The cable operator exposed the personal data of about 900,000 customers, or about 15% of the company’s fixed-line customer base.
Background: In the UK telecoms market, data breaches have occurred more than once in recent years. The TalkTalk data breach in November 2015 exposed the data of more than 150,000 customers, and made headlines in the press for several weeks. Three also suffered two similar incidents between 2016 and 2017.
A marketing database has been exposed: On 5 March 2020, Virgin Media discovered that a marketing database had been left unsecured for 10 months. This led to the personal data of about 900k customers being accessed on at least one occasion, the company said in a statement. This is around 15% of the firm’s fixed-line customer base. However, some Virgin Mobile customers were also included, and even non-Virgin Media customers could be affected, as the database included details from ‘refer-a-friend’ promotions. At present, it is not clear whether there have been further attempts to access the database, or how any information may have been used.
Financial data was not exposed, but customers still need to be alert: The breach was not the result of a cyber attack – Virgin Media states it was due to an employee not following the correct procedures. It exposed customers’ names, email addresses, phone numbers, and details of their contracts with Virgin Media. While the breach did not affect customers’ passwords or financial data, there is still a risk that the exposed data could be used maliciously, since bad actors may now be able to contact the affected individuals to obtain further information. The data breach was discovered by a third-party company, TurgenSec, as part of a sweep of databases. TurgenSec said it immediately alerted the data protection authority, the ICO, and that Virgin Media swiftly took action after the incident. Under the GDPR, Virgin Media could face a fine of up to the equivalent of €20m, or 4% of its total annual turnover – whichever is higher.