Data Breach

Virgin Media breach exposed data of 900,000 customers

Database has been accessed by at least one person from outside the company.

Virgin Media has revealed that one of its databases, containing the personal details of 900,000 people, was left unsecured and accessible online for 10 months.

The company discovered the issue last weekend when it found that one of its databases had not been configured properly.

It is one of the largest data breaches by a UK company in recent years due to the number of customers at risk. Virgin Media stressed that the issue was triggered by a staff member not following the correct procedures and was not a cyber attack.

The marketing database has, however, been accessed by at least one person outside the company and was left open from April last year until last week.

Lutz Schüler, chief executive of Virgin Media, said:

“We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access.”

“Protecting our customers’ data is a top priority and we sincerely apologise.”

“Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used.”

The data breach affects around 15 per cent of its fixed line customer base although some Virgin Mobile customers were also included. Even non-Virgin Media customers could be affected as the database contained details derived from “refer a friend” promotions.

The information in the database did not include passwords or financial details but did include names, email addresses, phone numbers and details of their contract with the company. The information would be highly valuable to fraudsters who could use those details to directly contact customers, possibly posing as Virgin Media staff, and con them into handing over more sensitive information.

The vulnerability of the customer data was first discovered by TurgenSec as part of a sweep of databases. It reported the issue to the ICO and said in a statement that Virgin Media reacted “swiftly” after being alerted. Virgin Media said it secured the database immediately and informed the ICO, but opted not to alert customers immediately.

The company said it would have made an immediate statement if the data had been financial or required customers to change their passwords but opted to fully investigate the depth of the issue with an outside company before alerting customers.

Virgin Media sent the following email to affected users late Thursday evening:

Dear (name)

We are very sorry to have to inform you that we recently became aware that some of your personal information, stored on one of our databases, has been accessed without permission. Our investigation is ongoing but we currently understand that the database was accessible from at least 19 April 2019 and that the information has been recently accessed.

To reassure you, the database did NOT include any of your passwords or financial details, such as bank account number or credit card information.

The database was used to manage information about our existing and potential customers in relation to some of our marketing activities. This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth. Please note that this is all of the types of information in the database, but not all of this information may have related to you.

We take our responsibility to protect your personal information seriously. We know what happened, why it happened and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation. We have also informed the Information Commissioner’s Office.

Given the nature of the information involved, there is a risk you might be targeted for phishing attempts, fraud or nuisance marketing communications. We understand that you will be concerned so we are writing to everybody affected to provide reassurance, guidance and support. We have put all of the latest information on our website https://www.virginmedia.com/help/data-incident, including some advice on how to stay safe online, such as:

  • Advice from the Information Commissioner’s Office on how you can avoid or report nuisance marketing calls, emails and texts (https://ico.org.uk/)
  • How to be vigilant by not providing your personal information to anyone suspicious online, by phone, email or text. If you want more information, you can get it here https://www.getsafeonline.org/protecting-yourself/spam-and-scam-email/
  • How you can protect yourself from the risk of identity theft (which is when someone uses someone else’s personal information to obtain goods, services or money without permission) and other types of fraud. The Information Commissioner’s Office has information online here https://ico.org.uk/your-data-matters/identity-theft/

Although no financial, banking details or account passwords were accessed, it is always a good idea to make sure that your passwords are strong and not easy to guess. There is some advice here on how to set a strong password https://www.virginmedia.com/help/how-to-create-a-strong-password.

If having read this email and visited our website you still have questions, you can contact us on 0800 052 2621, but please be aware our customer service advisors do not have any further information at this stage.

Lutz Schueler
CEO, Virgin Media