If you’re here it’s probably because you’ve already heard that Three has suffered a data breach, which could put the personal details of customers at risk.
According to sources cited by The Telegraph, around two-thirds of the company’s nine million customers could have been exposed.
So how serious is the breach? Are you at risk of financial loss? And if you’re a Three customer what should you do now? Read on and we’ll walk you through it.
Using a log-in belonging to a Three employee to access a database, initial reports suggest that criminals potentially had access to personal details up to nine million Three customers.
Subsequent reports put the figure at up to six million, while Three has since clarified matters and claims that, in fact, information "from 133,827 customer accounts was obtained" by the criminals.
The personal details, which include names, addresses, some email addresses, phone numbers and dates of birth, were on Three's database for customers due to upgrade.
The criminals used this information to order phones and then intercept and steal the handsets when they were delivered to stores. So the primary purpose of the scam it seems wasn't to steal details, but to obtain phones fraudulently.
The good news is that it seems that although nine million customers' details could feasibly be out in the public domain, Three says that, in fact, the miscreants only accessed information for a few thousand customers.
The better news that the details didn’t include financial information, which means the criminals won’t have been able to go on a spending spree with your bank details or credit card information. But as we’ll see, that’s no reason to be complacent.
So could someone have ordered a phone upgrade using my details?
As we’ve outlined above, only the details of customers who were in line for an upgrade were used for the scam. If you’re in a new Three contract or you’ve got months and months to run, that probably excludes you.
However, Three hasn't said whether the upgrade database also includes customers who have upgraded in the past. So we can't say for certain exactly who has been affected.
However, it has stated that the scammers used customers’ info to order 400 phones. That’s no small loss for Three, but it’s a pretty small proportion of the networks' nine million or so customers.
But if my details have been stolen, could other criminals use them to scam me?
That’s a real risk. If your data is in the public domain and for sale to other criminals, there’s a chance that scammers could use your details to pose as someone from your bank and attempt to solicit more sensitive information from you.
Given that some email addresses have been accessed, they could also target customers affected with scam emails.
What should I do now?
For peace of mind, the best thing to do is give Three a ring to check that no-one has placed an order for a new phone and whether your details could be out there.
To get in touch, call 333 from a Three phone or 0333 338 1001.
Three also advises you to contact your bank and change your passwords and PIN on your account. The networks’ customer service team recommends that you change your Three account password if it’s the same one you use for other online accounts too.
Naturally, it’s smart to be especially vigilant with your financial details over the next few months and exercise extreme caution with unsolicited emails and phone calls.
Will Three let me know if I’ve been affected?
Three has pledged it is contacting customers affected individually to "confirm what information has been accessed and directly answer any questions they have".
And what is it doing to ‘make it right’?
Three is investigating the breach with the help of the Police. It has also pledged to improve security to prevent further breaches and has put in place "increased security for all [compromised] customer accounts".
In the light of how TalkTalk's data breach from last year panned out, it’s possible that some sort of compensation may be forthcoming for customers affected. But that’ll likely only become apparent in the weeks to come.
Dave Dyson, Three CEO, said: "As you may already know, we recently became aware of suspicious activity on the system we use to upgrade existing customers to new devices and I wanted to update all our customers on what happened and what we have done.
"I understand that our customers will be concerned about this issue and I would like to apologise for this and any inconvenience this has caused.
"Once we became aware of the suspicious activity, we took immediate steps to block it and add additional layers of security to the system while we investigated the issue.
"On 17th November we were able to confirm that 8 customers had been unlawfully upgraded to a new device by fraudsters who intended to intercept and sell on those devices.
"I can now confirm that the people carrying out this activity were also able to obtain some customer information. In total, information from 133,827 customer accounts was obtained but no bank details, passwords, pin numbers, payment information or credit/debit card information are stored on the upgrade system in question.
"We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.
"We are contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. As an additional precaution we have put in place increased security for all these customer accounts.
"We have been working closely with law enforcement agencies on this matter and three arrests have been made.
"I understand that this will have caused some concern and inconvenience for our customers and for that I sincerely apologise."