Three UK does it again: Random folk on network website are still seeing others' account data
Once is an unfortunate cockup. Twice needs stamping on
British telco Three UK has once again let random people viewing its homepage view its customers' account details as if they were logged in, exposing personal and billing data to casual browsing.
Several Reg readers got in touch with us on Friday afternoon and Saturday after noticing that when visiting Three's website, they appeared to be logged into accounts that were not their own.
The blunder is a carbon copy of an event in February which we exclusively revealed.
Reg reader Keith told us on Friday: "This happened to me this morning. Hotspotted on to Three with phone and laptop. Went to Three website (never been there before on device) and I could see someone else's account loaded up. Someone other side of country I do not know – same as your article [from February] but could see pdf bills with all call details."
El Reg has been shown recent screenshots of the CK Hutchison Holdings subsidiary's website displaying various people's names and access to the "My3 Home" area. That login-protected part of the website contains one's personal details and billing information.
Yet another customer took to Twitter to complain about the issue:
@ThreeUK hi, i tried to contact the support team yesterday but no response. You sent me a bill reminder via SMS. When I follow the link it logs me in to someone else's account with full access to their bills, usage, phone number. Seems like a huge DPA breach. No password required— ian martin (@juan_martinez) October 29, 2019
Three UK claims to have around 10 million customers.
It is unknown whether the privacy blunder was linked to the website falling offline in the middle of last week. A number of people contacted Three last week to say they were unable to log into their accounts, with some doing so via Twitter:
@ThreeUK how long is your website and app down for?? It's been 2 days now.— Madalina Brait (@braitmadalina) October 31, 2019
Hi @ThreeUK I'm trying to top up my data for my mobile broadband, but your website seems to be down and I can't find anywhere which tells me the SIM number in order to top up via the app. Please can you help?— Rhiannon Meredith (@r_m_meredith) October 31, 2019
We asked Three if it wanted to comment on the fact that yet again its customers' personal and billing information had been bared to anyone driving past on the information superhighway.
A spokesbeing said: "We are aware of an issue with my3 where fewer than 10 customers have reported being able to view another customer's account information. No sensitive financial information was viewable at any time, we are investigating the matter and we apologise for any inconvenience caused."
So that's alright, then.
An Information Commissioner's Office (ICO) spokesperson told The Register: "We are aware of an incident concerning 3 Mobile and will be assessing the information provided."
That assessment is being carried out with an eye on Regulation 5a of the Privacy and Electronic Communication Regulations, which deals with "personal data breaches" and says that telcos must explain to the ICO precisely how big the breach was and what they have done to fix the damage.
Regulation 5a(3) says that "… if a personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user, the service provider shall also, without undue delay, notify that breach to the subscriber or user concerned."
Given that anyone was able to view Three customers' data intermittently during the affected period, we at El Reg suggest the ICO asks Three to supply it with the number of people accessing the My3 account information area of the website during that time. After all, a well-designed user account area means it should be trivial for a service provider to track when a particular account was last logged into or accessed … shouldn't it? ®