Incident: Cyber Security Breach at Three Mobile Network: Customer Data Compromised

Published Date: 2016-11-18

Postmortem Analysis
Timeline:
1. The software failure incident involving the compromise of customer information from more than 130,000 users of the Three mobile network happened in November 2016. [49536]

System:
The system that failed in the software failure incident reported in Article 49536 was the system used by Three mobile network to upgrade existing customers to new devices. This system was compromised, leading to the unauthorized upgrade of eight customers to new devices by fraudsters who also obtained information from 133,827 customer accounts. The specific system that failed was the upgrade system used by Three mobile network.

Responsible Organization:
1. Fraudsters attempted to steal handsets by unlawfully upgrading customers to new devices, leading to the compromise of customer information [49536].

Impacted Organization:
1. Customers of the Three mobile network [49536]

Software Causes:
1. The software cause of the failure incident was a cyber security breach that compromised customer information from more than 130,000 users of the Three mobile network [49536].

Non-software Causes:
1. Fraudulent use of the company's phone upgrade system by individuals attempting to steal handsets [49536]
2. Criminal activity aimed at acquiring new handsets fraudulently [49536]

Impacts:
1. Personal information from 133,827 customer accounts was obtained in the cyber security breach at Three mobile network [49536].
2. Eight customers were unlawfully upgraded to new devices by fraudsters attempting to intercept and sell those devices [49536].
3. The breach led to the arrest of three men over alleged fraudulent use of the company's phone upgrade system [49536].
4. The incident caused concerns among customers and criticism of Three's response on social media [49536].
5. Security experts have called for major companies to enhance consumer protection measures in light of this breach and others [49536].

Preventions:
1. Implementing stronger authentication measures for accessing the upgrade system could have prevented unauthorized access and fraudulent activities [49536].
2. Regular security audits and penetration testing of the system could have identified vulnerabilities before they were exploited by fraudsters [49536].
3. Enhancing monitoring and detection capabilities to quickly identify suspicious activities on the system could have helped prevent the breach from escalating [49536].

Fixes:
1. Implementing stronger security measures to prevent unauthorized access to customer information [49536]
2. Conducting regular security audits and assessments to identify vulnerabilities in the system [49536]
3. Enhancing monitoring systems to detect suspicious activities and potential breaches in real-time [49536]

References:
1. Three boss, Dave Dyson's statement [49536]
2. Three mobile network's official communication
3. Law enforcement agencies
4. Security experts

