It has emerged that Three Mobile could have faced an eye-watering $2.2bn (£1.8bn) fine from Brussels if last week’s hack attack had occurred under the EU General Data Protection Regulation, which is due to come into force in May 2018.
In a move which should make even the most lackadaisical companies sit up and listen, under GDPR, data breaches can result in the parent company coughing up as much as 4% of global turnover.
The Hutchison Whampoa group, which owns Three Mobile, is quoted on the Hong Kong Stock Exchange and had a global turnover of $53bn (£43bn) last year.
The news comes amid a major customer backlash against the mobile giant’s handling of last week’s data breach, with many demanding to know why they were only informed of the issue through the media.
The company has now confirmed that “only” 133,827 users – out of a potential 6 million – were affected by the hack, which saw personal details, including name, phone number, phone type, date of birth, address, marital status, previous address, gender, employment status and email address compromised.
Meanwhile, Three Mobile’s boss, David Dyson, has claimed that personal data was not the primary target of the attack, insisting that the thieves were simply trying to get their mitts on new handsets.
The company initially responded to queries on social media before posting a statement to its website which contained a customer service number. But many customers were fuming about how long it took Three to provide them with information, saying that social media was not the way to announce such a major breach.
One customer tweeted: “@ThreeUK appalled – no communication from Three about data breach. Got everything from the press. #unacceptable.” Three says it has now started contacting the affected customers and increased security.
In a statement, Dyson said: “We are now contacting all of these customers today to individually confirm what information has been accessed and directly answer any questions they have. We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently.”
Three men have been arrested and released on bail over the incident.