. Three Mobile confirmed approximately 400 handsets were stolen through physical burglaries, while eight devices were illicitly obtained via the upgrade fraud. The company did not initially notify affected customers and declined to confirm whether data had been exfiltrated or specify the exact number of impacted accounts during its initial disclosure on November 17, 2016.

The National Crime Agency (NCA) launched an investigation, resulting in the arrest of three individuals on November 16, 2016: two men aged 48 and 39 for suspected computer misuse offenses and a 35-year-old man for allegedly attempting to pervert the course of justice. All suspects were released on bail pending further inquiries. Three Mobile emphasized collaboration with law enforcement and stated it had implemented additional security controls to fortify its systems, though specific technical measures were not disclosed. The breach highlighted concerns that stolen personal data could be sold to criminal networks, echoing similar risks seen in prior incidents like the 2015 TalkTalk hack, which affected 157,000 customers. Three Mobile reiterated that the attack targeted its upgrade infrastructure exclusively and did not compromise broader customer financial ecosystems. The company’s network handled over 37% of UK mobile data traffic at the time, amplifying the incident’s visibility. No subscriber losses or direct financial impacts to Three Mobile were reported in the immediate aftermath, contrasting with TalkTalk’s experience of significant customer attrition and remediation costs.
