The cyberattack, which occurred last week, disrupted services for millions of Lyca Mobile customers, except for those in the United States, Australia, Ukraine, and Tunisia.
In an update released on Friday, 6 October, Lyca Mobile disclosed it initially detected the breach on 30 September and promptly implemented measures to contain the situation, including isolating and shutting down compromised systems. Despite these efforts, the company confirmed that the attackers managed to access "at least some of the personal information stored in [its] system."
Although the specific types of data stolen were not specified, Lyca Mobile does collect customer information such as names, dates of birth, addresses, copies of identity documents (such as passports or identity cards), customer service interactions, and partial payment card information (the last four digits of credit card numbers). The company also indicated that customer passwords may have been compromised.
Lyca Mobile encrypts data, including passwords, both in transit (moving between devices and networks, such as across the internet, within a company, or when uploaded to the cloud) and at rest (stored and not actively used, not moving between devices or networks and not interacting with third parties), but does not disclose the encryption methods used. It remains unknown whether the intruders obtained the company's encryption keys.
The number of affected customers has not been disclosed by Lyca Mobile, which claims to be the world's largest mobile virtual network operator (MVNO) with over 16 million customers globally. The company has not revealed the details of how the breach occurred or the nature of the security incident, although the confirmation of data theft suggests a possible ransomware connection.
Lyca Mobile spokesperson Cara Whitehouse declined to comment beyond the initial statement, stating that the company is still working with forensic investigators to assess the full extent of the impact on its systems.
While much of the disruption caused by the cyberattack has been resolved, such as the ability to make national and international calls, Lyca Mobile announced on Friday that it is currently unable to provide users with port authorisation codes, which allow customers to transfer their phone numbers between cell networks. Some markets also continue to experience issues with topping up their balances online.
Lyca Mobile previously informed the UK's Information Commissioner's Office (ICO) about the incident, with ICO spokesperson Adele Burns confirming that they are assessing the information provided by Lyca Mobile.
Lyca Mobile PAC code issues
A number of customers have reported difficulty receiving a porting authorisation code (PAC) from Lyca. You need a PAC to switch to a new network while keeping your existing mobile number.
Rather than trying to contact Lyca for yours, the best approach is to text 'PAC' to 65075 for free. You should get a message back with your PAC within two hours. Ofcom requires providers to send you your PAC within this time frame. If you experience a significant delay or don't get a response, you can report this to the telecoms regulator directly with this online form.
What to do if you have been affected
If you have a Lyca Mobile password, as an extra precaution, Lyca has recommended that you reset it. And if you use that password for other online accounts, you should change it now.
If you have reused the same credentials, including the same password elsewhere (for example, on unrelated websites), you may wish to consider changing those too, as a precaution.
There is also a risk you might be targeted for phishing attempts, fraud or nuisance marketing communications. Criminals may use your personal details to target you with convincing emails, texts and calls.
Be suspicious of unsolicited requests for your personal or financial details. If you receive an email you're not sure about, treat it with caution. If you have been a victim of fraud or cyber crime, contact your bank immediately and report it to the police.
Lyca has also confirmed they are liaising with Ofcom.
For more information, check out our guide on how to spot a mobile phone scam.