With the prevalence of data incidents these days, it’s no longer much of a shock when a company is hit, the latest being Virgin Media in the UK. Perhaps what’s head-turning in this case is the fact that seemingly conflicting statements have emerged, and here Insurance Business gives you the lowdown.
Stressing that the company didn’t fall victim to a cyberattack, Virgin Media stated: “Certain sources are referring to this as a data breach. The precise situation is that information stored on one of our databases has been accessed without permission. The incident did not occur due to a hack but as a result of the database being incorrectly configured.
“We take our responsibility to protect your personal information seriously. We know what happened, why it happened, and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation. We have also informed the Information Commissioner’s Office.”
According to Virgin Media, the database in question did not contain passwords or financial details such as bank account numbers or credit card information.
However, cybersecurity firm TurgenSec – the reporting party in this case, or the firm which notified Virgin Media of the ‘breach’ – seems to suggest that the incident is worse than it is being presented.
“We cannot speak for the intentions of their communications team but stating to their customers that there was only a breach of ‘limited contact information’ is, from our perspective, understating the matter potentially to the point of being disingenuous,” asserted TurgenSec. “We do not know if the people writing the statement knew all the facts when writing this statement, but here is what we know.”
On its website, TurgenSec noted: “Would customers consider the following to be an accurate description of ‘limited contact information’: full names, addresses, date of birth, phone numbers, alternative contact phone numbers, and IP addresses – corresponding to both customers and ‘friends’ referred to the service by customers; requests to block or unblock various pornographic, gore-related, and gambling websites, corresponding to full names and addresses…
“…IMEI numbers associated with stolen phones; subscriptions to the different aspects of their services, including premium components; the device type owned by the user, where relevant; the ‘Referrer’ header taken seemingly from a user’s browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media; form submissions by users from their website.”
In fact, the company is urging all affected individuals – which, according to TurgenSec, totals 900,000 people in the UK – to issue a GDPR (General Data Protection Regulation) request to Virgin Media to identify exactly what data has been compromised.
“The limited information issued by Virgin Media, in our opinion, does not adequately cover the extent of this,” it added.
TurgenSec also went on to highlight the supposed shortcomings as far as Virgin Media’s systems are concerned.
“Despite the reassurance they issued that ‘protecting our customers’ data is a top priority’, we found no indication that this was the case,” claimed the IT company. “This wasn’t only due to a simple error made by a member of staff ‘incorrectly configuring’ a database, as has been stated.
“There seems to be a systematic assurance process failure in how they monitor the secure configuration of their systems. All information was in plaintext and unencrypted – which means anyone browsing the internet could clearly view and potentially download all of this data without needing any specialised equipment, tools, or hacking techniques.”
Meanwhile Virgin Media said it has contacted all affected customers with the advice on what to do next. It’s unclear whether the firm would be liable to compensate due to the incident.
