Data Breaches Put Customers at Risk of Identity Fraud
March 28, 2017
Imagine for a moment that, at the end of your mobile cycle month, you log onto your online account to access your billing information and see how much you owe your provider. However, when the screen comes up, it’s not your information you see, but that of another customer. All of that person’s mobile account details are there, except for the financial details, and you can easily go through all of it as if it were your own. Doesn’t that sound like an identity fraud nightmare waiting to happen?
Unfortunately, that nightmare is Three UK’s reality at the moment. The telecommunications and Internet service provider announced recently that it is “aware of a small number of customers who may have been able to view the mobile account details of other three users using My3.” This breach follows just months after another in November, when the data of six million customers was stolen.
Although this is scary, it’s important for customers to remember that Three UK is just as much of a victim in this scenario as well. In the previous breach, hackers used employee credentials to get into the company’s upgrade database. While it’s unclear how this latest incident occurred, it’s important to remember that hackers are determined criminals who will find any and all cracks in a security system, no matter how small.
While it’s good that no financial details are visible to those customers that are affected, Chris Hodson, EMEA CISO at Zscaler, pointed out the fraudulent possibilities to SC Media UK, saying, “Reassuring customers that no financial details were exposed is irrelevant. If users are able to see other customers' bills, then there's a totally feasible scenario where one user could ask for a replacement SIM based on the billing details, get a replacement phone and reset passwords for major accounts – including banking. This has real implications for identity fraud. ”
Thus, what was likely a small crack in Three UK’s security defenses opened users up to mobile identity fraud. We can hope that customers with this power choose not to exploit it, but there’s still a chance. That’s why it’s so important for service providers to be prepared for a breach like this. Three UK did everything right—it strengthened its security efforts after the first breach, has secure online accounts, etc.—and yet, hackers still found a way in.
So, service providers, take this unfortunate event as a warning. The potential for identity fraud—or any fraud, for that matter— is something everyone needs to be concerned about and prepared for. When it comes to customer data, there’s no such thing as being overprotective. Yes, customers may find extra verification measures somewhat annoying at first, but it’s almost a guarantee that they’d prefer added security to having their bank accounts drained.
Article comments powered by