Mobile network Three UK's customer details exposed in homepage blunder

Mobile operator Three UK's website was showing visitors other customers' names, postal addresses, phone numbers, email addresses and more – all without asking for a login. Alarmed Reg reader Chris immediately tweeted at Three to ask what on Earth was going on, querying why Three's site was displaying different people's data to …

  1. Bibbit

    Only 3? Does not sound serious.

    1. Stripes the Dalmatian
      WTF?

      Only four out of three 3 customers complained? That's nearly 100%, at least!

      1. theunregistered

        More than 100%

      2. BebopWeBop

        Three UK wanted to make it known that only four people had complained about being able to view any random Three customer's personal data

        The others just said a silent thanks and got on using them to steal personal details.

      3. TonyJ

        I once did an anti money laundering and corruption "course" online.

At the end was a four question test. The pass rate was 80%...they were baffled when I explained the pass rate therefore was 100% since getting a single question wrong meant you fell below the threshold given.

        And they still struggled.

        I'm not sure if I am amazed or not at the cavalier "Only 4 people complained" response...like the number of complaints is directly proportional to the problem.

        It appears, to me, that the full name and mobile numbers were displayed, and that alone is a GDPR breach.

        Time to bring out the big stick

    2. Mark 85
      Facepalm

      Nicely done El Reg

      I read the headline as "Three UK customers" as in 3 customers. Didn't realize the company was named "Three UK"....

      1. Anonymous Coward

        Re: Nicely done El Reg

        see that .co.uk in the address bar?

    3. Skwosh

      Just to spell it out – if anyone from Three with any influence is reading these comments – there are broadly two ways to respond to incidents like this:

      (1) 'Oh this is all a silly load of fuss about nothing really I mean it's not like loads of people were complaining about it or anything.'

      A response like that would result in technical people like me thinking that Three are total fuckwits who don't get security and I would henceforth not touch them with a bargepole, and would encourage anyone else I know not to touch them with a bargepole either.

      (2) 'We experienced a problem with a software upgrade on our website during which for a short period a subset of user account information became viewable to other non logged in users. We have fixed the problem and have informed the ICO of the incident. We are continuing to investigate but at present we believe the number of users affected was a very small proportion of our UK customer base. We will provide further details once we are clearer as to how this happened and would like to thank members of the public who alerted us early to this problem.'

      A response like that is going to result in technical people like me thinking that Three understand security, take it seriously, understand that you can't always get things right and realise that what really matters is how you respond once something has gone wrong.

    4. This post has been deleted by its author

      1. Robert Helpmann??

        Just to spell it out – if anyone from Three with any influence is reading these comments – there are broadly two ways to respond to incidents like this:

        (1) 'Oh this is all a silly load of fuss about nothing really...

        The vast majority of people are going to accept this and move on.

        (2) 'We experienced a problem with a software upgrade...

        That same group of people, if you hit them with this, will have their eyes roll up in their heads and start frothing if it goes on for too long. I try to educate friends and family concerning these issues, but it is truly an uphill battle.

  2. GnuTzu
    Unhappy

    So Many Web Sites...

    So little oversight. Isn't it fun to just be a statistic?

  3. Will Godfrey Silver badge
    Angel

    Only three of them?

    Well that's not so bad then.

  4. fidodogbreath

    Testing?

    We don't need no steenkin' testing!

    1. Anonymous Coward

      Re: Testing?

      This is CI/CD! The user is the tester!

      1. yoganmahew

        Re: Testing?

        "This is CI/CD! The user is the tester!"

        That seems to be the plan :( If it passes the unit tests, and all the APIs return expected values in expected fields, then you don't need to do that messy E2E integration testing...

        Anyone with more CI/CD knowledge care to say different?

        1. Anonymous Coward

          Re: Testing?

          CI would normally include all tests, not just unit tests. It is called Continuous *Integration* after all. The problem here was likely more of a "devops" problem as was mentioned in the article. E.g. something was linked up or pushed to production that shouldn't have been. Or it might imply that their testing suite was insufficient. But that's not the same as assuming that they didn't do integration tests at all, which we have no warrant to assume, given the evidence available.

