Three Mobile Cyber Attack: Six Million Customers’ Details Exposed

One of Britain’s biggest mobile phone companies, Three, has admitted to a major cyber-security breach which could have exposed six million customers’ personal data at risk. Three Mobile admitted that hackers have successfully accessed its customer upgrade database after using an employee login. IT security experts from Ping Identity, NSFOCUS, Security Company Centrify, Alert Logic, Lieberman Software, Redscan, Informatica, Intercede, ESET, Certes Networks, RES, Verizon, WhiteHat Security, Barracuda Networks, ForgeRock, ZoneFox, Glasswall Solutions, Post-Quantum, Vectra Networks, WinMagic and Ipswitch commented below.
Hans Zandbelt, Senior Technical Architect at Ping Identity:
“Another high-profile data breach such as this reminds us that our identities are increasingly becoming the target for many sophisticated hackers, today. With the rise in ‘phantom employees’ and the insider threat, organisations must implement and invest in two-factor and multi-factor authentication to safeguard data and maintain customer loyalty. Our recent survey found that 90 percent of IT decision makers say identity and access management technologies are critical to succeeding at digital transformation. Businesses across the UK must prioritise this in 2017 and beyond.”

Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS:
“Here is yet another case of lackadaisical security controls. The first question is, how did hackers gain access to an employee’s credentials in the first place, and why wasn’t two factor authentications enforced for every employee? If so, this hack would have never taken place. A little inconvenience for employees logging in would have likely saved hundreds of thousands of pounds in fines. In this case, an ounce of prevention would have been much less, than the “pounds” of the cure they’ll likely have to consume.”

Barry Scott, CTO EMEA at Security Company Centrify:
“Valid credentials were used for the Three data breach, but was the perpetrator a hacker from outside, or an employee gone bad? The extent of the breach is currently unclear – was the stolen data a list of customers eligible for an upgrade, or was it an entire customer database? Maybe only the data of those people eligible for an upgrade has been used so far? Has data not used for the phone upgrade scam made its way onto the dark web, where it may be used for future phishing and hacking attacks?
Compromised credentials are the cause of many major breaches, and the way into the target network is often through trusted third-party suppliers or contractors who are breached first, and may not have such rigorous security as the real target.
Should the user whose credentials were used have had access to whatever data was stolen? Corporate networks often allow far too much access, to too much data, and to too many systems, rather than only allowing the access appropriate for someone’s job.
Multi-factor authentication, where entering a password is combined with other authentication methods, such as acknowledging a notification on your phone, can be used to stop the use of stolen credentials, and full session recording acts both as a strong deterrent to insider threats and a great tool for forensic analysis.
Three should advise affected customers how they can protect themselves against repercussions of this breach. Changing passwords, especially if using the same one on different websites, is often advised and people should have a heightened awareness of suspicious activity on bank accounts, and be especially vigilant for phishing mails.”
Oliver Pinson-Roxburgh, EMEA Director at Alert Logic:
“This breach reinforces two things:
1. Enforce least privileges
2. Know where your data is and who has access
So many organisations we speak to know they have a problem, but find it a real struggle to control access, especially in these larger organisations. To mitigate:
Get visibility on how many records have been accessed and monitor who and why they have been accessing data
Get exposure to communication streams to ensure you can spot exfiltration
Enforce least privileges”

Jonathan Sander, VP of product strategy at Lieberman Software:
“All chains break at their weakest link, and the insider login used to steal new phones at Three was clearly what broke for thousands of Three customers. As we see the convergence of systems meant for employees only, the disappearance of the wall between internal networks and the Internet as we all move to the cloud and the sand-old approach to protecting employee logins, we will see more of this fraud. What Three saw as ‘business as usual’, a clever attacker saw as a way to make money. Allowing an agent to send a new phone to a specific location seems like an innocent enough power to grant them with a few clicks of their mouse, but when the wrong person was clicking, it meant Three was shipping new phones to the bad guys.”
Gubi Singh, COO at Redscan:
“High-profile attacks seem to be a weekly occurrence at the moment and stress the need for businesses to rally behind the government’s National Cyber Security Strategy.
“Companies need to realise that they have a duty to protect their customers by advocating tighter security controls and improving employee education of threats.
“Leaders need to head warnings now ahead of the EU’s General Data Protection Regulation which could see organisations landed with huge fines for suffering a breach.”

