Mobile network Three UK's customer details exposed in homepage blunder Mobile operator Three UK's website was showing visitors other customers' names, postal addresses, phone numbers, email addresses and more – all without asking for a login. Alarmed Reg reader Chris immediately tweeted at Three to ask what on Earth was going on, querying why Three's site was displaying different people's data to …
I once did an anti money laundering and corruption "course" online.
At the end was a four question test. The pass rate was 80%...they were baffled when I explained the pass rate therefore was 100% since getting a single question wrong meant you feel below the threshold given.
And they still struggled.
I'm not sure if I am amazed or not at the cavalier "Only 4 people complained" response...like the number of complaints is directly proportional to the problem.
It appears, to me, that the full name and mobile numbers were displayed, and that alone is a GDPR breach.
Time to bring out the big stick
Just to spell it out – if anyone from Three with any influence is reading these comments – there are broadly two ways to respond to incidents like this:
(1) 'Oh this is all a silly load of fuss about nothing really I mean it's not like loads of people were complaining about it or anything.'
A response like that would result in technical people like me thinking that Three are total fuckwits who don't get security and I would henceforth not touch them with a bargepole nor would encourage anyone else I know not to touch them with a bargepole either.
(2) 'We experienced a problem with a software upgrade on our website during which for a short period a subset of user account information became viewable to other non logged in users. We have fixed the problem and have informed the ICO of the incident. We are continuing to investigate but at present we believe the number of users affected was a very small proportion of our UK customer base. We will provide further details once we are clearer as to how this happened and would like to thank members of the public who alerted us early to this problem.'
A response like that is going to result in technical people like me thinking that Three understand security, takes it seriously, understand that you can't always get things right and realise that what really matters is how you respond once something has gone wrong.
This post has been deleted by its author
Just to spell it out – if anyone from Three with any influence is reading these comments – there are broadly two ways to respond to incidents like this:
(1) 'Oh this is all a silly load of fuss about nothing really...
The vast majority of people are going to accept this and move on.
(2) 'We experienced a problem with a software upgrade...
That same group of people, if you hit them with this will have their eyes roll up in their heads and start frothing if it goes on for too long.I try to educate friends and family concerning these issues, but it is truly an uphill battle.
"This is CI/CD! The user is the tester!"
That seems to be the plan :( If it passes the unit tests, and all the APIs return expected values in expected fields, then you don't need to do that messy E2E integration testing...
Anyone with more CI/CD knowledge care to say different?
CI would normally include all tests, not just unit tests. It is called Continuous *Integration* after all. The problem here was likely more of a "devops" problem as was mentioned in the article. E.g. something was linked up or pushed to production that shouldn't have been. Or it might imply that their testing suite was insufficient. But that's not the same as assuming that they didn't do integration tests at all, which we have no warrant to assume, given the evidence available.
Re-read their statement
They said only four people *complained*
That isn't to say that's the same number of people who accessed the data, nor is it the number of customer accounts displayed incorrectly.
It's just the number of people who could be bothered to contact Three about the issue.
Hmm. Three seem to not understand security. I had to phone up to get my PAC code today. As it says on the page "Call 333 and have your password and DOB ready" I was expecting to be disappointed.
(On the login page, if you click for password help it says "we'll never ask for your password".)
Sure enough, call them up and the first thing they do is ask for my password. I declined, but I wonder how many people just read out their password over the phone. They then asked for a memorable name or place. I guessed at my place of birth, I don't recall ever giving them that but they seemed happy with it.
I would have put those details from their site with quotes and URLs, but my3 currently says it is down for maintenance. I think they may still be leaking details if they were online.
333 isn't a valid number. I don't trust anyone i find on the end of non compliant numbers.
Compliant here means a valid uk LOCAL number (currently between 5 and 8 digits). Preferably with an area code.
OR a service level code beginning 1. 100 for operator 112 for emergency, 150 for engineering, etc.
So, because the number is non-routable, you assume that it will be routed to a miscreant. Rather than realising that it can only connect to a service provided by the carrier?
The key here is that you dial 333 from your '3' phone. It's not an incoming call with a spoofed number. All carriers in the UK operate similar shortcodes.
If only they had a way to determine that the device in question was in your possession and/or that the payment details you had previously given them belonged to you and/or that you could log into a secure portal to request such a thing automatically.
Of course, that would reduce the possibility of them actually being able to try to upsell you as you go, but I can't really see a downside in that either...
Personally, I'm much more concerned that data usage has accelerated for no reason (I've actually been turning off devices on my 3 Wifi box trying to work out which it is, but if anything it's getting even bigger) and their portal shows that my daily data usage only up to the 25th Jan (it's the 2nd Feb now) and for some stupid reason they sort by day-of-month, which means that to plot my usage means a lot of jiggery pokery as the 26th, 27th, 28th, 29th, 30th, 31st December come just above the 22nd, 23rd, 24th, 25th Jan...
Only 4 people complained.
Well, that kinda missed the point didn’t it.
Most are probably non technical and wouldn’t know how to report things or understand what this means, then there are the hacking type, well, they aren’t going to look a gift horse in the mouth and start complaining are they ?
Oh and there is the little tiny issue that they overlooked - THIS SHOULDNT HAVE F’KIN HAPPENED IN THE FIST PLACE. Have fun explaining that when you submit the paperwork for the GDPR breach. Personal information is personal information after all.
"Three UK wanted to make it known that only four people had complained about being able to view any random Three customer's personal data by simply visiting its website and not even needing to log in. El Reg is very happy to make this clear."
Yeah... like... words fail me in describing why that statement from Three is the worse they could say.
Only 3 people complained, but how many peoples data was displayed to those 3 users.
Unless Three can say with certainty they know whose data was exposed to those 3 users this breach potentially impacts more than the number of people who complained.
Leaking peoples data is a serious problem that companies don't seem to take seriously enough. I've had a Three support person tell me there is no way that data they hold can be leaked. There as so many levels that that statement was wrong and used as standard communication doesn't help.
If their website logs are as good as their PAYG balance logs, then good luck.
Here's my train of thought:
I asked them where 24p went, since I never really spend anything* except for a monthly Internet add-on. I topped up 5, I spent the 5 on the add-on, so it's zero sum. They came back with this: I topped up 5 pounds, then spent 0.24 on buying a Internet add-on, and that's why I have 4.76 credit.
Given that it costs 3p/min to call a foreign country, and the nice fit of that in 0.24, I think I know where the money went, but they were unable to tell me.
*My setup: Android phone. Ye olde 3Pay plan. Prefixer app configured to use 18185 via their 0800 number for most calls. Voicemail using Instavoice, with a double redirect through a "Pay as you go on Three" SIM to reduce costs. Why the complicated setup? Because I get 2GB for 5 pounds on 3Pay, and that's not available on the new plan or anywhere else.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
