Virgin Media, one of the UK's biggest ISPs, on Thursday admitted it accidentally spilled 900,000 of its subscribers' personal information onto the internet via a poorly secured database.
The cableco said it "incorrectly configured" a storage system so that at least one miscreant was able to access it and potentially siphon off customer records. The now-secured marketing database – containing names, home and email addresses, and phone numbers, and some dates of birth, plus other info – had been left open since mid-April 2019.
Crucially, the information "was accessed on at least one occasion but we do not know the extent of the access," Virgin Media's CEO Lutz Schüler said in a statement this evening. Said access, we speculate, could have been from an automated bot scanning the internet, or someone prowling around looking for open gear; at this stage, we don't know.
EE, Virgin Media hit with £13.3m fine: Squeezing users for fees for early contract termination not OKREAD MORE
In a separate email to subscribers, shared with El Reg by dozens of readers, the telco expanded: "The database was used to manage information about our existing and potential customers in relation to some of our marketing activities. This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth."
The storage box, we understand, not only contained Virgin Media broadband and fixed-line subscriber records – some 15 per cent of that total customer base – but also info on some cellular users. If a punter referred a friend to Virgin Media, that pal's details may be in the silo, too.
"Given the nature of the information involved, there is a risk you might be targeted for phishing attempts, fraud or nuisance marketing communications," customers were told.
Below is the letter in full to Virgin Media punters:
We are very sorry to have to inform you that we recently became aware that some of your personal information, stored on one of our databases has been accessed without permission. Our investigation is ongoing but we currently understand that the database was accessible from at least 19 April 2019 and that the information has been recently accessed.
To reassure you, the database did NOT include any of your passwords or financial details, such as bank account number or credit card information.
The database was used to manage information about our existing and potential customers in relation to some of our marketing activities. This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth. Please note that this is all of the types of information in the database, but not all of this information may have related to you.
We take our responsibility to protect your personal information seriously. We know what happened, why it happened and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation. We have also informed the Information Commissioner’s Office.
Given the nature of the information involved, there is a risk you might be targeted for phishing attempts, fraud or nuisance marketing communications. We understand that you will be concerned so we are writing to everybody affected to provide reassurance, guidance and support. We have put all of the latest information on our website, including some advice on how to stay safe online, such as:
* Advice from the Information Commissioner's Office on how you can avoid or report nuisance marketing calls, emails and texts
* How to be vigilant by not providing your personal information to anyone suspicious online, by phone, email or text. If you want more information, you can get it here
* How you can protect yourself from the risk of identity theft (which is when someone uses someone else’s personal information to obtain goods, services or money without permission) and other types of fraud. The Information Commissioner’s Office has information online here
Although no financial, banking details or account passwords were accessed, it is always a good idea to make sure that your passwords are strong and not easy to guess. There is some advice here on how to set a strong password.
If having read this email and visited our website you still have questions, you can contact us on 0800 052 2621, but please be aware our customer service advisors do not have any further information at this stage. Once again, we sincerely apologise for what has happened.
Lutz Schueler CEO, Virgin Media
If there is any good news to be had, it is that the database did not include any payment information nor passwords. As you can see above, Virgin Media said it has informed the UK's privacy watchdog, and brought in an outside investigator to look into the blunder. ®