
Alternative broadband ISP Brsk, which last year merged with Netomnia’s growing multi-gigabit speed Fibre-to-the-Premises (FTTP) network (here), has reportedly been hit by a major data breach that is claimed to have resulted in 230,105 customer records being exposed to hackers. The database has since been put up for sale.
The breach appears to have been first spotted by the DailyDarkWeb, which is a community of volunteers dedicated to monitoring the unseen layers of the digital world and one that has often been credited with spotting a number of past leaks related to UK companies and telecoms providers. Sadly, the same today appears to be true for Brsk.
“A threat actor is advertising the alleged customer database of BRSK (brsk.co.uk), a UK-based telecommunications company specializing in full fibre broadband. The actor is offering the dataset, which contains 230,105 records, on a hacking forum, with a sample provided and a price set for negotiation via direct message,” said the website.
The breach is said to contain various personal customer details, including names, email addresses, physical addresses, phone numbers, installation/booking details, brsk ID numbers, location data and also data that identifies whether the customer is considered to be a vulnerable user (e.g. customers with telecare needs etc.). The latter is particularly worrying, as such users are often a prime target for phishing and scams.
However, so far as we can tell, the database does not appear to contain any financial details, logins or passwords, although that may come as small comfort to the internet provider’s many customers exposed by this leak.
A spokesperson for Brsk told ISPreview:
“Brsk is investigating an incident involving unauthorised access to one of our customer database systems. We have established that the information involved is limited to basic customer contact information. No financial information, passwords, or account login credentials were affected. At this stage, there is no evidence to suggest that any of the information has been misused.
We understand that incidents of this nature can cause concern, and we are treating this matter with the highest level of seriousness. We have informed affected customers and as an additional precaution, we are offering them 12 months of free personal, financial and web-monitoring services provided by Experian. We have also engaged specialist security partners to assist with our investigation. The ICO, the police and relevant regulatory authorities have all been informed.”
Unfortunately, a number of internet providers have, over the past few years, suffered from a variety of similar data breaches. One of the biggest occurred at TalkTalk in October 2015 and resulted in the release of details belonging to 156,959 customers, which, after a long investigation, led to the Information Commissioner’s Office (ICO) hitting the provider with a £400,000 fine in 2016 (here).
Suffice to say that Brsk could be facing a significant fine in the future, and that’s before we consider the reputational damage that such things tend to cause. However, it could potentially be a long time before the ICO reach that stage, not least because the regulator is currently backlogged with cases. For example, the ICO are still understood to be investigating Lyca Mobile UK’s 2023 Data Breach, which took place over two years ago (here)!
The following is a copy of the email that customers have received in connection with this event.
Brsk’s Data Breach Email to Customers
We sincerely regret to inform you that some of your data stored on one of our systems, which is used to process new installations on the Brsk broadband network, has been accessed without our permission. There’s no evidence that any of the information has been misused, however we ask you to be vigilant for any unexpected emails or phone calls that may appear to come from Brsk.
What information is involved?
The information is limited to the contact details you provided when you placed your Brsk broadband order. This includes: name, surname, email address, contact number and physical address.
We would like to assure you that no financial information (such as bank or debit/credit card information) is stored on this system and therefore none was compromised.
None of your Brsk passwords or login credentials were affected.
What happened?
A third party gained unauthorised access to the system containing certain customer contact information. This system is entirely separate from our core network and operational infrastructure, all of which remain fully secure.
What we have done
Upon discovery, we immediately activated our security protocols, locked down the system affected and launched an investigation. Additional security measures have been implemented, and the customer data has been removed from the affected environment. We have also notified the relevant authorities in line with our legal and regulatory obligations.
What this means for you?
We are sharing this update to keep you informed. If anything appears unusual or you receive unsolicited requests for your personal details from Brsk, please take care and contact us directly if you’re unsure.
We will never reach out to ask for your financial information, passwords, or account login details by phone, email or text. If we ever require you to confirm this, we will only ask you to do so through our secure online customer portal.
Are your broadband services or core network impacted?
No. The affected system is separate from our core network and operational infrastructure, which continue to operate securely.
How are we resolving this?
To support you with monitoring your personal information for certain signs of potential identity theft, we are offering you 12 months of free personal, financial and credit monitoring services, provided by Experian, one of the UK’s leading Credit Reference Agencies.
Yup – But to be fair they have offered us 12 months of Experian Protect which works – More than some companies have done in the past.
How much are the hackers asking for? It’s not that long ago BT compiled all their customers’ info into a big book and sent it to everyone for free.
Is it worth taking the Experian offer? I am one of those affected.
I want compo