Law Firm Claims Virgin Media Data Breach Victims Due £5k Each
Cable TV and broadband ISP Virgin Media UK appears to be facing the prospect of a “group litigation” (class action) lawsuit from Your Laywers, which claims that the operator’s failure to protect the personal details belonging to 900,000 of their customers could result in each being able to claim £5,000 (c.£4.5bn total).
At the start of last month Virgin Media revealed that the personal details belonging to 900,000 of their customers had been exposed by an “incorrectly configured” marketing database (here), which had apparently been “accessed on at least one occasion” but they didn’t know by whom or if any information had actually been used (the database is understood to have been accessible since 19th April 2019).
Initially the operator announced that the database itself had contained the names, home addresses, email and phone numbers of both customers and potential customers alike, but NOT passwords or financial details. But it later transpired, via internet security firm TurgenSec, that the database also contained a lot of other data for some customers (e.g. IP addresses, requests to block or unblock various pornographic sites etc.).
All of this information was in plaintext and unencrypted, which effectively meant that anyone browsing the internet could clearly view and potentially download all of it without needing any specialised equipment, tools, or hacking techniques. “Anyone with a web-browser could access it,” claimed TurgenSec after discovering the database. Virgin promptly closed the database and notified affected customers soon after becoming aware.
Queue the Lawyers
At present the Information Commissioner’s Office (ICO) is already known to be conducting an investigation, but in an unusual twist we’ve now learnt that law firm Your Laywers is collecting interest from those affected by the breach and appears set to launch a group action against Virgin Media.
“If you’ve been notified by Virgin Media that your data was exposed during the breach incident, then you could be entitled to claim thousands of pounds in compensation,” says the firm (up to £5,000 per customer is one suggested figure). As you might expect this is one of those “no win, no fee” style firms, which will of course have a vested interest in making such things look as financially attractive as possible.
Over the past couple of years a new wave of group litigation under UK data protection legislation has cropped up (we’ve seen cases started against data breaches at British Airways, Morrisons etc.), which have potentially placed additional liabilities upon businesses; as if the possibly huge fines under GDPR weren’t worry enough.
According to the ICO, damages for breach of data protection legislation may be “material” (e.g. financial losses) or “non-material” (e.g. distress) and indeed previous cases have shown that damages may be awarded for a “loss of control” over personal data, even in the absence of pecuniary loss or distress.
In this case it appears as if Your Laywers intend to claim compensation for both financial and emotional distress, although it’s unclear how they’ve arrived at the £5,000 figure suggested in one article. Normally you’d have to prove this (e.g. a start would be to show that somebody had actually abused the data) but, as above, damages could conceivably still be awarded for just a “loss of control” over the data itself.
Aman Johal, Director at Your Lawyers, said:
“Your Lawyers has formally notified Virgin Media that we are taking action and our claimant base is growing daily. We urge anyone affected by the breach to make a claim as soon as possible.
Virgin Media failed to take the steps required to keep customer data safe and it is vital for the company to understand the severity of this breach.
There’s simply no excuse. This was an avoidable event, and we must hold Virgin Media to account.”
One key challenge here is that the case law around claims for the loss of control of data is still evolving and we have yet to see how any court will give effect to that in practice. Meanwhile the idea that Virgin Media could end up paying out billions of pounds does seem a touch unrealistic as few businesses could realistically survive such an outcome, especially when no financial details were exposed.
As for that Morrisons case, the claim for compensation against them recently hit a problem after a ruling found that the company is not vicariously liable for the acts of the employee. Each case is different and a court will probably still need to see some demonstration of harm. If any money were to be awarded, such as for loss of control over the data, then we suspect it would be for a far more modest figure than £5k.
Telecoms Lawyer, Neil Brown of decoded.legal, told ISPreview.co.uk:
“Unless there is some particularly unusual circumstance, it seems unlikely to me that a court would give £5,000 to someone simply because they were involved in a breach, without some actual demonstration of some kind of harm. While a court might make an award for loss of control of personal data, I’d have thought it would be far more modest.”
Naturally Virgin Media has not commented, as is standard practice where lawsuits are concerned.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and Linkedin.
« Three UK Launch “Supercharged” PAYG with £20 Unlimited Data
Vodafone UK Make 200Mbps Entry Level for Gigafast Broadband »
Latest UK ISP News
- FTTP (5513)
- BT (3514)
- Politics (2535)
- Openreach (2297)
- Business (2261)
- Building Digital UK (2243)
- FTTC (2043)
- Mobile Broadband (1972)
- Statistics (1788)
- 4G (1663)
- Virgin Media (1619)
- Ofcom Regulation (1460)
- Fibre Optic (1394)
- Wireless Internet (1389)
- FTTH (1381)
Seems legit.
I guess lockdown prevents chasing of ambulances.
And that PPI gravy train is running out!
There is absolutely no excuse for plain text data of this type under any circumstances. Unforgivable.
But if this data was accessed once and no harm has been found then the ICO should deal with it not claims lawyers. This is everything thats wrong with the dysfunctional system sadly…
Thanks for those responses Virgin Media.
If you have nothing useful to say jog on and leave this to the adults….
Distress alone is sufficient harm to claim compensation, at least while EU law still applies. This was established by the Court of Appeal in the case of Google v. Vidal-Hall.
The ICO won’t force them to pay compensation to individuals, it must be claimed. Although £250 is a more realistic amount for the courts to award for distress alone and it doesn’t need a claims lawyer involved, there is plenty of free advice online about sending a letter before action and if necessary filling a claim in the small claims court.
