Incident of the Week: Virgin Media Exposes Data of 900,000 People

British telephone, TV and internet provider Virgin Media (VM) startled its 900,000 clients by informing them its platform had been breached sometime between April 2019 and February 2020. The company stressed that the database, which has now been “shut down“, did not contain passwords or financial details, although it did include customer names, home and email addresses and phone numbers.

The company attributed the hacking to a member of staff who had “incorrectly configured” the database, and promised it's building a specific online service which will allow individuals to find out if they have been affected by the breach, and what information could have been visible.

See Related: Security Researcher Uncovers 440 Million Records From Estée Lauder

Meanwhile, Group Action Lawyers is taking on a growing number of people affected by the VM data breach, eager for compensation.

How Virgin Media Handled Its Data

Virgin Media blithely said its database had been “accessed on at least one occasion”, but they “do not know the extent of the access or if any information was actually used”. In other words, if a security researcher at TurgenSec had not alerted the company, this breach, too, may have gone unnoticed.
Further, according to TurgenSec, it is highly likely that more personal details than those revealed by VM were compromised.

“There seems to be a systematic assurance process failure,” the cybersecurity firm reported, “in how they monitor the secure configuration of their systems. All information was in plaintext and unencrypted - which means anyone browsing the internet could clearly view and potentially download all of this data without needing any specialized equipment, tools, or hacking techniques.”

See Related: The Cost Of An Enterprise Ransomware Attack

Biggest Issue: Poor Security is No Security

Hackers had at least ten weeks to crack Virgin Media’s database given that it was accessible from “at least” April 19th 2019, as VM’s operator informed the company’s clients.

To compound the issue, VM’s lack of honesty and forthrightness rankled many clients. The main problem with Virgin Media seems to be that it underestimated the vulnerability of its data. It took VM ten months to detect and patch the flaw that, had it followed best practices to secure its data, the company would less likely have been affected. That’s a situation the Information Commissioner's Office (ICO) will now investigate.

If found guilty, VM will have to fork out up to £17,3MI (U$19,95). This is not going to be a lesson the company is likely to forget.

Steps for Prevention

The strongest protection against data security breaches is practicing robust security hygiene. You will want to implement a “security culture”, where you make your staff aware of data security risks and how they can prevent these.

Controls include shielding your applications and databases with account privileges and permissions and strong multi-factor authentication rules. That is especially crucial for those systems that hold sensitive data, particularly if your company stores information of millions of people. Further, you will want to carry out regular security reviews of these systems and implement some procedures for control monitoring and alerts.

In contrast to VM, it is wise to encrypt your data as well as to make it unreadable to anyone who accesses the database without permission.

Finally, if a security breach does occur, it is vital you provide honest and thorough information on what occurred.
Poor security results in devastation. There is no company that is immune to hacking.

Next: Defense Electronics Manufacturer CPI Succumbs To Ransomware Demands