Mobile operator Lyca Mobile, which last week confirmed that it had been struck by a serious cyberattack that disrupted their systems and connectivity services across the UK (as well as in various other countries), has now confirmed that the hackers also “accessed at least some of the personal information held in our systems“.
Just to recap. Customers first began noticing problems on Friday 29th September 2023 (around midday), with many reporting that they’d been unable to make mobile calls or send text (SMS) messages, while others struggled to contact customer support or to top up their credit via Lyca’s website. The connectivity problems in particular were quite sporadic, affecting some users but not others.
The operator’s latest update notes that they “first became aware of this on 30th September and took immediate action to contain the incident“, which included isolating and shutting down systems where appropriate, while also instructing security and other experts to help them investigate, protect customer data and restore their systems.
However, at the time of Lyca’s previous update on 3rd October (here), the operator was still investigating whether any personal data had been compromised and as part of that they proclaimed to be “confident that all our records are fully encrypted.” But the latest update, which was posted just before the weekend (sorry we didn’t spot it up until now), appears to contradict this and indicates that the “attackers have accessed at least some of the personal information” they hold.
Lyca’s Statement
It will take some time to fully complete our investigations and carefully restore all of our systems, but it is now clear to us that the attackers have accessed at least some of the personal information held in our systems. We now believe this includes at least some customer data, so we are writing to advise you to be vigilant in case of any suspicious activity.
The main types of personal information which we hold in connection with our customers are set out below.
- Identification information: where you have given them to us we may hold your name, address, date of birth, alternative contact number and/or email address.
- Where provided to us, any identity information such as proof of address, copies of passports, identity cards or similar information that was provided to us as part of your initial verification when you purchased your phone service.
- If you have set up an online account, such as MyAccount, with Lyca Mobile then we may also hold a password for you. Our policy is to ensure that passwords are encrypted in our systems, but since we do not yet have full details of the cyber attack, please see the recommended actions below.
- Customer service interactions: some interactions between customers and our customer service team are recorded (having been selected at random) and those records are held for up to 60 days.
- If you have chosen to store a credit card in your online account then we will also hold the last four digits of your credit card number and its expiration date. The full credit card number will also be held, but will be encrypted for additional security and we consider the risk of any access to be very low. We do not hold the 3 digit CVV code in any form.
We would also like to flag to customers that our number porting functionality has been affected by the attack on our systems. We are currently unable to provide users with PAC codes. We sincerely apologise for the inconvenience caused and are working around the clock to ensure this and all other functionality is restored as quickly as possible.
As a result of this Lyca are currently asking customers with a password for their service to reset it (including on any other services if the same PW is reused) and recommending that users “remain vigilant for any suspicious activity“, such as phishing attempts, fraud or nuisance marketing communications. “Criminals may use your personal details to target you with convincing emails, texts and calls,” said the operator.
“The security of your personal information is very important to us and as our investigation progresses, we will consider whether we need to take any further steps to help protect that information. While we hope to bring all of our systems back online as soon as possible, we are doing so carefully to minimise any further issues,” added Lyca.
Lyca also confirmed that both Ofcom and the Information Commissioner’s Office (ICO) are being kept up-to-date about events. In the case of the ICO, we expect that an investigation is likely to follow and if a data breach is confirmed then, for a company of Lyca’s size, it’s likely to result in a fine. How big that fine is will depend upon the scale of the breach and at this stage there are still a lot of unknowns.
Wait – Lyca are holding the card details themselves? You’d think they’d use a payment gateway/provider to do that surely? (For things like this, you then have that segregated)
“We are currently unable to provide users with PAC codes.”
This is interesting. I wonder if OFCOM have given them a deadline to resolve, as they’re now basically holding people’s numbers hostage of people who may actually not want service anymore. (They going to disconnect those numbers / release them?? – be interesting if OFCOM comment though I doubt it if this is still ongoing)
No, they don’t hold full number, only 4 last digits and expiry date
Did you even read the article??
“The full credit card number will also be held, but will be encrypted for additional security and we consider the risk of any access to be very low.”
I charged bundle for £12 and the invoice that I have received was for “Pakistan plan” and of course isn’t working. I tryed to email Lyka about refund!!! I want my money back! If is proble they should protect people, not to leave them to loose money. I think to change my provider!!!
Data breaches like this should be punishable by death. The entire board of Lyca should hang – this would set an example to other companies who fail to protect our data.
I, for one, am thankful we don’t live in that kind of extremist society. Equally we shouldn’t forget that those ultimately responsible for this are the hackers and no modern network system can ever be 100% secure – no matter what you do, a clever enough hacker will always find a way. Maybe execute the hackers first?
