[BreachExchange] Your data was 'taken without permission', customers told, after personal info accessed in O2 UK partner's database

Destry Winant destry at riskbasedsecurity.com
Mon Mar 16 10:20:37 EDT 2020


https://www.theregister.co.uk/2020/03/13/o2_customer_data_slurped_through_partner_databse/

Hackers have slurped biz comms customers' data from a database run by
one of O2's largest UK partners.

In an email sent to its customers, the partner, Aerial Direct, said
that an unauthorised third party had been able to access customer data
on 26 February through an external backup database, which included
personal information on both current and expired subscribers from the
last six years.

The data accessed included personal information, such as names, dates
of birth, business addresses, email addresses, phone numbers, and
product information. The company said no passwords or financial
information was taken.

"As soon as we became aware of this unauthorised access we shut down
access to the system and launched a full investigation, with
assistance from experts, to determine what happened and what
information was affected. We immediately reported this matter to the
Information Commissioner's Office and are actively working on fully
exploring the details of how it happened."

'Sophisticated'

The company said that it was unsure who was responsible for the hack
or what their intentions were. It added that it has "sophisticated
safeguards in place to protect customer information", and was "working
to further enhance security by taking advice from relevant experts".

Based in Fareham, England, Aerial Direct is O2's largest direct
business partner in the UK with more than 130,000 customers. The
company provides IP telephony services and equipment, including
mobile, fixed lines, as well as call, broadband, conferencing and
hosting telecoms. In its most recent accounts, for FY2018, filed in
May last year (PDF), it turned over £21.6m and chalked up earnings
before interest, taxes, depreciation and amortization of £6.9m.

The company has set up a support website for customers affected by the
breach, suggesting they change their passwords and advise their banks,
building societies and credit card companies if they see any dodgy
transactions on their statements.

The company did not reply to The Register's requests for further
information on how it locked down that info. ®

