This is the second data breach Three has experienced in 12 months. Customers who logged into their accounts saw the names, data usage, addresses, phone numbers and call histories of fellow Three users.
Three said yesterday evening that it was investigating the issue and suggested that those who were affected should contact customer service.
“We are aware of a small number of customers who may have been able to view the mobile account details of other Three users using My3,” a spokesman said.
“No financial details were viewable during this time and we are investigating the matter.”
One customer, Andy Fidler, told the Guardian he was shown the data usage and full call and text history of another named customer when he logged into his account.
Another, Mark Thompson, said on Facebook he received a call from a complete stranger who said she had logged on to her account and was shown his details.
Thompson said it was a “shocking breach of data privacy”. He wrote on Three UK’s Facebook page: “Care to explain just how my details have been shared, how many people have had access to my personal information, for how long, and how many of your other customers have had their details leaked by yourselves to other members of the public as well?”
The Information Commissioner’s Office said it “will be looking into this potential incident involving Three”.
A spokeswoman for the regulator said: “Data protection law requires organisations to keep any personal information they hold secure. It’s our job to act on behalf of consumers to see whether that’s happened and take appropriate action if it has not.”
This latest breach comes four months after three men were arrested for accessing the personal data of 133,000 Three customers.
Dr Jamie Graves, CEO at ZoneFox, commenting on the latest breach, said, “Twice in 12 months, Three have faced two severe data breaches. In November last year their customers had their data stolen, and now a technical error in the company’s system is showing strangers’ personal information and phone records. Customers are unsure who has accessed their data, for how long and what is then done next with it. Perhaps if the company had insights into data flow and user behaviour this would help them avoid issues like this occurring and provide greater oversight. After all, prevention is better than the cure.”
“With the looming EU GDPR regulations, businesses must put the protection of their customers’ data at the fore, as they will have to declare data breaches, and detail the scope of such breaches, within 72 hours. A lot of learning must be done by businesses on how they deal with a breach and manage their customers’ personal data to ensure businesses are on the front foot.”