Privacy gaffe. Personal data of 900,000 Virgin Media customers was left on an unsecured marketing database for ten months, ISP admits
British Internet Service Provider (ISP) Virgin Media is at the centre of a data breach scare, after it admitted that it had stored the personal details of 900,000 customers in an unsecured database.
And to make matters worse, this ‘marketing database’ was accessed on one occasion by an unauthorised person.
The database did not contain passwords or financial information, but did contain contact information such as names, home and email addresses, as well as phone numbers.
This is an embarrassing gaffe for an ISP that prides itself on offering some of the highest broadband speeds in the UK. Last year, for example, Virgin Media trialled its “hyperfast multi-gigabit home broadband” in a sleepy village in the Cambridgeshire countryside.
That trial only involved eight homes in Papworth and those homes were able to achieve a staggering download speed of more than 8Gbps.
While speed is good, unfortunately it seems that data breach incidents are a growing issue for companies that store people’s data.
Virgin Media admitted the breach in a statement from its CEO, Lutz Schüler.
“We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access,” said Schüler. “We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed line customers representing approximately 15 percent of that customer base. Protecting our customers’ data is a top priority and we sincerely apologise.”
“The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home and email addresses and phone numbers,” said Schüler.
Schüler then admitted the data had been accessed by an unauthorised party.
“Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used,” said Schüler.
“We are now contacting those affected to inform them of what happened,” said Schüler. “We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party. Online security advice and help on a range of topics is available on our website.”
Schüler said that Virgin Media had kept the Information Commissioner’s Office fully updated since it became aware of this incident.
Security experts expressed frustration that big companies are still struggling to properly secure customer data.
“Leaving data insecure should seriously be a thing of the past, yet this just highlights that major companies are still unaware of exactly where their data is and how vulnerable it may be to cyber attacks,” said Jake Moore, cybersecurity specialist at ESET.
“Whilst no passwords or bank details were under any risk of compromise, this is still enough for a cyber criminal to take advantage of,” said Moore. “Usually, the next step for attackers will be to follow up with phishing emails enticing customers to divulge further information. Coupled up with Virgin’s broadband outage in the week, this could be a particularly good target for malicious actors to prey on.”
Another expert called on companies to adopt a more holistic mindset when trying to secure customer data.
“Despite repeated high profile cases of companies failing to secure their servers properly this is clearly still a widespread problem,” said Stuart Reed, VP cyber at Nominet. “While Virgin Media didn’t store any passwords in the database it did contain customer contact information which can still be used by criminals to aid their phishing campaigns.”
“What is troubling is that it is unknown how much, if any, information was accessed during the 10 months the database was exposed and that’s why holistic visibility is a key part of good cyber security hygiene,” said Reed.
“Everyone needs to approach cyber security with a holistic mindset, ensuring that you have multiple layers to your security which can provide visibility over your network,” said Reed. “Monitoring at the DNS level can also provide insights into where data is being exposed to the web and what might be leaving your network. On top of this, educating your employees on good cyber practice, including how to spot threats and problems could help avoid situations like this in the future.”
Another security expert said the breach at Virgin Media demonstrated why humans are struggling to manage data correctly, and argued that it is time for AI to take over.
“This serves as yet another reminder that organisations have lost track of where their data is and who can access their systems – humans can no longer manage digital complexity on their own and they will make mistakes,” said Andrew Tsonchev, director of technology at Darktrace.
“Organisations have to start automating defence – only AI can keep a constant eye on an organisation’s digital systems and, critically, fight back against hackers when they do manage to access personal data,” said Tsonchev.
“We may think the information here isn’t ‘sensitive’ but every bit of intel a hacker can get their hands on can be used to launch secondary attacks to target individuals or organisations,” said Tsonchev. “There will be a lot of guesswork involved now in working out how many times the data has been accessed, by who and most importantly, how it will be used.”
The dangers of this type of data being exposed were also flagged by Thorsten Geissel, director sales engineering at cyber security firm Tufin.
“This is the latest in a number of security incidents involving unsecured databases: although accidental, these are nonetheless damaging and are likely to become more prevalent,” said Geissel. “Network complexity in organisations of this size presents challenges. It only takes one small human error to make the whole environment vulnerable.”
“This incident once again underlines the importance of having consistent security measures and policies across the infrastructure,” said Geissel. “Organisations cannot afford routine changes to databases or other network components to be at the expense of security and must keep track of policies across their entire infrastructure – especially as more and more of them transition to the cloud.”