Greg Hanson, Vice President Worldwide Consulting at Informatica:
“The Three data breach highlights the urgency with which companies must address the state of their data security. All data must be protected, wherever it is stored and whatever form it takes. In this case the attackers gained access with a valid login – a clear indication that companies must expand their definition of sensitive data if they are to safeguard this kind of key information.
“Companies must move away from a damage-control mindset to a deep understanding of their sensitive information, so that they can implement data-centric security and protect it wherever it moves in the organisation. Unless companies understand exactly where their valuable assets originate, proliferate and reside, it is extremely likely that they will lose control of that data. And as the Three breach proves, companies must even prepare for an attack from the inside.”
Richard Parris, CEO at Intercede:
“The news of yet another security breach, this time at Three Mobile, makes depressing reading and it seems to be a story without an end. These sort of breaches, whether carried out by employees, customers or third parties all appear to have something in common – fundamentally insecure approaches to identity, credential and application management.
“Driven perhaps by a slavish devotion to short term margin and revenue growth, we now have what amounts to corporate blindness. The risks are well known, and the solutions are available, but rather than sort the issue, C-level executives and board members the world over simply hope their company isn’t next on the hit list.
“Digital trust is essential in an increasingly digital world and, if company executives and board members refuse to take action to protect their customers, it may be time for governments and regulators to get much more involved.”
Mark James, Security Specialist at ESET:
“Three men have been arrested after Three announced a data breach had occurred that allowed fraudsters to steal phones. They state no credit card or payment information had been stolen, but what could have been stolen is actually a lot worse, personal data, including names, addresses and important upgrade information regarding mobile contracts.
Whenever there is a breach we always ask about credit card and bank info being stolen because it’s tangible data we all relate to but you can change that. You can cancel cards, you could even change banks if you really wanted to, but some things are not so easy to change, your name, address, date of birth are all things we can’t just change because there’s a data breach. These things are tied intricately into our lives, and these details are the data that WILL be used in ongoing phishing and scam attacks. Mobile phones are an integral part of our lives, we as humans are nearly always on the lookout for a deal or a bargain and sadly cybercriminals are always on the lookout for a scam or a victim. Put the two together and with the three data you have some very nice bait to entice you into that bargain upgrade phone, all you need to do is follow the link and enter some details…….”
Please be very careful of emails or phone calls that offer deals that seem too good to be true, do some checks, make a phone call yourself, if the deal is genuine it will still be available in a few hours, after you have verified its validity.”
Dan Panesar, VP EMEA at Certes Networks:

“The Three breach bears the hallmark of every major data breach of the last decade – hackers have stolen credentials to gain unauthorized access to sensitive data. They can then bypass firewalls, intrusion detection and a host of other defences becoming a ‘trusted’ insider at which point traditional cybersecurity defences are rendered useless. It means that anyone at all within an organisation can become the steppingstone to a goldmine of sensitive data.

