3 hide their customer database again. Sensible really.

26 March 2009

Following on from our earlier story, in which we revealed how the personal details of almost 80,000 3 Mobile customers could easily be viewed online, the company have plugged the leak and removed public access to the database.

The ease with which Bitterwallet reader Dan was able to reach this confidential information was, frankly, staggering. It all stemmed from an email he was sent by 3 advertising their mobile broadband service (left). Possibly out of sheer boredom, but probably out of the curiosity that most of the web-savvy among us possess, Dan right-clicked on the dongle picture and looked at the image source.

That gave him a URL on 3's web server which, because directory browsing was enabled there, led to a listing of the folders where the images 3 use in their mailouts are stored. Nothing damning so far. But one of the folders looked rather more intriguing. Named ‘BB LAPTOP ANTON’, its contents amazed Dan, and us when we saw them: three CSV files listing the names and addresses of what we assumed were 3's customers, 79,035 of them in total (excerpt below). Whoever they were, it was data that should have been kept strictly confidential, and certainly not left accessible to any net user with a little bit of nous.
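As an added example (not code from Bitterwallet, from Dan or from 3), here is a small Python audit that reproduces the check Dan made by hand: take the URL of an image from a marketing email, walk up each of its parent directories and flag any that answer with a server-generated directory index, noting any spreadsheet-style files the listing exposes. The host img.example.com, the paths and the HTML responses are constructed so it runs offline; `live_fetch` is the fetcher to swap in against a server you are authorised to test.

```python
"""Check whether an image URL's parent directories expose a directory listing.

Added example, not code from the Bitterwallet article or from 3. The host,
paths and HTML below are constructed so the script runs offline; swap in
live_fetch() to test a server you are authorised to probe.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)

# Markers of the auto-generated index pages of Apache, nginx and IIS.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"Parent Directory", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)
# File types in a listing that are worth a closer look.
DATA_FILE = re.compile(r'href="([^"]+\.(?:csv|xls|xlsx|sql|bak|zip))"', re.I)


def parent_urls(url: str) -> List[str]:
    """All parent directories of url, nearest first, each ending in '/'."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    parents = []
    for depth in range(len(segments) - 1, -1, -1):  # drop the filename first
        path = "/" + "/".join(segments[:depth])
        if not path.endswith("/"):
            path += "/"
        parents.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return parents


def is_directory_listing(html: str) -> bool:
    """True if the body looks like a server-generated directory index."""
    return any(marker.search(html) for marker in LISTING_MARKERS)


def audit(image_url: str, fetch: Fetcher) -> List[Tuple[str, List[str]]]:
    """Return (directory_url, exposed_data_files) for every browsable parent."""
    findings = []
    for directory in parent_urls(image_url):
        status, body = fetch(directory)
        if status == 200 and is_directory_listing(body):
            findings.append((directory, DATA_FILE.findall(body)))
    return findings


def live_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetcher: GET the URL and return (status, first 64 KiB of body)."""
    request = urllib.request.Request(url, headers={"User-Agent": "dir-listing-audit/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""


# Constructed responses standing in for a misconfigured image host.
IMAGE_URL = "https://img.example.com/mailouts/2009/march/dongle.jpg"
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "https://img.example.com/mailouts/2009/march/": (200,
        '<html><head><title>Index of /mailouts/2009/march</title></head><body>'
        '<pre><a href="../">Parent Directory</a>\n<a href="dongle.jpg">dongle.jpg</a>\n'
        '</pre></body></html>'),
    "https://img.example.com/mailouts/2009/": (200,
        '<html><head><title>Index of /mailouts/2009</title></head><body>'
        '<pre><a href="../">Parent Directory</a>\n<a href="march/">march/</a>\n'
        '<a href="campaign-lists/">campaign-lists/</a>\n<a href="list1.csv">list1.csv</a>\n'
        '</pre></body></html>'),
    # A correctly configured directory: the server refuses to list it.
    "https://img.example.com/mailouts/": (403, "<html><title>403 Forbidden</title></html>"),
    "https://img.example.com/": (200, "<html><title>Welcome</title><body>Home</body></html>"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, ""))


def audit_sample() -> List[Tuple[str, List[str]]]:
    return audit(IMAGE_URL, sample_fetch)


if __name__ == "__main__":
    for directory, files in audit_sample():
        print(f"browsable: {directory}  data files: {files or 'none'}")
```

Run it against your own mail-image host before a campaign goes out, not after a reader does. The fix is on the server rather than in the content: `Options -Indexes` (or removing `Indexes` from the relevant `<Directory>` block) in Apache, `autoindex off;` in nginx, and leaving Directory Browsing disabled in IIS, which is its default. A 403 from the parent directories, as the constructed `/mailouts/` response shows, is what a correctly configured host returns.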

3 have subsequently removed the info from public view and hopefully the mistake won’t be repeated. It would be interesting to see what the Information Commissioner might have to say about it all though…

EDIT: A 3 spokesman has contacted us regarding the security leak and said, "The information referred to has now been removed from the Internet. We're still in the process of investigating, however our initial research indicates that, in all probability, this is not a list of 3 UK customers. Less than 5% of names on initial investigation are 3 customers.

"We're clearly still concerned that there could be any compromise of consumer data associated with the marketing of our products and we are doing everything in our power to find out where this information has come from. What is important to note is that the data only consisted of names and addresses - no consumer financial information was exposed at any point."



  • Chris H.
    'our initial research indicates that, in all probability, this is not a list of 3 UK customers. Less than 5% of names on initial investigation are 3 customers' Does it matter if only 5% are 3 customers if 100% are genuine details of UK residents?
  • Hodgy
    Exactly. The message there seems to be 'Not many of the names were 3 customers so we don't really give a toss.'
  • Chris H.
    I'm not versed enough in the Data Protection Act to know exactly how badly this would have breached it - I'm going to guess this is something to do with the subscription list for the mailshot; seems a logical assumption to make.
  • Nik B.
    If 95% of them aren't 3 customers, who the hell are they and why does 3 have their details (online or not)?
  • Chris H.
    As I said, probably the people subscribed to the 3 mailing list.
  • TimJ
    Simple solution, disable directory browsing. Doesn't really require a genius does it.
  • Jakg
    If only 5% were 3 customers, then what were they doing with all their personal details?
  • The B.
    Don't most (if not all) web servers come with directory browsing turned off? Wouldn't they have had to turn it on? On a live server? I can only assume they pay peanuts 'cos they certainly employ monkeys.
  • The B.
    While we're at it, don't bother informing the Information Commissioner's Office, they're bloody useless. Do you realise that they've never actually prosecuted anyone for violating data privacy? They've written a few stern letters to the worst offenders though.
  • Matt B.
    "Less than 5% of names on initial investigation are 3 customers. " And it'll probably be even less than that, soon!
  • me
    Hardly personal data under the DPA, same as can be seen in a phone book.
  • Paul Nikkel EDITOR
    You really think so? A name and address regardless of anything else is personally identifiable information and as such is covered under the DPA. Take some time: http://www.ico.gov.uk/what_we_cover/data_protection/the_basics.aspx You can opt out of the phone book. Choosing to stay listed and in the public domain is your choice.
  • Rash
    WTF? Does anyone actually put their address in when signing up to a mailing list? I certainly don't! What a load of crap! The people in the file are actually Three customers - I don't believe them that they are not! I trust Dan took down a complete copy of exactly what he did as evidence? About time Three went down!
  • Ducky
    "What is important to note is that the data only consisted of names and addresses - no consumer financial information was exposed at any point." Ah, so that's okay then. :-)
  • Jimbo
    I reckon they were all 3 customers at one time but over 95% of them left because of the shocking 'customer service'.
  • senseless w.
    Again, another example of a Bitterwallet team totally bored. Perhaps you guys could volunteer to brush the M1.
