U.K.-based Lyca Mobile has confirmed intruders accessed customers’ personal information after breaking into its systems.
Lyca Mobile, the London-headquartered mobile virtual network operator (MVNO) that piggybacks off network operator EE’s infrastructure, said earlier this week that it had been the target of a cyberattack which caused widespread disruption for millions of its customers, except those based in the United States, Australia, Ukraine and Tunisia.
In an update published on Friday, Lyca Mobile said that it first detected the incident on September 30 and took “immediate action to contain the incident,” such as isolating and shutting down compromised systems. Despite this, the company said that attackers have accessed “at least some of the personal information held in our system.”
While Lyca Mobile didn’t say what kinds of data was stolen, the company said that it holds customer information including names, dates of birth, addresses, copies of identity documents — such as copies of passports or identity cards — as well as customer service interactions, and some payment card information, including the last four digits of customers’ credit card numbers.
Lyca also suggested that customer passwords may have been compromised during the incident. Lyca said it encrypts data in-transit and at-rest, including passwords. When asked by TechCrunch, the company declined to comment on what type of encryption it uses. It’s not yet known if the intruders accessed or stole the company’s encryption keys.
Lyca Mobile has not said how many customers were affected by the incident. The company, which claims to be the world’s largest MVNO, says it has more than 16 million customers globally. Lyca has also yet to confirm how it was compromised or the nature of the security incident, though the company’s confirmation of data theft suggests the incident could be linked to ransomware.
Lyca Mobile spokesperson Cara Whitehouse declined to comment when reached by TechCrunch on Friday as the company is “still working with forensic investigators to assess the full impact on our systems.”
While much of the disruption caused by the cyberattack has been resolved, such as making national and international calls, Lyca Mobile said on Friday that it is currently unable to provide users with port authorization codes, which allow customers to transfer their phone numbers between cell networks. Lyca told TechCrunch earlier this week that customers in some markets remain unable to top-up their balances online.
Lyca Mobile previously told TechCrunch that it notified the U.K.’s Information Commissioner’s Office of the incident. ICO spokesperson Adele Burns said Lyca “has made us aware of an incident and we are assessing the information.”
Updated with comment from the ICO.