
Concern as UK Broadband ISP Brsk Hit by Major Customer Data Breach

Thursday, Nov 27th, 2025 (6:04 pm) - Score 12,560

Alternative broadband ISP Brsk, which last year merged with Netomnia’s growing multi-gigabit speed Fibre-to-the-Premises (FTTP) network (here), has reportedly been hit by a major data breach that is claimed to have resulted in 230,105 customer records being exposed to hackers. The database has since been put up for sale.

The breach appears to have been first spotted by the DailyDarkWeb, which is a community of volunteers dedicated to monitoring the unseen layers of the digital world and one that has often been credited with spotting a number of past leaks related to UK companies and telecoms providers. Sadly, the same today appears to be true for Brsk.

“A threat actor is advertising the alleged customer database of BRSK (brsk.co.uk), a UK-based telecommunications company specializing in full fibre broadband. The actor is offering the dataset, which contains 230,105 records, on a hacking forum, with a sample provided and a price set for negotiation via direct message,” said the website.


The breach is said to contain various personal customer details, including names, email addresses, physical address, phone numbers, installation/booking details, brsk ID numbers, location data and also data that identifies whether the customer is considered to be a vulnerable user (e.g. customers with telecare needs etc.). The latter is particularly worrying, as such users are often a prime target for phishing and scams.

However, so far as we can tell, the database does not appear to contain any financial details, logins or passwords, although that may come as small comfort to the internet provider’s many customers exposed by this leak.

A spokesperson for Brsk told ISPreview:

“Brsk is investigating an incident involving unauthorised access to one of our customer database systems. We have established that the information involved is limited to basic customer contact information. No financial information, passwords, or account login credentials were affected. At this stage, there is no evidence to suggest that any of the information has been misused.

We understand that incidents of this nature can cause concern, and we are treating this matter with the highest level of seriousness. We have informed affected customers and as an additional precaution, we are offering them 12 months of free personal, financial and web-monitoring services provided by Experian. We have also engaged specialist security partners to assist with our investigation. The ICO, the police and relevant regulatory authorities have all been informed.”

Unfortunately, a number of internet providers have suffered similar data breaches over the past few years. One of the biggest occurred at TalkTalk in October 2015 and resulted in the release of details belonging to 156,959 customers; after a long investigation, the Information Commissioner’s Office (ICO) hit the provider with a £400,000 fine in 2016 (here).

Suffice to say that Brsk could be facing a significant fine in the future, and that’s before we consider the reputational damage that such things tend to cause. However, it could potentially be a long time before the ICO reach that stage, not least because the regulator is currently backlogged with cases. For example, the ICO are still understood to be investigating Lyca Mobile UK’s 2023 Data Breach, which took place over two years ago (here)!


The following is a copy of the email that customers have received in connection with this event.

Brsk’s Data Breach Email to Customers

We sincerely regret to inform you that some of your data stored on one of our systems, which is used to process new installations on the Brsk broadband network, has been accessed without our permission. There’s no evidence that any of the information has been misused, however we ask you to be vigilant for any unexpected emails or phone calls that may appear to come from Brsk.

What information is involved?

The information is limited to the contact details you provided when you placed your Brsk broadband order. This includes: name, surname, email address, contact number and physical address.

We would like to assure you that no financial information (such as bank or debit/credit card information) is stored on this system and therefore none was compromised.

None of your Brsk passwords or login credentials were affected.

What happened?

A third party gained unauthorised access to the system containing certain customer contact information. This system is entirely separate from our core network and operational infrastructure, all of which remain fully secure.

What we have done

Upon discovery, we immediately activated our security protocols, locked down the system affected and launched an investigation. Additional security measures have been implemented, and the customer data has been removed from the affected environment. We have also notified the relevant authorities in line with our legal and regulatory obligations.

What this means for you?

We are sharing this update to keep you informed. If anything appears unusual or you receive unsolicited requests for your personal details from Brsk, please take care and contact us directly if you’re unsure.

