The personal information of around 900,000 Virgin Media customers was accessible on an insecure server for several months, the company admitted on Friday.
As The Guardian reports, a marketing database had been left insecure since April 2019, meaning the names, home addresses, email addresses, and phone numbers of 900,000 users were vulnerable. At least one person outside of the company is known to have accessed the information.
The database also listed information about some Virgin Media customers’ devices and, according to the cybersecurity company that discovered the breach, TurgenSec, “requests to block or unblock various pornographic, gore-related and websites, corresponding to full names and addresses.” That claim is linked to Virgin Media’s Report a Site form and only relates to 1,100 customers listed in the database.
While neither financial details nor passwords were stored in the database, the available data could be used to carry out phishing attacks or phone scams. Details of non-Virgin Media customers are also thought to have been available. Virgin Media confirmed the database included potential customers who had been referred to the company by friends through a promotion.
TurgenSec believes the situation is being understated “potentially to the point of being disingenuous.” Speaking to the BBC, the company said that “the information was in plain text and unencrypted, which meant anyone browsing the internet could clearly view and potentially download all of this data without needing any specialized equipment, tools, or hacking techniques.”
In a statement, Virgin Media said that its investigation is ongoing, adding: “We take our responsibility to protect personal information seriously. We know what happened, why it happened and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation.”
Virgin Media says it’s building a specific online service which will allow individuals to find out if they have been affected by the breach, and what information could have been visible. The company has also informed the Information Commissioner’s Office (ICO), a regulatory body in the UK that deals with data protection, of the breach. A spokesperson for the ICO told the BBC an investigation is underway.