Lyca Mobile UK Confirm Personal Data Breached by Hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker

Mobile operator Lyca Mobile, which last week confirmed that it had been struck by a serious cyberattack that disrupted their systems and connectivity services across the UK (as well as in various other countries), has now confirmed that the hackers also “accessed at least some of the personal information held in our systems“.

Just to recap. Customers first began noticing problems on Friday 29th September 2023 (around midday), with many reporting that they’d been unable to make mobile calls or send text (SMS) messages, while others struggled to contact customer support or to top up their credit via Lyca’s website. The connectivity problems in particular were quite sporadic, affecting some users but not others.

NOTE: Lyca is a Mobile Virtual Network Operator (MVNO) on EE’s platform in the UK.

The operator’s latest update notes that they “first became aware of this on 30th September and took immediate action to contain the incident“, which included isolating and shutting down systems where appropriate, while also instructing security and other experts to help them investigate, protect customer data and restore their systems.

However, at the time of Lyca’s previous update on 3rd October (here), the operator was still investigating whether any personal data had been compromised and as part of that they proclaimed to be “confident that all our records are fully encrypted.” But the latest update, which was posted just before the weekend (sorry we didn’t spot it up until now), appears to contradict this and indicates that the “attackers have accessed at least some of the personal information” they hold.

Lyca’s Statement

It will take some time to fully complete our investigations and carefully restore all of our systems, but it is now clear to us that the attackers have accessed at least some of the personal information held in our systems. We now believe this includes at least some customer data, so we are writing to advise you to be vigilant in case of any suspicious activity.

The main types of personal information which we hold in connection with our customers are set out below.

  • Identification information: where you have given them to us we may hold your name, address, date of birth, alternative contact number and/or email address.
  • Where provided to us, any identity information such as proof of address, copies of passports, identity cards or similar information that was provided to us as part of your initial verification when you purchased your phone service.
  • If you have set up an online account, such as MyAccount, with Lyca Mobile then we may also hold a password for you. Our policy is to ensure that passwords are encrypted in our systems, but since we do not yet have full details of the cyber attack, please see the recommended actions below. 
  • Customer service interactions: some interactions between customers and our customer service team are recorded (having been selected at random) and those records are held for up to 60 days. 
  • If you have chosen to store a credit card in your online account then we will also hold the last four digits of your credit card number and its expiration date. The full credit card number will also be held, but will be encrypted for additional security and we consider the risk of any access to be very low. We do not hold the 3 digit CVV code in any form. 

We would also like to flag to customers that our number porting functionality has been affected by the attack on our systems. We are currently unable to provide users with PAC codes. We sincerely apologise for the inconvenience caused and are working around the clock to ensure this and all other functionality is restored as quickly as possible.  

As a result of this Lyca are currently asking customers with a password for their service to reset it (including on any other services if the same PW is reused) and recommending that users “remain vigilant for any suspicious activity“, such as phishing attempts, fraud or nuisance marketing communications. “Criminals may use your personal details to target you with convincing emails, texts and calls,” said the operator.

The security of your personal information is very important to us and as our investigation progresses, we will consider whether we need to take any further steps to help protect that information. While we hope to bring all of our systems back online as soon as possible, we are doing so carefully to minimise any further issues,” added Lyca.

Lyca also confirmed that both Ofcom and the Information Commissioner’s Office (ICO) are being kept up-to-date about events. In the case of the ICO, we expect that an investigation is likely to follow and if a data breach is confirmed then, for a company of Lyca’s size, it’s likely to result in a fine. How big that fine is will depend upon the scale of the breach and at this stage there are still a lot of unknowns.


Click Here For The Original Story From This Source.

National Cyber Security