We will never reach out to ask for your financial information, passwords, or account login details by phone, email or text. If we ever require you to confirm this, we will only ask you to do so through our secure online customer portal.

Are your broadband services or core network impacted?

No. The affected system is separate from our core network and operational infrastructure, which continue to operate securely.

How are we resolving this?

To support you with monitoring your personal information for certain signs of potential identity theft, we are offering you 12 months of free personal, financial and credit monitoring services, provided by Experian, one of the UK’s leading Credit Reference Agencies.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
Comments
31 Responses


  1. Simon says:

    Yup – But to be fair they have offered us 12 months of Experian Protect which works – More than some companies have done in the past.

    1. Onlyme says:

      So BRSK customers have to do the leg work for an ISP who had a very weak background security to their system.
      They have sent out the usual we’re sorry but they are not.
      But we’re going to get fined for this they say as if it’s the customers’ fault.
      Customers to get thousands of unwanted e-mails, texts, and calls, and OAPs primed to be scammed because BRSK deemed customers’ details not important enough to have been put behind better security protocols.
      Soon as they are fined bills will go up.

  2. john_r says:

    How much are the hackers asking for? It’s not that long ago BT compiled all their customers’ info into a big book and sent it to everyone for free.

    1. Billy Shears says:

      You could opt out of being in that.

    2. john_r says:

      Weirdly, they’re still doing it. The latest editions of the book can be downloaded from the BT website in PDF form. Name, full address, phone number. Same as the data leaked from Brsk save for email. Now, sure, you can opt-out but you’ve got to know to opt-out. It’s probably going to be mostly older, vulnerable people in there. Do people know BT are publishing their data in a convenient PDF for scammers? Do the scammers know about this resource!? I wonder.

    3. Rob says:

      Huh? What book? If I opt out now will they remove me from any published PDFs? Where is this book?

  3. shaun gerrard says:

    Is it worth taking the Experian offer? I am one of those affected

    1. FANNY ADAMS says:

      Yes, you can turn on CREDIT LOCK which means anyone using Experian as their credit reference agency for checking new credit applications gets refused. They also keep an eye on dark web.

    2. Simon says:

      I did – got the £10,99 protect product which gives you full access to everything and is updated every time you log in. (file, score and protect) – First thing I did was turn on Credit lock.

  4. Oli Higgins says:

    I want compo

    1. FANNY ADAMS says:

      Unlikely. No financial data leaked and other leaks in majority of cases was no compo. The company are at least offering Experian Protect, more than others that have been in a worse situation with data leaks.

      After the data leak, BRSK will be very secure, their CISO and CEO will make sure 🙂

    2. AD says:

      You’ll probably want compensation for your hamster, cat and dog as well because somehow you’ll try to claim they were affected too

    3. Simon says:

      Three sold my number 2 years ago. I’ve been getting 5-6 robocalls a day for over 6 months so I dumped it.

      Not a penny – they even stung me for leaving early

      Good luck with that

  5. Freddie says:

    I have requested to leave this company before now as I’m in mid contract and they refuse point blank they give you credit instead and now this happens
    Trust me people warn about virgin media they can’t hold a candle to brsk they are a pile of sad and pathetic customer service

    1. NE555 says:

      > I have requested to leave this company before now as I’m in mid contract and they refuse point blank

      Yes, that’s what a “contract” is. If you don’t want to be bound by it, don’t enter into it.

  6. BRSKUserG says:

    I’ve had the e-mail and the Experian offer. Is it worth going for it?

  7. Shaukat says:

    The Experian offer is a good gesture, but reputational damage for an altnet could be significant, if the data leak got into the wrong hands, which is my worry, as a customer of BRSK. I may write to them asking for further details.

    It may be worth using the following resource https://haveibeenpwned.com for a manual check

    1. MissTuned says:

      I had the same type of info breached in another breach of a cloud gaming service called Shadow (name, address, email, phone and a hashed password in that case). I kept an eye on my credit, but nothing came up, the only thing that happened was I started to receive a lot of those “I’ve been watching you watching porn” bitcoin scam emails to the email address that I used only on the breached service (I use Fastmail which lets you use a unique email for each service).

