As if yesterday’s broadband outage wasn’t bad enough. UK ISP Virgin Media is now facing their second embarrassment of the week after last night revealing that the personal details belonging to 900,000 of their customers had been exposed by an “incorrectly configured” marketing database. Oh and somebody unknown accessed it.
The operator was quick to stress that the database, which has now been “shut down”, did NOT contain any passwords or financial details, although it did include customer names, home and email addresses and phone numbers. We should stress that this database also included details of “potential customers,” but they didn’t elaborate on what that means.
The more worrying development is that Virgin Media said this database had also been “accessed on at least one occasion” but they “do not know the extent of the access or if any information was actually used.” Great. Oh and the database is known to have been accessible since 19th April 2019, which we’re certain will go down well (the unauthorised access is merely said to have been more “recent”).
Virgin added that they’ve been keeping the Information Commissioner’s Office (ICO) “fully updated” since they became aware of the incident and “sincerely apologise” to all those affected.
Lutz Schüler, CEO of Virgin Media, said:
“We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed line customers representing approximately 15% of that customer base. Protecting our customers’ data is a top priority and we sincerely apologise.
The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home and email addresses and phone numbers. Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used.
We are now contacting those affected to inform them of what happened. We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party. Online security advice and help on a range of topics is available on our website.
We have kept the Information Commissioner’s Office fully updated since we became aware of this incident.”
Otherwise it seems likely, given the strict GDPR data protection laws, that the operator will now face a significant financial penalty for the breach, but this is probably not something we’ll learn about until the ICO concludes its investigation (which usually takes a few months).
A number of our readers were kind enough to forward a copy of the email that the operator has sent to them about the breach (only those impacted will receive this), which we’ll paste below.
VM’s Customer Email
Dear *************,
We are very sorry to have to inform you that we recently became aware that some of your personal information, stored on one of our databases, has been accessed without permission. Our investigation is ongoing but we currently understand that the database was accessible from at least 19 April 2019 and that the information has been recently accessed.
To reassure you, the database did NOT include any of your passwords or financial details, such as bank account number or credit card information.
The database was used to manage information about our existing and potential customers in relation to some of our marketing activities. This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth. Please note that this is all of the types of information in the database, but not all of this information may have related to you.
We take our responsibility to protect your personal information seriously. We know what happened, why it happened and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation. We have also informed the Information Commissioner’s Office.
Given the nature of the information involved, there is a risk you might be targeted for phishing attempts, fraud or nuisance marketing communications. We understand that you will be concerned so we are writing to everybody affected to provide reassurance, guidance and support. We have put all of the latest information on our website https://www.virginmedia.com/help/data-incident, including some advice on how to stay safe online, such as:
• Advice from the Information Commissioner’s Office on how you can avoid or report nuisance marketing calls, emails and texts (https://ico.org.uk/)
• How to be vigilant by not providing your personal information to anyone suspicious online, by phone, email or text. If you want more information, you can get it here https://www.getsafeonline.org/protecting-yourself/spam-and-scam-email/
• How you can protect yourself from the risk of identity theft (which is when someone uses someone else’s personal information to obtain goods, services or money without permission) and other types of fraud. The Information Commissioner’s Office has information online here https://ico.org.uk/your-data-matters/identity-theft/
Although no financial, banking details or account passwords were accessed, it is always a good idea to make sure that your passwords are strong and not easy to guess. There is some advice here on how to set a strong password https://www.virginmedia.com/help/how-to-create-a-strong-password.
If having read this email and visited our website you still have questions, you can contact us on 0800 052 2621, but please be aware our customer service advisors do not have any further information at this stage.
Once again, we sincerely apologise for what has happened.
Lutz Schueler
CEO, Virgin Media
UPDATE 4:29pm
Internet security researchers at TurgenSec, which claims to have found the database, said that it contained more intimate details than revealed by Virgin Media and have accused the ISP of effectively being dishonest with their customers.
We cannot speak for the intentions of their communications team but stating to their customers that there was only a breach of “limited contact information” is from our perspective understating the matter potentially to the point of being disingenuous. We do not know if the people writing the statement knew all the facts when writing this statement, but here is what we know.
Would customers consider the following to be an accurate description of “limited contact information”:
— Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.
— Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses.
— IMEI numbers associated with stolen phones.
— Subscriptions to the different aspects of their services, including premium components.
— The device type owned by the user, where relevant.
— The “Referrer” header taken seemingly from a user’s browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.
— Form submissions by users from their website.
We would recommend that all customers affected by this breach immediately issue a GDPR request to Virgin Media to identify exactly what information has been breached, and what information the company continues to hold on them. The limited information issued by Virgin Media, in our opinion, does not adequately cover the extent of this.
…
This wasn’t only due to a simple error made by a member of staff “incorrectly configuring” a database, as has been stated. There seems to be a systematic assurance process failure in how they monitor the secure configuration of their systems. All information was in plaintext and unencrypted – which means anyone browsing the internet could clearly view and potentially download all of this data without needing any specialised equipment, tools, or hacking techniques. Anyone with a web-browser could access it.
