Law Firm Starts Legal Action Over Virgin Media UK Data Breach

A consumer action law firm, Your Lawyers, has today announced that they’ve launched a Group Action Claim against broadband ISP Virgin Media UK, which gives the provider “four weeks to admit liability” for a recent data breach that exposed the personal details belonging to 900,000 of their customers.

Back in March 2020 the operator revealed that an “incorrectly configured” marketing database had exposed personal customer details to the public (here), which had apparently been “accessed on at least one occasion” but they didn’t know by whom or if any information had actually been used.

Initially the operator announced that the database itself had contained the names, home addresses, email and phone numbers of both customers and potential customers alike, but NOT passwords or financial details. But it later transpired, via internet security firm TurgenSec, that the database also contained a lot of other data for some customers (e.g. IP addresses, requests to block or unblock various pornographic sites etc.).

All of this information was stored in plaintext and unencrypted, which effectively meant that anyone browsing the internet could potentially view and download all of it without needing any specialised equipment, tools, or hacking techniques, provided they knew where to look. Virgin Media promptly closed the database and notified affected customers soon after becoming aware.

At around the same time Your Laywers began collecting interest from those affected by the breach, which was done with a view to launching a group action against Virgin Media. The law firm has today kicked off its Group Action Claim against the operator, which gives them four weeks to admit liability for the breach.

What’s happens next?

If they do not admit liability then Your Lawyers intends to file an application for a Group Litigation Order (GLO) in order to formalise the action and seek justice for those affected. Recent GLOs have included the British Airways data breach, Hillsborough Victims and VW Diesel Emissions.

Your Lawyers claims to represent almost 2,000 Claimants in the case, having received thousands of enquiries, and they will no doubt be aiming to attract more with today’s move. The law firm claims that each “victim of the breach” could be eligible for up to £5,000 compensation for “financial and emotional distress suffered“, which in theory could leave Virgin Media with a total compensation bill of up to £4.5bn (massively more than the cost of their c.£3bn Project Lighting network expansion).

Aman Johal, Director of Your Lawyers, said:

“Our Group Action Claim against Virgin Media is now live and I encourage anyone affected to sign up for representation now.

Unbelievably, Virgin Media failed to take the necessary steps to keep people’s data safe for a sustained period of time, and, shockingly, it took a third-party security researcher to identify the issue.

We know from experience that, when personal data is exposed online, it leaves victims vulnerable to cyberattacks and attempts at fraud, such as phishing scams. Customers will no doubt have bought into the Virgin Media brand that has been nurtured by Richard Branson for years and will rightly expect their personal data be properly protected. For this to have happened is an inexcusable breach of consumer rights.

Your Lawyers will hold Virgin Media to account for this avoidable breach of private information, and we will do everything possible to ensure justice for the victims prevails. The door is open for victims to join the action, and now is the time to act.”

As you might expect this is one of those “no win, no fee” style firms, which will of course have a vested interest in making such things look as financially attractive as possible. Over the past couple of years’ a new wave of group litigation under UK data protection legislation has cropped up, which has potentially placed additional liabilities upon businesses (as if the huge fines under GDPR weren’t worry enough).

According to the Information Commissioner’s Office (ICO), which is still probing VM’s breach, damages for breach of data protection legislation may be “material” (e.g. financial losses) or “non-material” (e.g. distress) and indeed previous cases have shown that damages may be awarded for a “loss of control” over personal data, even in the absence of pecuniary loss or distress.

In this case it appears as if Your Laywers intend to claim compensation for both financial and emotional distress, although that figure of £5,000 is very debatable. Normally you’d have to prove this (e.g. a start would be to show that somebody had actually abused the data) but, as above, damages could conceivably still be awarded for just a “loss of control” over the data itself.

However, case law around such claims – for the loss of control of data – is still evolving, although it seems unlikely to attract the sort of financial damages being talked above, especially as no financial details were exposed. Each case is different and a court will probably still need to see some demonstration of harm (that will be tricky).

We also recall seeing a roughly similar group action against Morrisons not so long ago, which hit a problem with its compensation demands after a ruling found that the company was not vicariously liable for the acts of the employee (we don’t yet know if this is an angle that VM will be able to argue). Meanwhile Virgin Media has declined to comment, which is normal where legal action is concerned.