“The only way to halt such breaches is for the industry to rethink trust. The industry needs to adopt a “Zero Trust” model in which it is assumed that every user might be compromised, and that no user is implicitly trusted. Any user might be a hacker in disguise. Organisations must adopt a ‘need to know’ access strategy, meaning users can only access the data they need to do their job. This means that when, not if, a hacker does pass a company’s outer defences, as has happened time and time again, they do not have free rein over the systems of a company holding the personal data of millions of customers.”
Jason Allaway, VP of UK & Ireland at RES:
“Another month and another major mobile network being hacked – and it seems no lessons have been learnt.
It appears the vulnerability came from a legitimate employee log-in, which provided the gang with easy access to critical information. On top of this, it bought them valuable time before anyone at Three noticed the unusual behaviour. These are both factors why an insider threat can prove far more dangerous than brute-forcing your way into a network. Any log-in or access details need to be strictly monitored by companies to prevent these kinds of attacks happening.
I believe this points to an issue with the on- and off-boarding processes at Three. Such issues should be addressed by refining and automating such processes to ensure they are protected against risk. New joiners should be granted the correct access, and leavers should be stripped of access entirely. If companies secure the lifecycle, new joiners and those exiting the company will not expose an access point leaving open the door to an opportunistic cybercriminal.
Technology in this sense is one piece of the puzzle, but it isn’t the whole picture. It may be that this log-in was not given out maliciously. Someone may have left themselves logged in or ticked “remember my details” on a public computer – or left a device on the train in their rush to get off at the right stop. By educating staff, the likelihood of these sensitive details falling into the wrong hands can be drastically reduced.”
Laurance Dine, Managing Principal, Investigative Response at Verizon:
“Despite advances in information security research and cyber detection solutions and tools, we continue to see many of the same errors we’ve known about for more than a decade now. The latest DBIR shows that 63% of confirmed data breaches involve using weak, default or stolen passwords – and here we are again. Our research shows that attackers are getting even quicker at compromising their victims and the detection deficit (i.e. the time between a company being compromised and the time it takes for that to be uncovered) is getting worse.
At this stage, we do not know how the password was acquired, but it has the hallmark of the increasingly common ‘three prong attack’ identified in our research. Many organisations are falling prey to these attacks that include: Sending a phishing email with a link pointing to the malicious website or mainly a malicious attachment; downloading malware onto an individual’s PC that establishes the initial foothold, and can be used to look for secrets and internal information (such as password) to steal or encrypt files; then using the credentials for further attacks, for example, to log into third party websites like banking or retail sites or in this instance ordering upgrades and stealing the phones.
Companies really need to get back to basics to stop such threats taking hold. For example: use two-factor authentication for systems and encourage users to use two-factor when logging into popular social networking apps; monitor all inputs and review all logs to help identify malicious activity; encrypt your data; train your staff and develop security awareness within your organization; and last but not least know your data and protect it accordingly, limiting who has access to it.”
Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:
“It appears that an employee has had their credentials compromised. This could have been caused a direct attack, where the attacker attempted to steal the credentials of a specific user, or by using compromised credentials from an entirely different data breach. The simple truth is that people often use the same username and password combinations on a variety of different sites and systems. With the high number of password leak incidents recently, attackers will no doubt be trying to use compromised credentials on a variety of websites, to see if they work. Users must make sure they’re using different passwords on every site.”
Paul Lyden, VP Northern Europe at Barracuda Networks:
“All businesses have a duty of care to ensure that they have robust security systems in place to protect their own and their customers’ data. The latest hack against Three highlights that not enough is being done to get the correct security procedures and systems in place. We are entering a golden age for digital crime. Experience tells us that when faced with a potential security incident, companies and IT security teams must over-communicate the threat, advise staff accordingly and review their security posture to prevent and contain any damage. Businesses have injected change at accelerating speed into all elements of IT and many organisations are fighting an increasingly challenging battle to keep their security stable. It has now become easy for attackers to find an unprotected door.”
Jonathan Scudder, Chief Architect & Co-Founder at ForgeRock:
“The importance of digital security has never been higher. The volume of personal data is growing at an unprecedented rate and locking all this information in a filing cabinet is no longer an option. Ensuring that hackers cannot gain access to a system isn’t actually enough; no system is perfect.
“Whether the incident at Three proves to be an insider breach or an external hack, there are steps that every business should be taking to ensure that they both recognise and can prevent the abuse of privileged access. For many companies, this is still an afterthought, and yet the cost of breaches is significant – $21,000 per day according to the Ponemon Institute’s 2015 report on the cost of cyber crime.
“Access control for employee accounts is not an on-off switch. As custodians of our data, companies need to actively review and manage their internal access controls using appropriate services and products. Protecting personal data is a significant challenge that cannot be taken lightly.”
Dr Jamie Graves, CEO at ZoneFox:
“while details are still emerging around the Three attack, most suggestions point towards the fact an employee login was used to gain access to critical information. This is seriously worrying for Three and highlights the danger of insider threats, which in effect open a backdoor for criminals to burst through and get hold of highly sensitive customer data.
“The criminals plan appears to have revolved around ordering phone upgrades, intercepting them and selling them on for profit. This might sound like a farfetched idea – but that’s often why such cyber gangs succeed –their plans are so audacious, no one expects them to actually implement them.
