Virgin Media announced today that the personal information of roughly 900,000 of its customers (yes that includes me) was accessed without permission on at least one occasion because of a misconfigured and unsecured marketing database from one of Virgin Media companies.
With Virgin Media, a leading cable operator in the U.K. and Ireland, and it delivered 14.6 million broadband, video, and fixed-line telephony services to approximately 6.0 million cable customers, as well as mobile services to 3.3 million subscribers at the end of December 2019, according to the company’s preliminary Q4 2019 results.
Database exposed for almost a year
According to the ongoing investigation, Virgin Media discovered on 28th February 2020, that the exposed database was accessible from at least 19th April 2019, and it was recently accessed by an unauthorized party at least once although Virgin Media doesn’t know “the extent of the access or if any information was actually used.”
Lutz Schüler, CEO of Virgin Media, said in a press release that the company “immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed-line customers representing approximately 15% of that customer base.”
“The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home, and email addresses and phone numbers,” he added via the press release
We are now contacting those affected to inform them of what happened. We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party. – Lutz Schüler, CEO of Virgin Media
Exposed customer information
The database was used to store and manage information on existing and potential Virgin Media customers and it included:
• contact details (such as name, home and email addresses, and phone numbers)
• technical and product information
• customers’ dates of birth (in a very small number of cases)
“Please note that this is all of the types of information in the database, but not all of this information may have related to every customer,” Virgin Media says.
The company also says that the unsecured database was not used to store customer passwords or financial details, like bank account numbers or credit card information.
Virgin Media advises customers who think that they might have been victims of identity theft to reach out to their bank or credit card company to inform them of any out of ordinary transactions or applications made in their name without their knowledge.
Customers were also warned over e-mail that they might be targeted by phishing attacks, fraud, or nuisance marketing communications.
For me, this is not good enough for a company to store this type of information with no database security.