Virgin Media is having a bad old time of it.
It's just realised (read: been told) it left a database of 900,000 people's data – including phone numbers, email addresses and physical addresses – completely unsecured online for ten months.
Worse, the company knows that it's been accessed at least once by persons unknown. Awesome.
The database was apparently intended for marketing, and not only contained details from Virgin Media and Virgin Mobile customers but also some people who'd been referred by friends, meaning they weren't even with Virgin Media and still had their information leaked.
Virgin is of course trying to reassure people that there was no payment or password info included, which is true, but for some people – like those escaping abuse – having their physical address leaked is a bigger problem. It's easy enough to cancel a payment card, not so easy to move house.
The company says the database was used "on at least one occasion" by God-knows-who for God-knows-what. Chief Exec Lutz Schüler says:
"Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used."
"At least one occasion" seems intentionally phrased to make you think it was only once, but they don't seem to actually know. They also don't know how long the data was accessed for or how much of it was viewed or saved.
Virgin has been keen to point out that the info wasn't hacked; it was available because the database was "incorrectly configured" by someone who didn't follow company protocol. Honestly, that's not the reassurance they seem to think it is: "We didn't get robbed! We left the doors open ourselves!"
Well, did they at least spot the problem themselves after ten whole months? Nope. They were alerted by a security researcher from London-based TurgenSec. They have now told the Information Commissioner's Office (ICO) as they're obliged to do, and started an investigation.
"We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access.
Protecting our customers' data is a top priority and we sincerely apologise."
We'd argue that "shutting down access" doesn't "solve the issue" when the data has been available for the best part of a year. That's like saying "we left our doors open for ten months and don't know how much was stolen but the door's locked now so it's solved."
VM sent emails to affected people yesterday (Thursday the 5th of March), so if you didn't get one, you're probably OK. As ever, scammers and general gits will be keen to use the opportunity to phish people, so if you get emails saying "your data was in the breach, click here to fix it" or somesuch, be wary AF.
A bigger issue here is that Virgin Media has been known to have crappy security for a long time, and there have been many reports on social media by concerned parties over the years:
We take security seriously Luke, we find our password requirements to be adequate and secure :) ^JF
— Virgin Media (@virginmedia) June 13, 2017
Hi Slavo, thanks for your tweet. We do think our requirements are more than adequate but thanks for the feedback. ^JGS
— Virgin Media (@virginmedia) November 27, 2018
Hi Wes, thanks for your tweet. We do think our password requirements are more than adequate but thanks for the feedback, as we're always working hard to improve our service and offerings. ^JGS
— Virgin Media (@virginmedia) November 10, 2018
Not long after news of the leak broke, Virgin Media also suffered a swathe of outages:
— Kate Bevan (@katebevan) March 5, 2020
Task number one for today: find a new ISP. [BBC]