Hackers have slurped biz comms customers' data from a database run by one of O2's largest UK partners.
In an email sent to its customers, the partner, Aerial Direct, said that an unauthorised third party had been able to access customer data on 26 February through an external backup database, which included personal information on both current and expired subscribers from the last six years.
The data accessed included personal information, such as names, dates of birth, business addresses, email addresses, phone numbers, and product information. The company said no passwords or financial information was taken.
"As soon as we became aware of this unauthorised access we shut down access to the system and launched a full investigation, with assistance from experts, to determine what happened and what information was affected. We immediately reported this matter to the Information Commissioner's Office and are actively working on fully exploring the details of how it happened."
The company said that it was unsure who was responsible for the hack or what their intentions were. It added that it has "sophisticated safeguards in place to protect customer information", and was "working to further enhance security by taking advice from relevant experts".
Based in Fareham, England, Aerial Direct is O2's largest direct business partner in the UK with more than 130,000 customers. The company provides IP telephony services and equipment, including mobile and fixed lines, as well as call, broadband, conferencing and hosting telecoms. In its most recent accounts, for FY2018, filed in May last year (PDF), it turned over £21.6m and chalked up earnings before interest, taxes, depreciation and amortization of £6.9m.
The company has set up a support website for customers affected by the breach, suggesting they change their passwords and advise their banks, building societies and credit card companies if they see any dodgy transactions on their statements.
The company did not reply to The Register's requests for further information on how it locked down that info. ®