900,000 customers affected by Virgin Media data breach

Virgin Media data leak – an unprotected marketing database to blame

The "data incident" is said to be caused by an incorrectly configured database

Virgin Media, one of the largest internet and TV cable provider in the UK, has announced a data breach which affected over 900,000 of its customers, which represents 15% of the customer base. According to the notice published on Thursday,^[1] the incident occurred due to “an incorrectly configured database,” which was accessed without permission at least on one occasion.

According to Virgin, no financial information, passwords, login names, or other sensitive details were stored in the compromised database, although plenty of personal customer data was present, including name, phone number, home address, support information, support ticket information, etc. In a “very small number” of cases, Virgin Media reported that births of dates were also affected.

Upon discovery, Virgin Media shut down the affected database, contacted relevant authorities (Information Commissioner's Office, the UK's data protection body), and started a forensic investigation. The affected customers were also contacted by the company via email or other methods.

Virgin Media is a huge telecommunication company providing phone, television, and internet services in the United Kingdom and Ireland. In 2018, the company's net revenue reached 5.15 billion British pounds (approx. $6.7 billion).^[2]

Database was exposed online from at least April last year

Virgin Media immediately started to inform the customers via email, and, according to that information, the database was exposed online for almost a year.

The email reads as follows:^[3]

Hello,

We are very sorry to have to inform you that we recently became aware that some of your personal information, stored on one of our databases has been accessed without permission. Our investigation is ongoing but we currently understand that the database was accessible from at least 19 April 2019 and that the information has been recently accessed.

Virgin Media discovered the unprotected database on February 28, 2020, and the investigation is currently ongoing. While it is unknown who accessed the marketing database and whether the information was used, the CEO of Virgin Media Lutz Schüler said that the company currently does “not know the extent of the access.”^[4]

In other words, because the database was exposed for ten months, it is possible that unauthorized access occurred on multiple occasions. But we will know later, most likely.

The unforeseen consequences of a data breach: phishing attacks

Virgin Media previously had backlash from people who are concerned about the safety of personal information and the security of other customers. Many security advocates were unhappy about the company's password policy, claiming that the rules prompted users to create weak passwords. In return, Virgin said that the password policy is adequate and meets all the requirements.^[5]

Fast forward to over a year later, and Virgin Media suffers a data breach that it calls merely a “data incident,” and it was not a hack nor a cyberattack. In the meantime, many people disagree with such statement:

So if they gained access to a database but it wasn't a hack, that was because you intentionally gave them access then? You're not making things any better for yourselves here.

Indeed, a multi-million telecommunications company should be capable of protecting users' personal information, although the issue is also prevalent across other companies – Wyze,^[6] NextMotion, Kars4Kids, and others, made a similar mistake. Additionally, around the same time when Virgin Media announce the incident, T-Mobile also said that it experienced a data breach, but this time it affected customer financial data.

Those affected should watch out for phishing campaigns, and should never provide personal information via the phone or email.