Notification to customers
Following investigations carried out as a result of disruption to our network, it has become clear that Lyca Mobile Europe Limited has been the victim of a systems cyber attack. We are working around the clock to ensure that the impact to our customers is minimized.
Lyca Mobile first became aware of this on September 30 and took immediate action to contain the incident, which included isolating and shutting down systems where appropriate. We also instructed leading security and other experts to help us investigate and minimize any impact on your data including the period during which we recover our systems. We have also notified and are in discussions with all of the relevant regulatory authorities.
It will take some time to fully complete our investigations and carefully restore all of our systems, but it is now clear to us that the attackers have accessed at least some of the personal information held in our systems. We now believe this includes at least some customer data, so we are writing to advise you to be vigilant in case of any suspicious activity.
The main types of personal information which we hold in connection with our customers are set out below.
• Identification information: where you have given them to us we may hold your name, address, date of birth, alternative contact number and/or email address.
• Where provided to us, any identity information such as proof of address, copies of passports, identity cards or similar information that was provided to us as part of your initial verification when you purchased your phone service.
• If you have set up an online account, such as MyAccount, with Lyca Mobile then we may also hold a password for you. Our policy is to ensure that passwords are encrypted in our systems, but since we do not yet have full details of the cyber attack, please see the recommended actions below.
• Customer service interactions: some interactions between customers and our customer service team are recorded (having been selected at random) and those records are held for up to 60 days.
• If you have chosen to store a credit card in your online account then we will also keep the last four digits of your credit card number and its expiration date. The full credit card number will also be held, but will be encrypted for additional security and we consider the risk of any access to be very low. We do not hold the 3 digit CVV code in any form.
We would also like to flag to customers that our number porting functionality has been affected by the attack on our systems. We are currently unable to provide users with PAC codes. We sincerely apologize for the inconvenience caused and are working around the clock to ensure this and all other functionality is restored as quickly as possible.
Password resets
If you have a Lyca Mobile password, then as an extra precaution we recommend that you reset that. If you use your Lyca Mobile password for other online accounts, you should change it now. If you have reused the same credentials including the same password elsewhere (eg, on unrelated websites) you may wish to consider changing those too as a precaution and as good practice generally.
Staying vigilant
We remain vigilant for any suspicious activity and are recommending that you please do the same. Given the nature of the information potentially involved, there is a risk you might be targeted for phishing attempts, fraud or nuisance marketing communications. Criminals may use your personal details to target you with convincing emails, texts and calls. Be suspicious of unsolicited requests for your personal or financial details. If you receive an e-mail which you’re not sure about, treat it with caution, or if you have been a victim of fraud or cyber crime, contact your bank immediately and you should report this to the police.
The security of your personal information is very important to us and as our investigation progresses, we will consider whether we need to take any further steps to help protect that information. While we hope to bring all of our systems back online as soon as possible, we are doing so carefully to minimize any further issues. Please bear with us if there are any interruptions to service at this time.
We are also liaising with the Federal Commissioner for Data Protection and Freedom of Information and other relevant authorities.
Contacting us
If you have any questions, you can contact our Customer Services team at
cs@lycamobile.de.
You can also find more information generally about how we handle your personal information and your rights, together with details of our Data Protection Officer, in our website privacy notice. This can be found at
https://www.lycamobile.de/en/help/lycamobile-privacy-policy/
06 October 2023
Marc Payne
Data Protection Officer