VM must be rubbing their hands with glee right now from the prospect of offsetting those fines and costs for better security on everyone’s bills for the next few years. .
Realistically speaking, on that idea alone, they’d actually be far more concerned about losing customers by having to make their services more expensive than planned, and thus less competitive, in what is a very aggressively competitive market.
Raising prices generally doesn’t result it more customers, but less. Operator’s aren’t stupid, they know there’s a fine balancing act between the need for profit and managing your costs. The COVID-19 impact will also make people more budget conscious and protective of the money they have, Virgin know that too.
More likely we all end up no win but end up fee!
11. What Happens if you Lose
You do not have to pay any of the basic charges or success fee.
You do have to pay:
Your opponent’s legal charges and disbursements.
Your disbursements.
Not if the lawyer takes out insurance to cover the no win and a lot do.
I doubt Virgin will contact anyone anyway, even if there was a breach! It means they will be admitting liability which they will not do for the reason of this suing culture.
I’m actually more annoyed that they keep putting prices up on us existing loyal customers and then giving away Internet to new customers. It’s disgusting!
They already contacted those listed in the database and went public with the problem, which is actually required by the new data protection law.
I totally agree with you. It annoys me too. They are always giving all the best deals & new TiVo boxes or fast Broad band speeds to new customers. The price of my subscription goes up but the service goes down. When areVirgin Media going to think about their Loyal Customers? Their Bread & butter money every month given to new customers. I would consider making a claim about the loss of privacy. 5K would be very nice. Thank you.
To be fair ,Virgin Media did confirm their breach in an email to me.
I had an email from them last month.
This is exactly why, after 24 years of loyal cable service, I have finally decided to defect. They wanted £61.50 per month after my last £53 per month year “deal” expired. The lowest they could go to after I put the wheels in motion was £49 per month. Sky offered all-in for £37/month for 18 months plus a £100 credit on initial bills. Haven’t had the TV fitted yet due to COVID19, but so far just found the phone line’s not always so clear, but then I now get 24/7 calls included, and to all mobiles. You win and lose I guess, but could no longer really justify the higher prices.
It certainly seems like new customers are all that matters these days sadly.
Indeed, they texted me, even though I left them last August.
How do I know if I’ve been effected!?
You would have had a email off virgin media stating so
Hey Mark,
I may have missed the details in article but when did the breach occurred? I was questioned by the police for misuse of my IP address and was not even aware of it.
https://www.ispreview.co.uk/index.php/2020/03/data-breach-at-isp-virgin-media-exposes-900000-uk-customers.html
No wonder Bransons after a government bailout now.
Virgin Media is not owned by Richard Brandon, he sold it in 2013, Liberty Global has owned it since.
They said no passwords were held on the database yet I have received a raft of emails from scammers stating they know my Internet password and the one they quote – is my Virgin Media password! A coincidence, I think not!
The no passwords claim was supported by the independent security firm that found the database. I’d suggest you may have another problem and might want to try this site:
https://haveibeenpwned.com/
Do I claim individually or do the law firm claim for me? I have the email so what do I do now?
What is the email address please?
I had a scam text stating my mobile contract is about to be cancelled. I called my provider & they knew nothing about this,stated it’s a scam and delete it. I only called because I couldn’t remember my password to log in directly from the text, just as well really. I am not a VM customer but made a price enquiry from a door to door sales man. He took all of my details but I cancelled within 14 days. I also had the email from VM, do they obviously stored my details. Is this a GDPR issue? I have never had scam texts before
£5k sounds about right for the potential impact and distress to the end user. If anyone has had to deal with identify theft, they will know that £5k would only be the start.
More companies should get real penalties for being negligent with consumer data. In this case I hope the lawers get their way
I would suggest everyone to read the T&Cs of “Your Lawyers” before enlisting to join this class action lawsuit.
I have contacted YourLawyers about the section in their agreement that states that, should they lose, we are liable to pay the fees of VM in court. I’ve asked what exactly this entails and if I get a reply, I’ll mention it here. However, it’s something that is seriously dangerous for me as a single mother with no income to rely on.
However, I agree with the lawsuit. We have more than enough technology to ensure encryption happens on any data, to find out that an entire customer base of information was sitting on open text data and for god knows how long is a serious breach not only of trust but of competence too. I’d left Virgin media for their constant price rises every year and refusal to even consider moving me to a cheaper package, now I find out they were waving my personal data around like a shining beacon for anyone interested in using it. They can bite the dust for all I care.
There are no excuses for failing to at least password protect access to the database, although it’s worth nothing that there are good reasons why the actual content of a database may be left unencrypted (excluding passwords, financial details etc. that should always be encrypted).
This is because it makes, for example, correcting and diagnosing system problems at admin level (i.e. when all else has failed)), as well as development work and enabling different systems to talk with each another, extremely difficult (sometimes even impossible) because not even they can see what’s in the database.
This is partly why most software only encrypts the most sensitive part of the database, since to encrypt it all, even the less sensitive stuff, may be counter-productive. Instead you shift overall encryption and security to a higher level, the access level, rather than the content level.
Hi, did you get a response to your email enquiry please? as I am also interested in that particular section.
I had the email, but I was recommended to go with pure legal limited and their “claim your data breach”. Seems really good so far, just signed all documents and was told it could be settled within a few months.
were you told if pure legal lose the claim you will have to pay some legal cost’s ?
Small Claims Court: How much does it cost?
https://www.qredible.co.uk/b/small-claims-court-costs/