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | unknown | The article does not provide information about a similar incident happening again at the same organization (one_organization) or at other organizations (multiple_organization).
Phase (Design/Operation) | design, operation | (a) The software failure incident in Article 49536 can be attributed to the design phase. The breach occurred due to suspicious activity on the system used to upgrade existing customers to new devices. Fraudsters were able to unlawfully upgrade customers to new devices and obtain customer information in the process. This indicates a failure in the design of the system that allowed for such unauthorized upgrades and access to customer data [49536]. (b) Additionally, the incident can also be linked to the operation phase. The breach was a result of fraudsters misusing the company's phone upgrade system in an attempt to steal handsets. This misuse of the system by unauthorized individuals led to the compromise of customer information, highlighting a failure in the operation or misuse of the system [49536].
Boundary (Internal/External) | within_system, outside_system | (a) The software failure incident reported in the article is primarily within the system. The breach occurred due to suspicious activity on the system used to upgrade existing customers to new devices. Fraudsters were able to unlawfully upgrade customers to new devices and obtain customer information from 133,827 accounts. The primary purpose of the breach was criminal activity to acquire new handsets fraudulently, indicating that the failure originated within the system's upgrade process [49536]. (b) Additionally, the incident involved external factors as well. Three men were arrested for the alleged fraudulent use of the company's phone upgrade system in an attempt to steal handsets, indicating external threat actor involvement in the breach [49536].
Nature (Human/Non-human) | non-human_actions | (a) The software failure incident in this case occurred due to non-human actions, specifically a cyber security breach where fraudsters were able to unlawfully upgrade customers to new devices and obtain customer information [49536].
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident reported in Article 49536 was primarily due to fraudulent activity related to the company's phone upgrade system. The breach involved fraudsters unlawfully upgrading customers to new devices in an attempt to intercept and sell those devices. This fraudulent activity was a contributing factor originating in the hardware aspect of the phone upgrade system. (b) The software failure incident also involved the unauthorized access of customer information from 133,827 accounts. This aspect of the incident, where customer information was obtained, can be attributed to contributing factors originating in the software system's security vulnerabilities.
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident in Article 49536 was malicious. The breach involved fraudsters unlawfully upgrading customers to new devices with the intention to intercept and sell those devices. The primary purpose of the activity was criminal: to acquire new handsets fraudulently. Additionally, three men were arrested over the alleged fraudulent use of the company's phone upgrade system in an attempt to steal handsets, indicating malicious intent [49536]. (b) The software failure incident in Article 49536 was non-malicious. Although personal information from 133,827 customer accounts was obtained, the company confirmed that no financial information such as bank details, passwords, pin numbers, payment information, or credit/debit card information was compromised. The company stated that the primary purpose of the breach was not to steal customer information but to acquire new handsets fraudulently [49536].
Intent (Poor/Accidental Decisions) | unknown | (a) The intent of the software failure incident was not due to poor decisions but rather criminal activity aimed at acquiring new handsets fraudulently. The breach involved fraudsters unlawfully upgrading customers to new devices with the intention of intercepting and selling those devices. The primary purpose was not to steal customer information but to carry out criminal activity related to acquiring new handsets fraudulently. This indicates that the incident was driven by malicious intent rather than poor decisions [49536].
Capability (Incompetence/Accidental) | accidental | (a) The software failure incident related to development incompetence is not explicitly mentioned in the provided article. Therefore, it is unknown if the failure was due to contributing factors introduced due to lack of professional competence by humans or the development organization. (b) The software failure incident related to accidental factors is evident in the article. The breach of customer information from more than 130,000 users of the Three mobile network was a result of cybercriminals unlawfully upgrading customers to new devices by fraudulently intercepting and selling those devices. This unauthorized activity led to the exposure of information from 133,827 customer accounts. The incident was described as criminal activity to acquire new handsets fraudulently, indicating that the breach was accidental in nature and not a deliberate act by the company [49536].
Duration | temporary | The software failure incident reported in Article 49536 was temporary. It was a cyber security breach where customer information from more than 130,000 users of the Three mobile network was compromised. The breach was due to fraudulent activity on the system used to upgrade existing customers to new devices, leading to the unlawful upgrade of eight customers by fraudsters. The incident was not permanent as it was caused by specific circumstances related to the fraudulent activity and unauthorized access to customer information [49536].
Behaviour | other | (a) crash: The software failure incident in Article 49536 does not mention a crash where the system loses state and does not perform any of its intended functions. (b) omission: The incident does not describe a failure due to the system omitting to perform its intended functions at an instance(s). (c) timing: The incident does not involve a failure due to the system performing its intended functions correctly but too late or too early. (d) value: The software failure incident does not involve a failure due to the system performing its intended functions incorrectly. (e) byzantine: The incident does not describe a failure due to the system behaving erroneously with inconsistent responses and interactions. (f) other: The behavior of the software failure incident in Article 49536 is related to a cyber security breach where customer information was compromised due to fraudulent activity, specifically in the company's phone upgrade system.

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property | (d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident at Three mobile network resulted in the compromise of customer information from more than 130,000 users. Although no financial information was compromised, personal information from 133,827 customer accounts was obtained by fraudsters. The primary purpose of the breach was not to steal customer information but to fraudulently acquire new handsets. Additionally, eight customers were unlawfully upgraded to new devices by the fraudsters, intending to intercept and sell those devices [49536].
Domain | unknown | The software failure incident reported in Article 49536 is related to the industry of telecommunications, specifically the mobile network sector. The incident involved a cyber security breach at Three mobile network, compromising customer information from over 130,000 users [49536]. The breach was related to fraudulent activities aimed at intercepting and selling new handsets, indicating a breach within the mobile network's upgrade system [49536]. The compromised data included customer account information, but no financial details like bank information, passwords, or payment details were accessed [49536]. The incident led to the arrest of individuals involved in the fraudulent use of the company's phone upgrade system [49536].
