Virgin Media has confirmed a system configuration error in one of its marketing databases allowed an unauthorised third-party to gain access to the personal information of 900,000 people.
The consumer broadband provider has denied that the system was hacked or that it had fallen victim to a cyber attack of any kind, confirming instead that access was made possible by an incorrectly configured database.
The offending database was shut down as soon as the issue came to light, but it is understood the error may have been present for up to 10 months before it was detected.
During that time it had been accessed on at least one occasion, the company confirmed, but it is too early to say whether the information has been used or the extent to which it was accessed.
“We take our responsibility to protect your personal information seriously. We know what happened, why it happened, and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation,” the company said in a statement on its website.
The company also went on to confirm that the Information Commissioner’s Office (ICO) has been made aware of the incident.
The information in question belongs to individuals described by Virgin Media as a mix of existing and prospective customers, but the company moved to assure those involved that no passwords or financial information about them would have been accessible via the affected database.
“The database… did contain limited contact information such as names, home and email addresses and phone numbers,” said Virgin Media CEO Lutz Schüler, in a statement.
“We are now contacting those affected to inform them of what happened. We urge people to remain cautious before clicking on any unknown link or giving any details to an unverified or unknown party.”
Jonathan Compton, a partner at London-based law firm DMH Stallard, said the company can expect to receive a sizeable fine as a result of the incident, given the number of people affected and how long the misconfigured system was live.
“One of the key principles of the 1998 [Data Protection] Act and the more recent EU-based Data Protection Act 2018 is the obligation on data handlers to keep that data secured. The Virgin Media database was accessed at least once and the company is not able to tell the identity of the user concerned,” said Compton.
“The maximum under the 1998 Act for data transgressions during the period that the act was in force was £500,000. Under the new act, the penalties rise to €20m or 4% of global turnover, whichever is the greater.
“Fines towards the maximum of the applicable act are likely. This was a serious breach, over a long period, affecting nearly one million people. The situation is aggravated by the fact that this was not the result of a hack, but the result of negligence,” he added.
Ernest Doku, telecoms market watcher at comparison site Uswitch.com, said – despite the firm’s assurances – customers will be “rightly concerned” to know their personal dataset has been unsecured and accessible for so long.
“Ten months is a long time for information useful to scammers, like phone numbers and email addresses, to be left available online,” said Doku.
“While it’s fortunate that only one ‘unknown user’ accessed the information in that time, it only takes one person to sell that information to cyber criminals.”