Lyca Mobile customer billing data likely compromised

Paul Wilkinson

2024-06-14

Introduction

Lyca Mobile (aka Lycatel), a mobile virtual network that operates in UK and other countries, appear to have suffered a breach of their customer billing system, and credit / debit card information is actively being used to attempt card fraud.

If you have ever paid for Lyca Mobile services using a credit card or debit card, I recommend urgently cancelling the card.

My experience of an attempted payment card fraud

In May 2023 I created a Revolut virtual card to pay for a new pay-as-you-go SIM from Lyca Mobile. I used the SIM for a project for a couple of months, then cancelled the monthly payment to Lyca Mobile and (as a precaution) manually “froze” the card in the Revolut app.

Today ([2024-06-14 Fri]) at 09:29 I got a notification on my mobile phone from the Revolut app:

Card frozen

Your card is frozen. Tap to unfreeze it now, before you try making the payment again.

This concerned me, as I hadn’t tried to make a payment recently.

I tap the notification, it takes me to a screen showing all activity on the aforementioned Revolut virtual card. There are three transactions in total – two from around May 2023 to Lyca Mobile, and one declined transaction from a few minutes prior to the notification, from the fraudster:

  Motorcycle Parts Warehouse -- £0
  Today, 09:18 -- Card is frozen

Still in the Revolut app, I opted to “terminate” the card, then attempted to report the fraudulent attempt, but Revolut don’t have an option to report fraud on declined transactions. I told Revolut’s help chat about this shortcoming, but received no advice beyond the steps I had already taken.

I did a quick web search and found several posts of others having a similar card fraud experience with Lyca Mobile since at least [2024-05-16 Thu]:

Questions or comments can be sent to [email protected]