Virgin Media admits data breach affecting 900,000 people

Liberty Global-owned Virgin Media has admitted that a database continuing personal details of 900,000 people was left unsecured and accessible on the web for a period of 10 months, opening the company up to the possibility of a large fine.

The marketing database held addresses, email addresses and phone numbers, but not financial or bank details.

The company admitted it was negligent in leaving the database open, saying it had been wrongly configured by a member of staff who had failed to follow correct procedures.

The databse was mostly of virgin TV and phone customers, but also include some mobile customers and potential customers who had been referred by existing customers.

“We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed line customers representing approximately 15% of that customer base.  Protecting our customers’ data is a top priority and we sincerely apologise,” said CEO Lutz Schüler.

“The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home and email addresses and phone numbers. Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used.”

Schüler said that the company was contacting affected people and urged them to remain cautious before clicking on unknown links sent to them in potential phishing attacks. He said that Virgin media had dept the Information Commissioner’s Office updated since it become aware of the incident.

Virgin Media has admitted that the database was accessed at least once by an unidentified party.

The breach could leave the company open to sanctions including a large fine.

“It is important to note that this was not a case of a secure database being hacked. No, this was an ‘error by a member of staff not following correct procedures’,” said Jonathan Compton is a partner at city law firm DMH Stallard.

Virgin Media is required under the Acts to report itself to the ICO and I understand that it has done so. The company can expect a large fine.”

Compton said that the maximum fine under the 1998 Act for data transgressions during the period that that Act was in force was £500,000. Under the new Act, however the penalties rise to €20 million or 4% of global turnover, whichever is the greater.

“Fines towards the maximum of the applicable Act are likely. This was a serious breach, over a long period, affecting nearly one million people. The situation is aggravated by the fact that this was not the result of a hack but the result of negligence,” he said.

Read Next