Lyca may well have had lapses in their network security, as would not be unsurprising for a big business, but mass execution for a data breach seems a little harsh. Who in their right mind would then ever even want to launch a business with an online element?
I strongly encourage everyone to regularly review what data you provide online. Remove card info, use disposable emails / hide my email on iOS, nicknames. Privacy is protection.
As to take a positive from this, it’s been a wake-up call to what data I trust companies with. Things are only going to get worse and more companies breached.
That’s great Pabs, no better time than today to be more privacy conscious
This is why I use two bank cards (one bank card is £0.01p unless I transfer to it when pay for mobile phone every month) so if the bank card details was stolen by hacker then the hacker can’t spend more 1p on it! lol
My other bank card is for my main security protected to my own only not for online card details.
Lyca should be ashamed of themselves for stored bank card! I hate company doing this!
Presumably you don’t pay for anything by direct debit then?
The primary risk is not around someone debiting your account – fraudulent transactions can be reversed (relatively) easily. The bigger problem from this sort of breach is identity fraud, where someone can take out completely new debts in your name, without your knowledge – until the debt collectors come knocking at the door.
@NE555 apparently the latest trend is for business to be set up in your name and it is very very difficult for you to prove it’s nothing to do with you, and the debt collectors come knocking. There are loopholes in the UK system that allow it to be so easy for fraudsters.
Trouble with these things is so little info is given out for weeks as they try to catch whoever did it. Or cover their rear ends in legal terms.
Oh thank goodness I used their system generated unique password, but I only used the account for a couple of days to check the service out then just tried to cancel it. I’ll look at cancelling it again. I stopped all payments for it.
Pro. I have since shut down my bank account that Lyca had.
Con. I am hoping after doing a CASS switch I will still get my £3.50 back when they finally sort it out.
Thank god I used a revolut disposable virtual card.
Ditto!! I do the same for any company I am not 100 sure on. Just cancel the card if something goes wrong. Love Revolt!
I still haven’t heard a peep from them about this issue. Not surprising considering their total lack of communication with the O2 to EE controversy. Shockingly awful company, but you get what you pay for I suppose. (Though if my credit card gets used fraudulently then I’ll end up paying way more than what I got.)
Same here – zero communication during the outage, and nothing since either! Surely the ICO are not OK with that?
Cyberpunk Programmers employs advanced detection and analysis techniques to identify the extent of the hacking and any compromised areas of your device. This thorough examination ensures that all traces of intrusion are identified and addressed. Not only does CyberPunk remove all traces of hacking, but they also offer comprehensive data recovery solutions. Whether you’ve lost files due to the hacking incident or as a result of the recovery process, their experts can assist in retrieving and restoring your valuable data. Their team of experts provides professional assistance and support throughout the recovery process. They understand the stress and frustration that comes with a hacked phone, and they are dedicated to helping you regain control and providing peace of mind. This group can be contacted through: email
“If you have chosen to store a credit card in your online account ” Clearly drafted by a lawyer in an attempt to minimise liability.
This is a nasty one. I suspect it is going to be the subject of ICO fines and class action.
Only sensible to stop PAC code transfers as the hackers will be wanting to use the data that have to transfer your number to their SIMs and hence have 2FA access to your Lyca clients bank accounts, internet accounts etc.
Stop being daft David
I moved my number away from Lyca today, the moment I had my PAC. I have a platinum number and was not worth the risk being on Lyca. I think they have a lot to learn from this breach, I don’t blame them but it’s left all their customer feeling very vulnerable, not to mention lack of service for over a week.
I always use a unique email and Revolut card limiting risk with online purchase.
They have a lot to offer and EE signal is great, they do lack with service and systems though…back to the big networks for me
My Microsoft account has 4 login attempts from Germany yesterday and an attempt from China today. Luckily I’m passwordless on it, so it can only be authorised from my phone, and regardless I use randomised passwords on every service anyways. But this is the first occurrence of this happening to me, and I was (Very briefly, for extra data) an esim customer during the breach.
I doubt the hackers were going to attempt to guess my password by luck… I imagine the passwords have been compromised, or at the very least security questions that may be used to guess passwords.
Anyone else had the same experience? Microsoft records failed attempts to login unlike alot of other website so it can be checked on the security dashboard.
The cyber attack happened when my rolling contract was due. As the payment hadn’t gone through, I followed the message on the helpline and manually added credit bought from a retailer. A few days later I was unable to make calls with my unlimited call credit only to be told I don’t have credit by a very unhelpful customer service rep. Keep the money Lyca, I am moving to another service please and I’ll never be back.
I honestly hope the ICO comes down on them like a ton of bricks. To operate any infrastructure service on this level and allow this type of thing to happen is inexcusable.
for 3 weeks I haven’t been able to charge, it doesn’t work I call customer service too, nothing works I’m disgusted