        2. matjaggard

          Re: Testing?

          You can't be blamed for not testing when it's been put live accidentally. I also doubt it's CI/CD because pipelines don't click the wrong button and end up with a test version live.

    2. macjules

      Re: Testing?

      Let me guess ... someone deployed on a Friday night.

  5. N2

    A small number of customers...

    They always say that, even if it's half of Europe affected.

    Prove it you fucking liars.

    1. Paul 87

      Re: A small number of customers...

      Re-read their statement

      They said only four people *complained*

      That isn't to say that's the same number of people who accessed the data, nor is it the number of customer accounts displayed incorrectly.

      It's just the number of people who could be bothered to contact Three about the issue.

    2. tin 2

      Re: A small number of customers...

      I LOL that they've clearly specifically demanded that The Reg make it clear only 4 people complained.

      Like that's somehow representative of something. Fucking liars.

  6. Dan Atkinson
    Joke

    Only three?!

    Sounds like a storm in a teacup if it only affected three customers.

    1. AndrueC Silver badge
      Joke

      Re: Only three?!

      At least it wasn't a three for all.

      1. Nolveys

        Re: Only three?!

        It's like they can't tell the three from the fourest.

  7. GrapeBunch

    Dear Three

    I think you should change your name to Kazillion. Because there's no such thing as bad publicity.

  8. Ken Moorhouse Silver badge

    ...that only four people had complained...

    STBO but they need to be looking through their logs, rather than the number actually complaining.

    La La La I can't hear you...

    1. robidy

      Re: ...that only four people had complained...

      PR dept "What's the smallest number involved in the data breach?"

      Techie "Three..."

      PR dept "Okay that's our brand...we'll use 4 to avoid jokes from The Reg"

  9. max allan

    Security? Really.

    Hmm. Three seem to not understand security. I had to phone up to get my PAC code today. As it says on the page "Call 333 and have your password and DOB ready" I was expecting to be disappointed.

    (On the login page, if you click for password help it says "we'll never ask for your password".)

    Sure enough, call them up and the first thing they do is ask for my password. I declined, but I wonder how many people just read out their password over the phone. They then asked for a memorable name or place. I guessed at my place of birth, I don't recall ever giving them that but they seemed happy with it.

    I would have put those details from their site with quotes and URLs, but my3 currently says it is down for maintenance. I think they may still be leaking details if they were online.

    1. Anonymous Coward

      So you would rate them a 3 for customer service?

    2. Martin-73 Silver badge

      Re: Security? Really.

      333 isn't a valid number. I don't trust anyone I find on the end of non-compliant numbers.

      Compliant here means a valid UK LOCAL number (currently between 5 and 8 digits). Preferably with an area code.

      OR a service level code beginning 1. 100 for operator, 112 for emergency, 150 for engineering, etc.

      1. Anonymous Coward Silver badge
        Facepalm

        Re: Security? Really.

        So, because the number is non-routable, you assume that it will be routed to a miscreant. Rather than realising that it can only connect to a service provided by the carrier?

        The key here is that you dial 333 from your '3' phone. It's not an incoming call with a spoofed number. All carriers in the UK operate similar shortcodes.

    3. Lee D Silver badge

      Re: Security? Really.

      If only they had a way to determine that the device in question was in your possession and/or that the payment details you had previously given them belonged to you and/or that you could log into a secure portal to request such a thing automatically.

      Of course, that would reduce the possibility of them actually being able to try to upsell you as you go, but I can't really see a downside in that either...

      Personally, I'm much more concerned that data usage has accelerated for no reason (I've actually been turning off devices on my 3 Wifi box trying to work out which it is, but if anything it's getting even bigger) and their portal shows my daily data usage only up to the 25th Jan (it's the 2nd Feb now) and for some stupid reason they sort by day-of-month, which means that plotting my usage takes a lot of jiggery pokery as the 26th, 27th, 28th, 29th, 30th, 31st December come just above the 22nd, 23rd, 24th, 25th Jan...

