Cyber Incident Victim: Sure

On or around July 29, 2019, telecommunications provider Sure suffered a phishing attack resulting in unauthorized access to personal data belonging to nearly 400 individuals, including current and former employees as well as suppliers. The breach affected individuals across Guernsey, Jersey, and the Isle of Man. According to Tim Stonebridge, Sure's Chief Security Officer, the compromised data was "limited in nature" and did not involve any customer information. The incident stemmed from human error that enabled attackers to access a single employee email account. Sure's internal systems detected the unauthorized activity and automatically shut down the affected account, preventing broader system compromise. The company confirmed the attack was contained quickly and emphasized that its core infrastructure remained secure throughout the incident.

Sure initiated immediate response measures by notifying all affected individuals and providing them with specific guidance to enhance their vigilance. The company formally reported the breach to Data Protection Authorities in all three jurisdictions where impacted parties resided. Stonebridge publicly acknowledged that while the stolen data lacked sufficient standalone utility for malicious purposes, the risk warranted proactive warnings to potential victims. Sure issued an apology to those affected and reiterated its commitment to security, noting that employees receive regular cybersecurity training. The organization announced plans to incorporate lessons from this incident into future training programs to prevent similar human error-related breaches. No additional technical details about the phishing methodology, attacker identity, or specific data types exposed were disclosed in public statements.