ICO Confirms it’s Still Investigating Lyca Mobile UK’s 2023 Data Breach

In a small update, the Information Commissioner’s Office (ICO) has confirmed to ISPreview that their investigation into the September 2023 cyberattack and data breach of mobile network operator Lyca Mobile (here) is still “ongoing“. But the ICO declined to answer why it was taking so long to reach a conclusion.

The original attack, which disrupted Lyca Mobile’s systems and connectivity services across the UK for a period of time, also resulted in hackers being able to access “at least some of the personal information held in our systems“. Back in early October 2023, Lyca said it would “take some time to fully complete our investigations,” although no further public updates appear to have been issued.

The last time we asked the ICO about their investigation was in March 2024, at which point a spokesperson for the organisation said: “Lycamobile (UK) Ltd made us aware of an incident and our enquiries are ongoing.” By comparison the latest update from Rashana Sweidan Vigerstaff, the ICO’s Senior Communications Officer, simply confirmed that the “investigation is ongoing, therefore we will not be able to provide any further comment.”

The hope is that, one of these days, the ICO may actually be able to reveal more information about what happened, which could present another headache for Lyca given their ongoing multi-million dispute with the HMRC over the VAT treatment of customer “bundles” (here). Not to mention issues with the auditing of their accounts (here) and the recent announcement of significant UK job losses (here). The ICO often imposes fines on companies for major breaches of personal customer data.