Commenting on the news that mobile network Three is the latest victim of a cyber attack, Joe Hancock, Cyber Security Lead at Mishcon de Reya said:
“Almost certainly, the reason we know about this breach is because Three had a regulatory obligation to tell its customers. Without this, this news may not have seen the light of day.
“Given that the new GDPR will drive more notifications like this, how a company manages the communication around such incidents is becoming more critical.
“In this instance, it seems that customer information was both ‘accessed’, rather than ‘lost’ in bulk, so – whilst in reality it’s possible some data didn’t go anywhere – Three may struggle to prove it.
“As a result, there will likely be the reputational fall out similar to what we would expect from a large scale data theft. Already, the language used around Three mirrors that used around TalkTalk’s breach. It is therefore perhaps better not to go on the record until the business has a clear understanding of how much data and which customers are affected by the breach. Now every Three customer is concerned.
“It appears that the people behind the breach have been caught, greatly increasing the possibility of preventing use of the data and making financial recoveries from the cyber criminals. Acting quickly is essential to prevent further fraud and to secure the evidence available if there is to be any chance of recovery.”