“Attacks like this often happen stealthily and wreak havoc rapidly – it’s important companies become more alert to such breaches and realise that they are all vulnerable. Too many businesses focus on threats that come from outside their organisations, which while a warranted focus, simply does not cover all their bases.
“Insider threats can stem from both malicious behaviour from within, but also through unintentional carelessness from even the most diligent of employees. Organisations like Three must ensure they are educating all staff to the importance of secure login details, but also go a step further and ensure they have visibility and control of data flow, within the organisation, so that any unusual or suspicious behaviour can be immediately uncovered and combated. In Three’s case, two-factor authentication and IT user account monitoring should be improved moving forward, to bolster its existing security processes and reduce the likelihood of a similar breach occurring.”
Greg Sim, CEO at Glasswall Solutions:
“The recent cyber-attack on mobile phone company Three really highlights the constant threat companies face from cyber criminals and the importance of robust and measurable cyber security system across all areas of their IT systems. This is a 24 7 challenge that is not going to go away and as custodians of customer data and financial information companies must put cyber security front and centre in their business and technology planning.
It’s no longer good enough to simply roll out the usual security products and assume that you will be safe, by their own admission the anti-virus industry have accepted that they cannot stop a targeted and sophisticated malware attack and an entire industry has grown out of the forensic analysis and damage limitation tasks. But by the time this process takes place it could be too late and customer data is compromised. Organisations need to look to innovation to secure their systems and protect their customers,”
Andersen Cheng, CEO at Post-Quantum:
“Over the last few years scores of businesses have been brutally exposed to insider threats, often with devastatingly public consequences. This is because too many digital security offerings are deployed primarily to protect against external threats and as such, are insufficient when it comes to dealing with attacks that happen from within an organisation.
Three is just another example in a long line of similar incidents, including most recently Tesco Bank and at a larger scale Mossack Fonseca, the law firm at the centre of the Panama Paper leaks. All have one thing in common – a single point of failure from within their organisations that was readily exploited.
Organisations like Three must reconsider how they protect their highest-value data and intellectual property and who accesses it as, there is a risk someone who works at the company was either part of a criminal gang, or was careless with critical logins. They have to assume data will be stolen or compromised, however secure they may seem and however loyal an employee may be.
In the physical world, it is harder for an asset to be stolen in critical organisations, given the level of security that is naturally in place. People have to sign into a building just to gain access, let alone get their hands on important company assets, which are guarded and tracked at all times. It is this kind of preventative techniques that must be replicated in the digital world at large companies like Three, to ensure their reputation and revenues remain intact.”
Oliver Tavakoli, CTO at Vectra Networks:
“Cyber criminals seeking the keys to the kingdom, may not need to rely upon the co-operation of an insider. In most cases, cyber attackers are gunning for what trusted users already have – authorised access credentials. Detecting a threat requires security teams to proactively identify when abnormal behavior occurs or in a way that could expose data or assets. The most common way to access unauthorised systems is through the acquisition and mis-use of legitimate credentials. Anyone with legitimate access to systems – physical or remote, is an insider threat.
“It’s troubling that Three only discovered the scale of the breach after receiving complaints from customers that scammers were fishing for their bank account details. With the availability of real-time detection methods today that provide insights needed to identify what’s happening at any given moment, and can analyse evidence of targeted attacks and data exfiltration, this lack of awareness is shocking.
“The most reputational damage comes not from the breach itself, but from how quickly an organisation can detect, understand and respond to the in-progress attack, as well how confidently it can advise customers of what exactly has gone wrong. With cyber attacks now being an inevitable eventuality, defence is desirable but detection is a must.”
Mark Hickman, COO at WinMagic:
“When data is taken from inside a company, it highlights the need for them to ensure that data is protected at rest, rather than simply protecting the perimeter of an organisation. So much effort is placed in stopping hackers getting in, that IT departments can lose sight of the fact that someone with authorised access, or credentials, can easily walk in and take what they want. Securing folders is not enough: Any data that you would fear losing, or is sensitive in any way, should always be encrypted at the end point in the organisation. Through a policy engine you can also ensure that data leaving the organisation is encrypted at external end points – access to the files remains completely under the control of the organisation.
“You may not be able to remove human factors from the variables that impact security, but with the correct application of encryption technology and policy control you can ensure that your data has a final line of defence, that will remain when all others fall.”
Michael Hack, Senior Vice President of EMEA Operations at Ipswitch:
“The Three data breach demonstrates that perimeter defences are not enough. Any organisation that handles customer data is at risk from insider threats. The way that files are managed, monitored and shared is key. An authorised login will enable someone with malicious intent to download data to a disc or USB key, unless there are safeguards built in to the infrastructure that flag this movement of data.
“Under new proposed EU data protection law (GDPR) fines for this kind of breach are set to increase drastically for private sector organisations to up to 4% of global turnover. Organisations can’t take chances when it comes to IT security and must make sure critical information is kept safe. By automating, managing and controlling all file transfers from a central point of control, employees can easily send and share files using IT approved methods. The IT department also gains complete control over activity. It’s no longer good enough just to have the right policies in place for secure data transfer, an organisation must ensure it has the right file transfer technologies, security systems, processes, and most importantly, staff training.”