In response, Virgin Media has confirmed that details of 1,000+ customers in the database did include some extra information on those who had used an online form to ask for a website to be blocked or unblocked. It’s not been a good day for VM.
Virgin’s response to this is just to throw some links at their customers and let them figure it out in order to protect themselves/deal with the marketing calls. Good job!
I can’t be the only one thinking with suspicion that Virgin Media may have done this on purpose. To sell the information to third party companies or some maybe data gathering perhaps?
Very doubtful, the risk of a massive fine from the ICO (likely more than mitigating any financial gain from the somewhat limited data), and the fact that such things rarely go undiscovered for long, would seem to put paid to that idea.
Fair enough Mark. To me it seemed strange thinking about it how they didn’t pick up on leaving personal details vulnerable like that for almost a year.
Alas they wouldn’t be the first to make such a basic mistake, especially if the database was held on a third-party cloud platform where such things often occur (not sure if that’s the case here).
Mark when are you going to update the Top 10 UK ISPs By Subscriber Size 🙂 Noticed it’s not changed for a while.
What a ludicrous company VM is. If not, one of the worst companies in this country to deal with. Companies should be forced to pay, protect and insure people after losing their data. I would be consulting my MP if I was one of those people. We should always make sure we opt-out of any sort of marketing when dealing with a company. Marketing should really be opt-in but the percentile of people that would not opt-in shows how pointless, annoying and predatory marketing is. Stay smart, stay protected. Your privacy and security is important, even to the ‘nothing to hide’ people.
I am going to take legal action against VM for dishonesty with their customers and mine data protection act. Not bloody happy with VM.
According to reports on various newspaper web sites today it seems that the database concerned was one that carried data relating to those customers who specifically requested access to porn sites …
Yea I read that too and not happy about it as when I was with Virgin (Left last July) after first setup I turned off all filtering as I’m the sole user so didn’t really need parental controls so could find myself unwittingly marked in said database as wanting porn which was not the case.
This database is far more than a marketing database as even ISP review has said in an update on this page. Virgin Media are being very disingenuous in what they have said themselves and Virgin have a hell of a lot to answer for for a breach of this kind which was caused by stupidity.
This is a serious data breach under GDPR as it included Date Of Birth facilitating scamming, hacking and identity theft so they should come down on them very very hard.
I regularly use a false DoB on general sites that request it. Unfortunately for Insurance, Banking, HMRC etc we have no choice.
GDPR states that personal data should be encrypted at rest and only those with special privileges should be able to extract data and that should be tightly controlled. To access my last employer I had a Secure ID and that ceased the moment I left. This is basic stuff.
Surely this level of incompetence as well as the actual seriousness of the information, essentially Virgin Media flat out lying should result in charges of criminal negligence against the individuals responsible.
It’s one thing to secure stuff badly. To have highly confidential information unencrypted open to the Internet with no attempt to secure it is another.
At a minimum if I did something this stupid I would immediately lose my job.
I have never accessed porn sites and I am one of the affected customers. Been inundated by phishing emails and phone calls for months – now I know why!
I’ve sent them a few messages on twitter as I’m affected and they say no compensation is due as no financial details or passwords were disclosed.
However my name, address, email, date of birth, telephone number, alternative number and IP address have been. I’m not impressed, especially getting emails from someone from a dating site that looks like I’ve sent it, as one replied telling me to f off. I’ve kept this as proof as it’s not acceptable, especially just telling me to send it to their phishing email address – just stonewalled and ignorance.
Where do we go to file for compensation as it’s against data protection and GDPR and the affected must be notified as soon as possible, not 10 months later?
https://www.virginmedia.com/shop/GDPR-for-non-customers I’ve used the email address under “get in touch” as I’m a former customer, but it might work if you’re a current customer too.
Let me know how you get on, I’m hoping to get a reply soon. Fingers crossed.
Remember how the UK wanted everyone to sign up for porn at their local store?
Now we have people being blackmailed for alleged porn habits because an ISP got hacked.
Any compo for customers, or is it just ok for this sort of thing to happen on VM watch.
Virgin media showing their true colours here. Exactly why none of us should go near them and why we shouldn’t count their network towards coverage targets.
I urge everyone to make a formal COMPLAINT to VM and ask for financial compensation. Kick them where it hurts and keep kicking.
Now Canadian operator Rogers joins UK’s Virgin Media on the naughty step …
https://www.bleepingcomputer.com/news/security/rogers-data-breach-exposed-customer-info-in-unsecured-database/
Where do I find these Lawyers? I had a hack last December which was so bad I had to completely change my actual PC. It blew my passwords on Amazon, eBay and PayPal and I had to change all p/words. Nobody from Virgin Media contacted me at any time and I am a customer of some 15yrs standing with Broadband, TV service, Home and mobile phone !!