Lyca Mobile clients in over four dozen countries experienced service disruption after the company suffered a cyber attack that also potentially leaked personal information.
The international mobile virtual network operator (MVNO) said the cyber attack “prevented customers and retailers from accessing top-ups” through its channels. An investigation is in progress to determine whether the incident leaked customer data.
Based in London, United Kingdom, Lyca Mobile operates in 60 countries, serving about 16 million customers, with a “new customer joining every two seconds,” according to its website.
Lyca Mobile cyber attack caused service disruption in most markets
Lyca Mobile said the service disruption caused by the cyber attack “impacted some national and international calling” in all but four markets.
“The issues affected all Lyca Mobile markets apart from the United States, Australia, Ukraine and Tunisia,” the press release stated.
Subsequently, Lyca Mobile enlisted the services of “3rd party technical expertise to complement our internal expertise” to resolve the service disruption and determine whether the cyber attack resulted in a customer data breach.
“Our number one priority is ensuring the safety and security of our customers’ data, and we are urgently investigating whether any personal information may have been compromised as part of this attack,” said Lyca Mobile.
Promising to “keep customers updated on the outcome of our investigation,” Lyca Mobile was confident that the cyber attack had limited impact since most of its “records are fully encrypted.”
However, Roger Grimes, a Data-Driven Defense Evangelist at KnowBe4, believes the attacker likely bypassed encryption.
“I would take Lyca Mobile’s statement on encryption protecting customer records with a grain of salt,” Grimes said. “More than likely, the attacker was on their network and systems using credentials of authorized users. This allows the attacker to access and copy most encrypted data as if it wasn’t encrypted. Encryption isn’t bad, but isn’t nearly as protective against most of today’s attacks.”
According to Grimes, encryption was less effective when protecting “anything beyond stolen computers or USB keys.”
Insisting that it was focused on getting “operational services back up and running,” Lyca Mobile declined to comment on whether the incident was a ransomware attack. So far, no threat group has taken responsibility for the Lyca Mobile cyber attack.
The mobile virtual network operator became aware of the cyber attack over the weekend. According to the Cybersecurity and Infrastructure Security Agency (CISA), “highly impactful ransomware attacks” occur during out-of-office hours, such as weekends and holidays, when security staff are away.
Nevertheless, the virtual mobile telecommunication services provider could be the victim of traditional hacking, as such companies are lucrative targets for various threat groups.
Ordinary cybercriminals target telecommunications companies to steal customer data or bypass multi-factor authentication for account takeover attacks. Similarly, state-sponsored cyber actors target telecoms for cyber espionage.
Meanwhile, law enforcement and regulatory authorities, including the UK’s data watchdog, the Information Commissioner’s Office (ICO), are aware of the Lyca Mobile cyber attack.
Virtual mobile network operator resolved service disruptions
Shortly after the attack, the virtual mobile network operator said it had resolved service disruption in all markets, although operational issues persisted in some areas.
Service disruption could seriously impact customers dependent on Lyca Mobile’s international calling services. Threat actors endeavor to maximize impacts by inconveniencing customers to force companies to comply with ransom demands.
Indeed, Lyca Mobile customers took to social media to complain about service disruption, confirming that the cyber attack had a significant impact.