Virgin Media, one of the UK’s largest internet and TV cable providers, has admitted that it left a database containing the unencrypted details of more than 900,000 UK residents – including existing and potential customers – freely accessible to anybody on the internet, with no password required.
Security researchers at TurgenSec informed Virgin Media of the security breach late last week, and noted that sensitive information exposed in the database included – but was not limited to – the following:
- Full names, addresses, dates of birth, phone numbers, and IP addresses
- Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses.
- IMEI numbers associated with stolen phones.
- Subscriptions to different aspects of Virgin Media services, including premium components.
Those affected included customers with Virgin cable television and telephone accounts, as well as those whose data has been collected as potential future customers.
Fortunately, no passwords and payment details were not exposed in the data breach. And yet, there are clear opportunities for fraudsters to use such details (perhaps via a phone call) to trick Virgin Media’s existing and potential customers into sharing more information about themselves.
Perhaps even worse, the fact that the database included details related to whether customers wanted to access porn, gambling, and gore-related (the mind boggles…) websites opens potential opportunities for embarrassment and extortion.
Virgin Media is contacting affected consumers to warn them about the security breach.
The database is thought to have been accessible since at least 19 April 2019, but was taken down by Virgin Media following the researchers’ outreach.
However, as an evidently annoyed TurgenSec described on its website, Virgin Media failed to acknowledge the researchers’ assistance:
We did not seek any remuneration as a result of responsibly disclosing their breaches, but did request attribution as the reporting party. We were informed our request would be taken to those handling the situation.
Virgin Media instead went straight to the media and we were contacted 15 minutes before the article publication in the FT asking for a statement. This felt like an ambush by Virgin Media who did not value our contribution.
Furthermore, in what appears to be a further attempt to control how the media presented the story, Virgin Media in its FAQ seems keen to impress on the world that it doesn’t consider the security breach to be a “cyber attack” or a “hack”.
“The incident did not occur due to a hack but as a result of the database being incorrectly configured.”
Unfortunately, what the company doesn’t seem to have realised is that what occurred can be considered worse than a cyber attack or a hack. It’s incompetence.
Virgin Media has informed the Information Commissioner’s Office (ICO), the UK’s data protection authority, about the incident.
Meanwhile, those impacted by the security breach would be wise to be on their guard against anyone requesting personal information or access to their financial details.