British telecommunications company Virgin Media recently became aware of a data breach. The breach allowed unauthorized access to the personal information of 900,000 of their customers. The data was stored in an incorrectly configured database. According to Virgin Media, the database was accessed at least once. Although the investigation is still ongoing, a statement released by the security researchers who initially discovered the data breach unveils concerning details.
Data Breach Affecting 900,000 Customers
Virgin Media said the customer data was stored on a marketing database they use to manage information about existing and potential customers in relation to some of their marketing activities.
The database included personal information such as people’s names, home addresses, emails, some dates of birth and phone numbers, as well as technical and product information. The database also included web-form-based customer requests.
Recently, Virgin Media became aware that data within their marketing database had been left exposed because the database had been misconfigured. The telecommunications company immediately contacted affected customers and the UK’s privacy watchdog. They also swiftly removed the database and have launched a full independent forensic investigation.
Concerning Details Emerge
Although no passwords or financial data were contained within the database, it is concerning that customers’ personal details had been left accessible for such a long period of time. In fact, the database was left exposed for almost 10 months, from April 2019 to February 28, 2020. During this time the data was accessed at least once.
Virgin Media acted promptly and insists that “limited contact information” had been accessed. However, cybersecurity researchers from the company that initially discovered the breach, TurgenSec, recently released a statement questioning this (page taken offline by source).
Firstly, the leaked data contained information that most people would consider to be far more than just “limited information”. For example, the data also included information about friends, alternative contact numbers, subscription information, a referrer header appearing to refer to the website the customer previously visited, and more. Secondly, all information was available in plaintext and unencrypted, which means that anyone could view and copy this data without needing any specialized tools.
The most likely consequence of this type of data breach for customers is an increase in spam emails and phishing attacks. Malicious third parties may send customers emails or messages designed to look as if they come from Virgin Media, or any other company. Normally, attackers would then try to trick customers into revealing personal information or to steal the person’s identity.
However, as some of the information Virgin Media holds on customers also included “requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses”, it is also possible to link some customers to gambling and pornographic sites.
TurgenSec’s security researchers recommend that all customers affected by the breach immediately issue a GDPR request to Virgin Media to determine exactly what information Virgin Media holds about them.
In response, Virgin Media said that “all individuals have been given details on how they can get in touch directly to address any queries, or for support and advice”.
The telecommunications company also stated that they are currently building a secure online tool that will allow any individual to find out if they are affected and what type of data relating to them was included in the database.