      Companies really need to beef this stuff up – in the Shadow case it was because some stupid kid on the support team had been using Discord on the same computer that they used for work, and they were an idiot and pasted some code from a Discord “friend” or something. There should be personal consequences for individual employees whose poor security practices cause breaches, not just the company.

    2. john_r says:

      >> There should be personal consequences for individual employees whose poor security practices cause breaches, not just the company.

      I’m sure most companies have disciplinary procedures in place to deal with that. However, should be careful to ensure the employees have had proper training on data security before taking any action against them. A lot of companies offer no training and maybe that should change in law!

    3. Simon says:

      Thanks – for me it was Shadow in 2023 – and then I thought I got all my info removed under French GDPR but apparently my old info was leaked again last year. Not that it’s relevant anymore.

  8. QAd47uk says:

    This is happening far too often, it seems like companies are at the mercy of hackers, when it is your time to be hacked, then you will be.
    This is the problem with relying on online databases and having info shoved in god knows where.
    Even large companies have been hacked, and now with AI, it could be even easier.

    I can understand why a couple I know stay offline and do everything the old way or as much as they can. But even doing that makes little difference since their details are still stored in databases available to the world.

    It is worrying for a lot of people, certainly with so many scams going around.

    1. Name says:

      Only companies that are ignoring security measures etc. But definitely there is more to come especially from companies valuating vibe coding.

    2. 125us says:

      If you want more than one person to be able to access a database it has to be ‘online’. There’s an argument about on-prem versus cloud, but both are targets for hackers.

      The alternative is a return to paper records and even then burglars exist.

  9. CJ says:

    “accessed without our permission”, “gained unauthorised access to the system”

    Because accessed sounds less serious than downloaded a copy of all the information.

    “The information is limited to the contact details you provided”

    If they know it includes information about vulnerabilities, that is a lie. Cowardly behaviour by Brsk management there.

    “There is no evidence to suggest that any of the information has been misused”

    Hackers are selling copies of the information, is that not misuse? I doubt their privacy policy states it is a valid use. And what might the buyers do with the information that DOESN’T constitute misuse?

    How a company responds to a data breach says a lot about them. Brsk aren’t in my area, but after reading that email to their customers I wouldn’t go near them if they were.

    1. smelly welly says:

      they sent a different email to vulnerable customers highlighting this fact

    2. CJ says:

      @smelly welly Glad to hear that. As well as their legal obligation to inform the customers, some of those vulnerable customers may need more tailored ongoing support than just credit monitoring.

  10. John says:

    This will be a regular occurrence once digital id is in play except they will be able to take ALL of the centralized data rather than just the basics

    1. 125us says:

      How do you think that that will happen? Your ID is not a password, nor does it replace 2FA.

    2. Ad47uk says:

      Is it all going to be centralised? There could be links, there was a big stink when Blair wanted to bring out an I.D card, not so much because of the card, but the database behind it.
      I have seen posts from people saying that it could be hacked, and they are not going to have the app on their phone, fair enough there will be no law to say you have to, but it makes no difference, the data will still be online.

      Digital I.D will no doubt go to bits like other government I.T stuff, they will muck it up, I doubt it will bother me much at 60, I doubt I am going to get a new job.
      That is if it ever happens.

    3. john_r says:

      It depends what data you mean. For example your medical records are not going to be in the same place as your identity information. The big issue with digital ID is the potential for surveillance. It’s perfectly possible to implement a zero knowledge system where the actual ID data is copied to your phone or a physical card and then you choose what to share and with who. In this scenario the government don’t get any information about how you use your ID and so there wouldn’t be a whole lot to leak. This would actually be pretty good and I would be happy to carry that! However, the government have made it clear this is not how it will work. They will log every time it is used, with who and for what purpose. Anything you might need to use ID for, and let’s be honest if they introduce this it will be de facto mandatory, will all be logged centrally and subject to leaks and government snooping. Dystopian.
