Virgin Media, a telephone, TV and internet service provider in the UK, has publicly apologized after a database containing the personal details of 900,000 customers was left unsecured for over 10 months due to improper configuration and was accessed without permission.
Virgin Media first learned of the exposed database after TurgenSec, a cyber security firm located in the UK, informed the media giant that a database was publicly accessible without proper password protection. The database, which was used for marketing purposes, included details like customer names, home addresses, email addresses, phone numbers, and in some cases dates of birth. It did not include passwords or financial information. The information was accessible from April 2019 until February 28, 2020.
However, the Financial Times recently learned that the database also included more than 1,100 records of customer requests to block or unblock specific websites, mostly for gambling sites and other adult-related content. This sensitive information puts customers at risk of extortion attempts.
The firm has since shut down access to the database, but Lutz Schüler, chief executive of Virgin Media, confirmed that the database had been accessed at least once without permission, adding, "we do not know the extent of the access or if any information was actually used." Those customers affected by this data breach have been notified by Virgin Media via email in an attempt to warn them about the potential risks of phishing, nuisance phone calls, and identity theft. For more details on the data breach, visit Virgin Media's Data Breach Notification webpage.
The breach has also been reported to the Information Commissioner's Office, the UK's data protection watchdog, which has since announced it is "making inquiries" after being informed of the incident by Virgin Media. The company has also launched its own forensic investigation into the incident.
This particular breach was not caused by a hack or any criminal attack - it was the result of improper configurations by employees not following the correct procedures. This is particularly embarrassing for a globally recognized technology organization with over 20 million customers that relied on an outside security firm to notify them of their security pitfalls. This breach proves that Virgin Media operated with systematic failures in how they monitor the secure configuration of their systems and as a result, the firm could be fined due to the failures in securing the customer database.
Unsecured databases are the low-hanging fruit of the internet and pose a significant threat to organizations worldwide. To combat this threat, organizations must embrace system hardening and vulnerability management. New vulnerabilities are spotted every single day. As such, organizations must refresh systems' compliance with hardened configuration guidance regularly and often. Trusted guidance like the CIS Benchmarks can be used to establish a secure configuration posture across your IT infrastructure.
NNT recently partnered with the Center for Internet Security (CIS) to host a webinar on a particularly important security control, CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers. Watch the webinar on demand to learn more about secure configuration guidance and CIS Control 5.