
Mobile provider easySim.global, which is part of the Stelios-linked easy® family of brands (easyJet, easyCar etc.) and offers low cost travel data (mobile broadband) to use all around the world via eSIM, has informed customers that they recently suffered a data breach after their database was “accessed remotely by a hacker”.
The incident itself appears to have occurred after the hacker(s) gained unauthorised access to one of the company’s servers on 5th August 2024 at 1:22pm due to an unspecified “server vulnerability”, although customers affected by the hack started to receive an email notification about the event a few days later.
The good news is that no security (passwords etc.) or financial data was compromised, but customer names and email addresses were exposed. In addition, in a “very small number of cases”, this is also said to have included customer phone numbers. One of ISPreview’s readers (Upminster309) has kindly posted a copy of the email they received on Tuesday of this week, which we’ve published below.
Interestingly, the email reveals that the hacker has then gone on to contact a number of the affected customers and that easySim.Global have already self-reported the data breach to the UK’s Information Commissioner’s Office (ICO) for further investigation, which could potentially result in a financial penalty further down the line. But the ICO typically take quite a long time to investigate such incidents.
Copy of easySIM’s Customer Email
Dear xxx,
It has come to light that our customer database was accessed remotely by a hacker late yesterday, and a small amount of customer data has been compromised.
We regret to inform you that the following data has been exposed in the data breach:
Your name
Your email address
We would like to apologise sincerely for this data breach, caused by a vulnerability on one of our servers, which has now been rectified.
We would like to confirm that no other data has been exposed, such as your phone number, account password or payment details. Please be aware that we do not store customer payment details on our systems at any time. Furthermore, the hacker has no way of accessing your easySim.global account, your phone or eSIM, all of which continue to be safe to use.
However, the hacker, who has so far used the name Anton Green, has contacted some of our affected customers. If this happens, please forward any email to support@easysim.global immediately.
The Information Commissioner’s Office (ICO) has been notified and we are doing everything possible to inform affected customers. Please see the statement on our website, with details of the extent of the breach and the action we have taken. We continue to protect the integrity of our systems and would like to apologise again for any inconvenience and distress caused by this data breach.
If you need any further information, please contact us at support@easysim.global or call us on +44 (0)23 9277 8833 and press option 4 to leave a message and we will call you straight back.
Best regards
Richard Gwilliam
Director
easySim.global
EasySim.global has also posted a statement on their website, which appears to have been published the day after the event itself occurred, and largely echoes the above email. The company also confirms that only those affected by the data breach will be receiving an email about it.
UPDATE 1:14pm
The operator has posted an update to confirm that the ICO have already concluded their investigation and “will not be taking any formal regulatory action on this occasion”. The decision is apparently “due to the particular facts of the case and the remedial measures we have taken following the incident”, as well as the fact that it was a small-scale breach.
Richard Gwilliam, co-founder of easySim.global, said:
“I am personally mortified that we were exposed to this hack. Our system was designed from the ground up to protect personal data. This is why it was only a small number of email addresses that were exposed when the breach occurred, and an even smaller number of telephone numbers. The cause of the data breach was human error whilst working on a development system for our support. We have introduced a measure that will prevent this type of human error from ever happening again.
I would like to personally reassure everyone that passwords on our system are and will remain 100% secure. They are encrypted and nobody (not even us) is able to decode them. And we do not record payment details so you can be sure that your payment details are also 100% secure.
Under GDPR regulation, the breach was so small that we were under no obligation to notify our customers. However, in the interests of honesty and transparency, I felt it right to do so.”
We do have to credit easySim.Global for doing a better job on the communication front than some other telecom operators we’ve covered over the years.
Just over a year old (see https://www.ispreview.co.uk/index.php/2023/06/uk-easy-group-to-launch-easysim-for-low-cost-mobile-travel-data.html) and they’ve already been breached? Not good…