- The mobile operator’s website homepage showed other customer details when searched by visitors.
- Upon informing, Three UK patched the issue within hours but failed to provide details of the impact.
On Friday, British telecom company Three UK had some of its customers' data leaked out for a while, after a few visitors noticed that the company’s website homepage erroneously displayed other private customers' data.
A visitor by the name Chris tweeted that he found out different customer details popping up on the site’s homepage. The data included customer names, their postal addresses, phone numbers, email addresses, amongst others and were shown randomly.
“When you load their site over your mobile internet connection, it recognizes you and automatically logs you in. I was doing this on my home Wi-Fi (which isn't Three), so it should've required me to log in manually when I first went to their site. I guessed it might've either redirected me to a session for a valid user who was accessing at the same time, or some blip which didn't recognize me and just assigned another user's ID instead.” he told The Register.
Fixes issue within hours
After Chris’ tweet, the telecom company immediately responded that it was working on the issue. It took down the site for a couple of hours and patched the flaw.
However, Three UK has not disclosed the scale of the temporary breach following the fix. Information Commissioner’s Office, which oversees data privacy and information rights in Britain, told media that Three UK has informed them of the incident.
A total of four visitors reported Three UK of this issue. Interestingly the only difference was, they could get the details without even logging in.