On the same day yesterday, when the US-based telecom giant T-Mobile admitted a data breach, the UK-based telecommunication provider Virgin Media announced that it has also suffered a data leak incident exposing the personal information of roughly 900,000 customers.
Unlike the T-Mobile data breach that involved a sophisticated cyber attack, Virgin Media said the incident was neither a cyber attack nor the company’s database was hacked.
Rather the personal details of around 900,000 Virgin Media UK-based customers were exposed after one of its marketing databases was left unsecured on the Internet and accessible to anyone without requiring any authentication.
“The precise situation is that information stored on one of our databases has been accessed without permission. The incident did not occur due to a hack, but as a result of the database being incorrectly configured,” the company said in a note published on its website on Thursday night.
According to the notification, Virgin Media said the exposed database was accidentally left unsecured on the Internet from April 19, 2019—that’s almost a year—and was recently accessed by an unauthorized party at least once.
What type of information was accessed?
The exposed database stored the information (listed below) on both customers and potential customers, including “fixed-line customers representing approximately 15% of that customer base,” said Virgin Media CEO Lutz Schüler.
- customer names,
- home addresses,
- email addresses,
- phone numbers,
- technical and product information, which includes any requests people may have made using forms on the company’s website, and
- dates of birth ‘in a very small number of cases.’
“Please note that this is all of the types of information in the database, but not all of this information may have related to every customer,” Virgin Media said.
The company assured its customers that the misconfigured marketing database did not include affected customers’ account passwords or financial information such as credit cards or bank account numbers.
However, Schüler said the company doesn’t know “the extent of the access or if any information was actually used.”
Who Discovered the Data Leak?
The unguarded database was first discovered online by researchers at TurgenSec, who then responsibly reported it to the Virgin Media’s security team as per the National Cyber Security Centre (NCSC) cybersecurity guidelines.
Though the Virgin Media has surprisingly not publicly acknowledged TurgenSec’s findings, the researchers confirmed The Hacker News that the leaked data includes at least 2,324,498 records concerning 900,000 people.
“We cannot speak for the intentions of their communications team but stating to their customers that there was only a breach of “limited contact information” is from our perspective understating the matter potentially to the point of being disingenuous,” TurgenSec said in a statement.
According to TurgenSec team, the leaked data also includes affected users’:
- IP addresses,
- Requests to block or unblock various pornographic, gore and gambling websites, corresponding to full names and addresses,
- IMEI numbers associated with their stolen phones,
- Subscriptions to the different aspects of their services, including premium components,
- Device type owned by the user,
- The “referrer” header collected from the browsers, exposing which previous site users had visited before accessing Virgin Media.
What is Virgin Media now doing?
The company said the unauthorized access to the database has been shut down immediately following the discovery and that it launched a full independent forensic investigation to determine the extent of the breach incident.
The company is also contacting affected customers of security failure and has already notified the Information Commissioner’s Office.
What affected customers should do now?
Affected customers should be suspicious of phishing emails, which are usually the next step of cybercriminals with such data in hands to trick users into giving away further details like their passwords and banking information.
“We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party. Online security advice and help on a range of topics are available on our website,” Virgin Media said.
Though the compromised data doesn’t include any banking or financial data, it is always a good idea to be vigilant and keep a close eye on your bank and payment card statements and report any unusual activity to your respective bank.
For more information regarding the security incident, Virgin Media customers can visit the company’s website or call their customer service line on 0345 454 1111.