Three UK does it again: Random folk on network website are still seeing others' account data

Once is an unfortunate cockup. Twice needs stamping on

35 Got Tips?

British telco Three UK has once again let random people viewing its homepage view its customers' account details as if they were logged in, exposing personal and billing data to casual browsing.

Several Reg readers got in touch with us on Friday afternoon and Saturday after noticing that when visiting Three's website, they appeared to be logged into accounts that were not their own.

The blunder is a carbon copy of an event in February which we exclusively revealed.

Reg reader Keith told us on Friday: "This happened to me this morning. Hotspotted on to Three with phone and laptop. Went to Three website (never been there before on device) and I could see someone else's account loaded up. Someone other side of country I do not know – same as your article [from February] but could see pdf bills with all call details."

El Reg has been shown recent screenshots of the CK Hutchison Holdings subsidiary's website displaying various people's names and access to the "My3 Home" area. That login-protected part of the website contains one's personal details and billing information.

Yet another customer took to Twitter to complain about the issue:

Three UK claims to have around 10 million customers.

It is unknown whether the privacy blunder was linked to the website falling offline in the middle of last week. A number of people contacted Three last week to say they were unable to log into their accounts, with some doing so via Twitter:

We asked Three if it wanted to comment on the fact that yet again its customers' personal and billing information had been bared to anyone driving past on the information superhighway.

A spokesbeing said: "We are aware of an issue with my3 where fewer than 10 customers have reported being able to view another customer's account information. No sensitive financial information was viewable at any time, we are investigating the matter and we apologise for any inconvenience caused."

So that's alright, then.

An Information Commissioner's Office (ICO) spokesperson told The Register: "We are aware of an incident concerning 3 Mobile and will be assessing the information provided."

That assessment is being carried out with an eye on Regulation 5a of the Privacy and Electronic Communication Regulations, which deals with "personal data breaches" and says that telcos must explain to the ICO precisely how big the breach was and what they have done to fix the damage.

Regulation 5a(3) says that "… if a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider shall also, without undue delay, notify that breach to the subscriber or user concerned."

Given that anyone was able to view Three customers' data intermittently during the affected period, we at El Reg suggest the ICO asks Three to supply it with the number of people accessing the My3 account information area of the website during that time. After all, a well-designed user account area means it should be trivial for a service provider to track when a particular account was last logged into or accessed … shouldn't it? ®

Sign up to our NewsletterGet IT in your inbox daily


Keep Reading

Man arrested over UK's Lancaster University data breach hack allegations

Updated 25-year-old Bradfordian cuffed by NCA over '20k' records breach

At the Supreme Court, Morrisons pops data breach liability win into its trolley – but it's not a get-out-of-compo free card for businesses

Vicarious liability now applies to intentional leaks, top court says

Lancaster Uni data breach hits at least 12,500 wannabe students

Must have been the cyber security course's day off

UK public sector IT chiefs shrug off breach threats: The data we hold isn't that important

Are you for real? splutters surveyor Sophos

2015-member database floats off through breach in Royal Yachting Association's hull

Change your passwords, ye scurvy-free non-landlubbers

UK Info Commish quietly urged court to swat away 100k Morrisons data breach sueball

Supermarket says it's innocent and we don't need more than that, ICO told judges

Wide of the net: Football Association of Ireland says player, manager data safe after breach

It was a game of two halves

Have I Been Pwned breach report email pwned entire firm's helldesk ticket system

That's one way of making people check for updates

UK data watchdog slaps a £500,000 fine on Cathay Pacific for 2018 9.4m customer data leak

ICO probe found backup files not password-protected, unpatched web-facing servers, out-of-date OS and more

MI5 slapped on the wrist for 'serious' surveillance data breach

Auditors poked around for a week after too many Peeping Toms had a trawl

Tech Resources

Unlocking the Cloud-Native Data Layer

Being able to exceed customer expectations is essential to a successful business.

Navigating the CTI Noise

We all want better threat intelligence, but it’s not easy to build a CTI program and deliver it considering all the moving parts, people, processes, and technology. Sure you need to gather the data, but how do you separate intel and priorities from the noise? How do you turn this into actionable information that improves the security of your business?

Ransomware Realities for Small and Medium-Sized Businesses

All organizations can be the target of ransomware, where users’ files or computers are taken hostage or system access is hindered until a ransom demand is met.

How to Achieve AWS, Azure, or GCP Observability at Scale

The adoption of multi-cloud is on the rise among enterprises.