Three UK does it again: Random folk on network website are still seeing others' account data

Once is an unfortunate cockup. Twice needs stamping on

By Gareth Corfield


British telco Three UK has once again let random visitors to its website view other customers' account details as though they were logged in as those customers, exposing personal and billing data to casual browsing.

Several Reg readers got in touch with us on Friday afternoon and Saturday after noticing that when visiting Three's website, they appeared to be logged into accounts that were not their own.

The blunder is a carbon copy of an event in February which we exclusively revealed.

Reg reader Keith told us on Friday: "This happened to me this morning. Hotspotted on to Three with phone and laptop. Went to Three website (never been there before on device) and I could see someone else's account loaded up. Someone other side of country I do not know – same as your article [from February] but could see pdf bills with all call details."

El Reg has been shown recent screenshots of the CK Hutchison Holdings subsidiary's website displaying various people's names and access to the "My3 Home" area. That login-protected part of the website contains one's personal details and billing information.

Yet another customer took to Twitter to complain about the issue:

Three UK claims to have around 10 million customers.

It is unknown whether the privacy blunder was linked to the website falling offline in the middle of last week. A number of people contacted Three last week to say they were unable to log into their accounts, with some doing so via Twitter:

We asked Three if it wanted to comment on the fact that yet again its customers' personal and billing information had been bared to anyone driving past on the information superhighway.

A spokesbeing said: "We are aware of an issue with my3 where fewer than 10 customers have reported being able to view another customer's account information. No sensitive financial information was viewable at any time, we are investigating the matter and we apologise for any inconvenience caused."

So that's alright, then.

An Information Commissioner's Office (ICO) spokesperson told The Register: "We are aware of an incident concerning 3 Mobile and will be assessing the information provided."

That assessment is being carried out with an eye on Regulation 5A of the Privacy and Electronic Communications Regulations, which deals with "personal data breaches" and says that telcos must explain to the ICO precisely how big the breach was and what they have done to fix the damage.

Regulation 5a(3) says that "… if a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider shall also, without undue delay, notify that breach to the subscriber or user concerned."

Given that anyone was able to view Three customers' data intermittently during the affected period, we at El Reg suggest the ICO asks Three to supply it with the number of people accessing the My3 account information area of the website during that time. After all, a well-designed user account area means it should be trivial for a service provider to track when a particular account was last logged into or accessed … shouldn't it? ®
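The kind of check the last paragraph is asking for, as an added example that is not code from The Register or from Three: given per-request logs from an authenticated account area that record both the session that made the request and the account the page actually rendered, list every account that was served to a session not authenticated as that account, and count the distinct sessions involved. The log format, field names, account identifiers and sample lines are all constructed for this example; nothing here assumes what caused Three's fault.

```python
"""Audit an account area's access logs for accounts shown to the wrong session.

Added example; not Three UK's or The Register's code. The log format below is
constructed: each line carries a UTC timestamp, the session id, the account the
session was authenticated as ("-" if none) and the account the response rendered.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) auth=(?P<auth>\S+) "
    r"shown=(?P<shown>\S+) (?P<path>\S+)$"
)

# Constructed sample log: sessions b7 and e5 are anonymous and d9 is logged in as
# ACC4410, yet all three were served ACC2048's pages (one of them a PDF bill).
SAMPLE_LOG = """\
2019-08-02T09:01:10Z sess=a1 auth=ACC1001 shown=ACC1001 /my3/home
2019-08-02T09:02:15Z sess=b7 auth=- shown=ACC2048 /my3/home
2019-08-02T09:02:40Z sess=b7 auth=- shown=ACC2048 /my3/bills/2019-07.pdf
2019-08-02T09:05:02Z sess=c3 auth=ACC3301 shown=ACC3301 /my3/home
2019-08-02T09:06:30Z sess=d9 auth=ACC4410 shown=ACC2048 /my3/home
2019-08-02T09:07:00Z sess=e5 auth=- shown=ACC2048 /my3/home
"""


def parse_ts(text):
    """Parse the fixed 'YYYY-MM-DDTHH:MM:SSZ' form used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    rec["auth"] = None if rec["auth"] == "-" else rec["auth"]
    return rec


def audit(log_text, start_iso, end_iso):
    """Scan the window [start, end).

    Returns (exposures, last_seen):
      exposures: account shown -> set of session ids that were NOT authenticated
                 as that account (anonymous sessions and cross-account views)
      last_seen: account shown -> most recent access time by any session
    """
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    exposures = defaultdict(set)
    last_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        shown = rec["shown"]
        last_seen[shown] = max(last_seen.get(shown, rec["ts"]), rec["ts"])
        if rec["auth"] != shown:
            exposures[shown].add(rec["sess"])
    return dict(exposures), last_seen


def summarise(exposures):
    """The two numbers a regulator would ask for first."""
    sessions = set().union(*exposures.values()) if exposures else set()
    return {"accounts_exposed": len(exposures), "sessions_involved": len(sessions)}


if __name__ == "__main__":
    exp, seen = audit(SAMPLE_LOG, "2019-08-02T09:00:00Z", "2019-08-02T10:00:00Z")
    for account, sessions in sorted(exp.items()):
        print(f"{account} shown to {len(sessions)} foreign session(s): {sorted(sessions)}")
    print(summarise(exp))
```

The check only works if the response path logs which account it actually rendered, not just which session it believed it was serving; when those two fields disagree on a live site, that disagreement is itself the alert, and it is what makes the "how many people saw what" question answerable after the fact.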
