Virgin Media Breach ‘Disclosed Sensitive Data’

More than 1,000 of the Virgin Media customer records involved in a recently disclosed data breach included information linking the users to highly sensitive online content, the company has acknowledged.

The breach, made public last week, involved a Virgin Media marketing database on 900,000 people that was left unsecured online for 10 months.

The database included users’ names, addresses, emails and contract details, but did not expose financial details or login credentials.

However, the security researchers who initially brought the breach to light said the database also included the details of customers who asked for particular websites to be blocked or unblocked via an online form.

Sensitive data

In some cases, the details involve users wishing to bar access to pornographic websites or to mainstream sites such as YouTube or the BBC.

But other requests involve users asking for certain websites to be unblocked, including pornographic sites, gambling sites or some presenting extremely violent material.

The exposed records show the site being blocked or unblocked and link it to customers’ names and contact details, researchers said.

They warned the sensitive data could be used by attackers in extortion attempts.

Virgin Media said the information had been accessed “at least” once by an unknown party during the period in which it was left exposed online.

TurgenSec, the computer security firm that discovered the data had been exposed, said it was “disingenuous” of Virgin Media to claim that the breach had only involved “limited contact information”.

It pointed out that aside from the blocking and unblocking requests, other data including mobile device identification numbers and customer information related to the Bafta film awards competition was in the database.

‘Systematic failure’

“Despite the reassurance they issued that ‘protecting our customers’ data is a top priority’ we found no indication that this was the case,” TurgenSec said.

“There seems to be a systematic assurance process failure in how they monitor the secure configuration of their systems.”

Virgin Media said it was contacting those affected directly and would provide specific security advice to those customers, as well as launching an online service that would allow customers to check whether they were affected.

Virgin Media, owned by US cable group Liberty Global, said there was no evidence the data had been used to extort people.

“A small subset of these 1,100 customers requested this action for gambling sites and those containing adult content,” Virgin Media said.

“In our initial notification to customers about this incident, we made it clear that any information provided to us via a web form was potentially included in the database.”

The company added it had informed the Information Commissioner’s Office (ICO) of the incident.

The ICO said it was investigating the breach.

“People have the right to expect that organisations will handle their personal information securely and responsibly,” the ICO said. “When that doesn’t happen, we advise people who may have been affected by data breaches to be vigilant when checking their financial records.”

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
