UPDATE..

No more information was ever forthcoming from EE on this issue.  We called them back and supplied the original incident number.. which surprise, surprise didn’t exist.  When I asked about the reason for my being given an incident number that didn’t exist, the service person complained of a bad line and said that they would call me back.

It’s been a few weeks with no call back.. Hmmm..

So, yesterday, I was using the MyEE app to check my upgrade status.  I logged into the app on my phone with my fingerprint, tapped the link in the app to upgrade and as usual the app informed me that I was leaving the app and would be sent to the online store (https://shop.ee.co.uk). 

Right before being redirected to the online store, a message pops up telling me that I need to change my password as EE were upgrading their security.  Well, I thought, not at this time as I know my password is very secure (20 characters, all random, symbol, letters and numbers with mixed case).  I hit cancel on the prompt, and it took me straight into my account online. 

Now this is where it gets interesting.  It was another person’s account.  Different name, different mobile number, different phone.  I could browse this person’s account, billing and change the account password.  Ouch! 

I called EE after a quick search on the internet turned up a data breach at T-Mobile in the USA where 20 million account holders’ details had been found to be for sale on the Dark Web. 

After speaking to a technical consultant, I was informed that it was just a ‘glitch’ on their systems and that it wouldn’t happen again.  I reminded him that if it could happen to me, what’s to say that it couldn’t happen to someone else, who could then gain access to my account?  GDPR issue anyone? 

I was then passed onto a manager who I asked if he was aware of a data breach at EE, and was told no.  He told me that EE was aware of the T-Mobile breach and that EE were currently looking to see if that breach contained any account information from UK customers. 

I also asked him if he was aware that the Android MyEE app was asking customers (when taking them to the ShopEE store) to change their passwords due to EE upgrading their security.  He wasn’t aware of that either.  He assured me that he would pass that information onto the app team. 

I had managed to get that popup twice more after exiting the app and going from the app to the online store.  I removed the app and re-installed it from the Android store once more – no security popup now. 

He asked me to go to the EE website, login to my account and change my password – just to make sure that my account was secure – I’d already done that.  I was then text a case number for a fraud / data breach case that he’d opened and promised to update me.