  10. Doctor Syntax Silver badge

    "Three UK wanted to make it known that only four people had complained"

    It's those that didn't complain they need to worry about.

    1. Dwarf

      Whoooshh

      Only 4 people complained.

      Well, that kinda missed the point didn’t it.

      Most are probably non-technical and wouldn't know how to report things or understand what this means, then there are the hacking type, well, they aren't going to look a gift horse in the mouth and start complaining, are they?

      Oh and there is the little tiny issue that they overlooked - THIS SHOULDN'T HAVE F'KIN HAPPENED IN THE FIRST PLACE. Have fun explaining that when you submit the paperwork for the GDPR breach. Personal information is personal information after all.

  11. zaax

    Only a small part, the whole lot was

  12. LateAgain

    Only three!

    Did they record the logins, sorry IP, sorry browser string of the rest who either assumed it was normal or downloaded as much as possible?

    Or is three people really the average number of visitors per day?

    1. Anonymous Coward
      Headmaster

      Re: Only three!

      Not visitor numbers, but I can think of another number I'd now like to link their ability to. ;)

  13. Anonymous Coward

    WHAT?!

    "Three UK wanted to make it known that only four people had complained about being able to view any random Three customer's personal data by simply visiting its website and not even needing to log in. El Reg is very happy to make this clear."

    Yeah... like... words fail me in describing why that statement from Three is the worst they could say.

  14. Martin-73 Silver badge

    Who?

    This outfit called me back in the early days of their existence. They claimed to offer better service than my existing provider (BT Cellnet back then, O2 now).

    Me: did I answer your call?

    Them: yes

    Me: there's your answer, bye

  15. Anonymous Coward

    how much?

    £8 for an 8GB hotspot, this poor bitch kathleen is getting robbed.

  16. Nitro

    So how many people's data did those 3 users see?

    Only 3 people complained, but how many people's data was displayed to those 3 users?

    Unless Three can say with certainty they know whose data was exposed to those 3 users, this breach potentially impacts more than the number of people who complained.

    Leaking people's data is a serious problem that companies don't seem to take seriously enough. I've had a Three support person tell me there is no way that data they hold can be leaked. There are so many levels on which that statement was wrong, and used as standard communication it doesn't help.

  17. Octavo

    Probably caused by a misconfigured load-balancer. This is why you use configuration management tools like Ansible.

  18. Anonymous Coward

    few complaints

    only 3 people complained - but the dozen or so miscreants who hoovered up as many personal details as they could during the incident were very happy and didn't complain at all :/

  19. Uplink

    Three's logs aren't so great

    If their website logs are as good as their PAYG balance logs, then good luck.

    Here's my train of thought:

    I asked them where 24p went, since I never really spend anything* except for a monthly Internet add-on. I topped up 5, I spent the 5 on the add-on, so it's zero sum. They came back with this: I topped up 5 pounds, then spent 0.24 on buying an Internet add-on, and that's why I have 4.76 credit.

    Given that it costs 3p/min to call a foreign country, and the nice fit of that in 0.24, I think I know where the money went, but they were unable to tell me.

    *My setup: Android phone. Ye olde 3Pay plan. Prefixer app configured to use 18185 via their 0800 number for most calls. Voicemail using Instavoice, with a double redirect through a "Pay as you go on Three" SIM to reduce costs. Why the complicated setup? Because I get 2GB for 5 pounds on 3Pay, and that's not available on the new plan or anywhere else.

  20. Mike 137 Silver badge

    "Good thinking, Batman"

    "When you load their site over your mobile internet connection, it recognises you and automatically logs you in"

    What a brilliantly secure mechanism! So anyone who nicks your phone can access your account.

    1. MattP1821

      Re: "Good thinking, Batman"

      You assume that there is no Face ID, Touch ID, PIN, pattern or passcode lock on the device; that would be a little premature. As the saying goes, "Assumption is the mother of all f***k ups".

  21. Velv
    Facepalm

    Agile (tm) continuous development.

    Put stuff in. Doesn't quite work as expected, shit, just change it out.

    Because that's OK, isn't it?
