Virgin Media has revealed that one of its databases, containing the personal details of 900,000 people, was left unsecured and accessible online for 10 months.
The company discovered the issue last weekend when it found that one of its databases had not been configured properly.
It is one of the largest data breaches by a UK company in recent years due to the number of customers at risk. Virgin Media stressed that the issue was triggered by a staff member not following the correct procedures and was not a cyber attack.
The marketing database has, however, been accessed by at least one person outside the company and was left open from April last year until last week.
Lutz Schüler, chief executive of Virgin Media, said:
“We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access.”
“Protecting our customers’ data is a top priority and we sincerely apologise.”
“Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used.”
The data breach affects around 15 per cent of its fixed-line customer base, although some Virgin Mobile customers were also included. Even non-Virgin Media customers could be affected, as the database contained details derived from “refer a friend” promotions.
The information in the database did not include passwords or financial details but did include names, email addresses, phone numbers and details of customers’ contracts with the company. The information would be highly valuable to fraudsters, who could use those details to directly contact customers, possibly posing as Virgin Media staff, and con them into handing over more sensitive information.
The vulnerability of the customer data was first discovered by TurgenSec as part of a sweep of databases. It reported the issue to the ICO and said in a statement that Virgin Media reacted “swiftly” after being alerted. Virgin Media said it secured the database immediately and informed the ICO, but opted not to alert customers immediately.
The company said it would have made an immediate statement if the data had been financial or required customers to change their passwords but opted to fully investigate the depth of the issue with an outside company before alerting customers.
Virgin Media sent the following email to affected users late Thursday evening: