Virgin Media, which is owned by US cable group Liberty Global, has admitted that a database containing 900,000 people’s details was left unsecured and accessible online for 10 months.
On at least one occasion, at least one unknown user has had access to the phone numbers, home addresses and email addresses stored on the database for marketing purposes.
Lutz Schüler, chief executive of Virgin Media, said: “We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access.”
“Protecting our customers’ data is a top priority and we sincerely apologise,” he said.
This breach was “…due to a staff member failing to follow the correct procedures and failing to configure the database correctly as a result, and was not due to a criminal attack”, according to another Virgin Media spokesperson.
The breach was discovered by a security researcher at TurgenSec who alerted Virgin Media on Friday 28th February 2020.
Virgin Media stated that almost all of those affected were Virgin customers with fixed-line telephone or television accounts, but the database also included mobile customers and potential customers referred by friends as part of a promotion.
Mr Schüler said, “Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion, but we do not know the extent of the access or if any information was actually used.”
Virgin Media said, in order to warn those affected about the risks of phishing, nuisance calls and identity theft, it would be emailing them on Thursday, reminding them not to click on unknown links in emails and not to provide personal details to unverified callers. Further information would be available on its website, it said.
The fact that Virgin Media’s database hasn’t been actively hacked is reassuring for customers, but while the details are light, it sounds like human error is to blame and that is rather embarrassing for a tech firm.
Ten months is a long time for all that data to have just been sitting there, waiting to be found.
And while no passwords or bank details were among it, there’s an awful lot of contact information for a cyber-criminal to work with. Phishing expeditions – when someone tries to get financial information out of a victim by pretending to be a company with a legitimate reason for contact – are not particularly sophisticated, but they are effective for those caught off-guard, and can be a lucrative source of income.
It’s unclear whether this was yet another case of unsecured data being stored on a cloud service that’s easily searchable if you know how. There have been dozens of examples of this lately, including just this week a database of the personal details of people using train station wi-fi around the UK.
Virgin Media has apologised and really, there’s very little practical advice to offer in the light of this kind of breach, beyond the usual protocol of staying alert to any messages requesting personal information or access to any kind of finance.