Virgin Media admits breach exposed 900,000 customers’ personal information

The personal information of 900,000 Virgin Media customers was left exposed online for 10 months, enabling a third party to access the data, it has emerged.

The company said the breach did not happen due to a hack but occurred because its database was incorrectly configured, allowing unauthorised access. 

The information in the database did not include passwords or financial details but did contain names, email addresses, phone numbers and details of customers’ contracts with the service.

Virgin Media is blaming the error on the negligence of a staff member who did not follow correct procedures. 

The information was accessible from April 2019 until February 28, 2020.


Virgin Media CEO Lutz Schuler said the company recently became aware of the issue and immediately shut down access to the affected database.  

Speaking at a media conference in London, Schuler said: ‘There is no evidence that the data taken has been used in the wrong way.

‘We want to avoid any panic. 

‘We all have enough on our plate with coronavirus at the moment but we have to be open about it,’ said Schuler, who said he would apologise to customers for the breach. 

The company, which is conducting an ongoing investigation, said it believes the database was accessed at least once but does not know the extent of the access or if any information was used. 

‘Protecting our customers’ data is a top priority and we sincerely apologise,’ it said.  

‘We are now contacting those affected to inform them of what happened.’ 

Virgin is now urging its customers to remain cautious before ‘clicking on an unknown link or giving any details to an unverified or unknown party’.   

The Financial Times reported that this breach affects about 15 percent of Virgin Media’s paying customers, including some with Virgin Mobile.

Data belonging to people who were not customers may also have been included, having been collected through ‘refer a friend’ promotions.

Virgin Media is Britain’s second-largest broadband company and owned by billionaire John Malone’s Liberty Global, according to The Financial Times.

The exposure of the customer data was first discovered by information security provider TurgenSec, as reported by the FT and confirmed to MailOnline by the company.

‘The breach was discovered by TurgenSec as part of a routine sweep of databases,’ a spokesperson at TurgenSec told MailOnline.

‘Despite reassurance issued that “protecting our customers’ data is a top priority” we found no indication that this was the case. 

‘This wasn’t only due to a simple error made by a member of staff “incorrectly configuring” a database, as has been stated. 

TurgenSec added that the information was stored in plaintext and unencrypted, meaning anyone with a web browser could view and potentially download all of the data without needing any specialised equipment or hacking techniques.

‘It is regrettable that the company is shifting blame to a member of their staff, when they should have had a mature DevSecOps methodology that routinely looks for, identifies and mitigates these errors before customers’ data is exposed.’
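The ‘routine sweep of databases’ TurgenSec describes, and the automated check it says Virgin Media should have had, can be illustrated with a small offline model of such a sweep. The following is an added example written for this page, not TurgenSec’s or Virgin Media’s code. It assumes, which the article does not say, that the exposed store answered plain HTTP, that the sweep works from an inventory of host:port targets, and that a non-empty JSON document returned to an anonymous client counts as exposed. The hostnames, ports and response bodies are constructed, not captured traffic.

```python
"""Offline model of a routine sweep for internet-facing databases that answer
without authentication. Added example; not TurgenSec's or Virgin Media's code.
Assumptions (not stated in the article): the exposed store spoke HTTP, the sweep
runs over a list of host:port targets, and a non-empty JSON document handed to an
anonymous client counts as exposed."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Probe:
    """What one unauthenticated HTTP GET against a target returned."""
    status: int
    headers: Dict[str, str]
    body: bytes


@dataclass
class Finding:
    target: str
    verdict: str   # "exposed", "protected", "unreachable" or "other"
    detail: str    # human-readable reason; never includes record contents


def _header(p: Probe, name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in p.headers.items() if k.lower() == name), "")


def classify(p: Optional[Probe]) -> Tuple[str, str]:
    """Decide what an unauthenticated probe response tells us about a target.

    A store that demands credentials (401/403/407) is doing its job; one that
    hands a non-empty JSON document to an anonymous client is exposed.
    Everything else is recorded but not flagged.
    """
    if p is None:
        return "unreachable", "no HTTP answer"
    if p.status in (401, 407) or _header(p, "www-authenticate"):
        return "protected", "HTTP %d with an authentication challenge" % p.status
    if p.status == 403:
        return "protected", "HTTP 403 forbidden"
    ctype = _header(p, "content-type").lower()
    if p.status == 200 and "json" in ctype:
        try:
            doc = json.loads(p.body)
        except ValueError:
            return "other", "HTTP 200 with a JSON content-type but an unparsable body"
        if isinstance(doc, (dict, list)) and len(doc) > 0:
            # Report the shape of the data, not the data itself, so the sweep's
            # own logs do not become a second copy of the exposed records.
            return "exposed", "anonymous read returned a JSON document with %d top-level entries" % len(doc)
    return "other", "HTTP %d, content-type %s" % (p.status, ctype or "unknown")


def sweep(targets: List[str], fetch: Callable[[str], Optional[Probe]]) -> List[Finding]:
    """Run classify() over every target. fetch is injected so the same sweep can
    be pointed at a real HTTP client or, as here, at canned responses."""
    return [Finding(t, *classify(fetch(t))) for t in targets]


def exposed_targets(findings: List[Finding]) -> List[str]:
    """The targets an operator must act on: anonymous read of real data."""
    return sorted(f.target for f in findings if f.verdict == "exposed")


# --- Constructed sample responses (invented hosts, ports and bodies) ---------
SAMPLE_RESPONSES: Dict[str, Optional[Probe]] = {
    "db-marketing.example.internal:8080": Probe(
        200, {"Content-Type": "application/json"},
        json.dumps([{"name": "A. Example", "email": "a@example.com"},
                    {"name": "B. Example", "email": "b@example.com"}]).encode()),
    "db-billing.example.internal:8080": Probe(
        401, {"WWW-Authenticate": 'Basic realm="db"'}, b"Unauthorized"),
    "db-archive.example.internal:8080": None,          # host did not answer
    "www.example.internal:443": Probe(
        200, {"Content-Type": "text/html"}, b"<html><body>login</body></html>"),
    "db-empty.example.internal:8081": Probe(
        200, {"Content-Type": "application/json"}, b"{}"),
}


def canned_fetch(target: str) -> Optional[Probe]:
    """Stand-in for a real HTTP client; returns the constructed response."""
    return SAMPLE_RESPONSES.get(target)


if __name__ == "__main__":
    results = sweep(sorted(SAMPLE_RESPONSES), canned_fetch)
    for f in results:
        print("%-38s %-12s %s" % (f.target, f.verdict, f.detail))
    print("exposed:", exposed_targets(results))
```

A real fetch would issue a GET with a short timeout and a cap on bytes read, and the finding records only the shape of the response. The sweep must not pull the exposed records into its own logs, or the check itself becomes a second leak; it also only finds what is in the target inventory, so the inventory has to be generated from the environment rather than maintained by hand.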


With almost one million customers affected, the breach is deemed one of the largest by a UK firm in recent years.

‘This data breach has exposed the data of almost a million Virgin Media customers and whilst no financial details or passwords were included, those customers are likely to be worried,’ said Adam French, Which? consumer rights expert.

‘It is vital that Virgin Media continues to provide clear information on what has happened. 

‘For anyone concerned they could be affected, it’s good practice to update your password after a data breach. 

‘Also, be wary of emails regarding the breach, as scammers may try and take advantage of it.’

Virgin Media spent Thursday morning apologising to customers for an outage, which it fixed later in the afternoon

Virgin said that online security advice and help on a range of topics is available to customers on its website.  

It says it has contacted all the affected individuals with advice on what to do next.   

Virgin Media customers were also hit by a separate problem earlier on Thursday, when many of them were left without internet.

Customer reports of broadband problems surged overnight before reaching a high of around 4,300 by 11am, according to independent outage monitor website Downdetector.

Home and business users alike were affected by the outage, which appears to have hit Southampton and the surrounding area particularly badly.

The network operator scrambled to investigate the cause of the dropout and said it fixed the issue at around 4pm on Thursday.

VIRGIN MEDIA’S STATEMENT ON THE DATA BREACH 

‘We recently became aware that some personal information stored on one of our databases has been accessed without permission. Our investigation is ongoing and we have contacted affected customers and the Information Commissioner’s Office.

The database was used to manage information about our existing and potential customers in relation to some of our marketing activities. This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth. Please note that this is all of the types of information in the database, but not all of this information may have related to every customer.

To reassure you, the database did NOT include any passwords or financial details, such as bank account number or credit card information.

We take our responsibility to protect personal information seriously. We know what happened, why it happened and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation.’