Mobile phone company 3 in “upgrade intercept scam” data breach


Mobile phone company 3 is the latest UK telecommunications firm to become the subject of a data breach story.

3’s breach is already being compared with the UK’s infamous TalkTalk breach of 2015, when somewhere in the region of 1,000,000 email addresses, phone numbers and addresses were stolen.

A teenager was recently convicted in connection with the TalkTalk hack (he won’t be sentenced until later this year); TalkTalk itself was fined £400,000 (about $500,000) by the UK’s Information Commissioner.

For all the comparisons with TalkTalk, however, 3’s breach troubles sound rather different.

It’s fair to say that, at the moment, details are sketchy. The breach came to light when three men were arrested in connection with the incident, but it appears to involve just eight of 3’s customers.

The men are out on bail, with investigations under way, so the police are playing their cards close to their chests.

As far as we can tell, this is what’s called an “upgrade interception scam,” exploiting the process followed by mobile phone companies when you get near to the end of your current contract to induce you to renew.

You’ll typically be contacted by your provider near the end of your term and offered a chance to upgrade to a new phone in return for agreeing to stay on as a customer. If you agree, you don’t have to go through another credit check, or sign loads of new forms, or get a new SIM or number…

…and you get a cool new phone delivered to you by courier a few days later.

In this case, it sounds as though the crooks got unauthorised access to 3’s phone upgrade system; fraudulently authorised numerous upgrades; hung around the delivery addresses waiting for the couriers to show up; signed for the handsets; and then cleared off with them.

If that was the modus operandi, you’ll appreciate that it was a high-interaction, high-risk strategy: you have to be in the right place at the right time for each handset, and if you miss one of the couriers, you leave behind a rather visible indicator that something went wrong.

Indeed, if you aren’t able to alter the user’s address and have to intercept the delivery outside their home, you run a real risk that the item will end up handed directly to your victim, who will be left holding a brand new phone tied to a new contract that they know nothing about.

What to do

With just eight customers affected, 3 ought to be able to right the wrongs done fairly quickly, but there are still some lessons we can all learn from this incident.

We don’t know whether the crooks had inside help, or somehow acquired a password to use themselves. If the latter, it sounds as though two-factor authentication (2FA) would have helped here.

2FA means that a password alone is not enough to access someone’s account – a secondary code that changes every time you log in is also required.

We recommend adopting 2FA wherever you can.

We don’t know how 3 and the police found out about this scam, but it’s possible that the crooks drew attention to themselves when a delivery interception went wrong and a customer had an anomaly to report.

As always, both cybersecurity and physical security benefit from an attitude of “if you see something, say something.”

If you’re an employer, make sure your staff are encouraged to report security issues, from tailgating into the office to phishing emails, and from suspicious phone calls to unexpected login notifications.

Consider giving rewards, even if they’re modest: a congratulatory box of chocolates is a nice way to thank a colleague who reported a potential security problem.