British telecom provider Virgin Media experienced a data breach that allowed unauthorized access to highly personal information about hundreds of customers.
“We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorized access,” Lutz Schüler, CEO of Virgin Media, said in a statement. “We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed-line customers representing approximately 15% of that customer base. Protecting our customers’ data is a top priority and we sincerely apologize.”
Schüler went on to say that the database which was accessed did not include passwords or financial information such as credit card numbers or bank account numbers. However, it did contain names, addresses, email addresses, and phone numbers.
Virgin Media also confirmed that the database was accessed by unauthorized parties at least once. The company said it would contact affected customers and give them more information.
Virgin Media behaved “disingenuously”
The compromised data may not have included financial information, but it did include plenty of data that customers would have wanted to keep private. As reported by the BBC, the information included details on 1,100 customers who had requested specific websites to be blocked or unblocked, including sites dedicated to gambling, violence, and adult content.
This information could not only be embarrassing to customers but could also be used by cybercriminals to extort money, security experts warned.
The security firm that discovered the breach, TurgenSec, said in a statement that Virgin Media’s description of the breach as including only “limited contact information” was “understating the matter potentially to the point of being disingenuous.”
The researchers went on to recommend “that all customers affected by this breach immediately issue a GDPR request to Virgin Media to identify exactly what information has been breached, and what information the company continues to hold on them,” as “[t]he limited information issued by Virgin Media, in our opinion, does not adequately cover the extent of this.”
“It is upsetting to see that even in a post-GDPR world, companies are still not living up to the intended spirit of the law,” the firm said. “Companies like to downplay the impacts whilst upselling their supposed care and due diligence in an attempt to place shareholder value over their customer’s rights.”