Just to spell it out – if anyone from Three with any influence is reading these comments – there are broadly two ways to respond to incidents like this:
(1) 'Oh this is all a silly load of fuss about nothing really I mean it's not like loads of people were complaining about it or anything.'
A response like that would result in technical people like me thinking that Three are total fuckwits who don't get security and I would henceforth not touch them with a bargepole or encourage anyone else I know to touch them with a bargepole either.
(2) 'We experienced a problem with a software upgrade on our website during which, for a short period, a subset of user account information became viewable to other non-logged-in users. We have fixed the problem and have informed the ICO of the incident. We are continuing to investigate, but at present we believe the number of users affected was a very small proportion of our UK customer base. We will provide further details once we are clearer as to how this happened and would like to thank members of the public who alerted us early to this problem.'
A response like that is going to result in technical people like me thinking that Three understand security, take it seriously, understand that you can't always get things right and realise that what really matters is how you respond once something has gone wrong.