A Virgin Media server left facing the public internet contained more than just 900,000 people's "limited contact information" as the Brit cable giant's CEO put it yesterday.
In fact, the marketing database also contained some subscribers' requests to block or unblock access to X-rated and gambling websites, unique ID numbers of stolen cellphones, and records of whichever site they were visiting before arriving at the Virgin Media website.
This is according to British infosec shop Turgensec, which discovered the poorly secured Virgin Media info silo and privately reported it to the broadband-and-TV-and-phone provider. The research team today said the data spill was more extensive, and more personal, than Virgin Media's official disclosure seemed to suggest.
Here, in full, is what Turgensec said it found in the data cache that was exposed from mid-April to this month:
* Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.
* Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses. IMEI numbers associated with stolen phones.
* Subscriptions to the different aspects of their services, including premium components.
* The device type owned by the user, where relevant.
* The “Referrer” header taken seemingly from a user's browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.
* Form submissions by users from their website.
Those website block and unblock requests were a result of Britain's ruling class pressuring ISPs to implement filters to prevent kids viewing adult-only material via their parents' home internet connections. The filters were also supposed to stop Brits from seeing any particularly nasty unlawful content.
Virgin Media today stressed the database held about a thousand subscribers' filter request inquiries.
The leaky server has since been hidden from view. Virgin Media's CEO Lutz Schüler said last night: "Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used."
He added: "The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home and email addresses and phone numbers."
Double meanings and fluff
In a separate email to its subscribers this week, Virgin Media tried to reassure its punters that the only records accessible from the marketing database were "contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website."
As it turns out, the words "technical and product information" were doing an awful lot of heavy lifting. Turgensec's strategically worded statement stops short of accusing Virgin Media of outright lying, but it is still rather damning.
"We cannot speak for the intentions of [Virgin Media's] communications team but stating to their customers that there was only a breach of 'limited contact information' is from our perspective understating the matter potentially to the point of being disingenuous," the infosec house said on Friday.
Turgensec also quibbled with the ISP's attempt to blame the security blunder on IT workers “incorrectly configuring” an internet-facing database. Rather, the database – which was filled with unencrypted plain-text records – was a sign of "systematic assurance process failure," Turgensec said.
The security biz is also peeved with the way Virgin Media disclosed the gaffe. Turgensec didn't ask for any financial reward for finding the database but, as is traditional, it did expect a public hat tip for its efforts so as to get some industry recognition. Instead, Virgin Media went straight to the press without thanking the people who saved its bacon.
Turgensec urged all Virgin Media customers who received a notice from the broadband provider to file a GDPR subject access request for a full breakdown of what data of theirs was spilled. With 900,000 people affected, that could tie up the ISP's legal team for a while.
"Companies like to downplay the impacts whilst upselling their supposed care and due diligence in an attempt to place shareholder value over their customer's rights. Their customers have a right to ensure their data is protected 'by design' which in many cases it isn't," Turgensec lamented.
"It would seem highly unlikely to us that in this case, after being left open for 10 months, the data has not been obtained by multiple actors some potentially malicious."
Virgin Media, meanwhile, rejected the allegation it held back on important details.
"Out of the approximate 900,000 people affected by this database incident, 1,100, or 0.1 per cent, had information included relating to our 'Report a Site' form," a spokesperson told The Register.
"This form is used by customers to request a particular website to be blocked or unblocked – it does not provide information as to what, if anything, was viewed and does not relate to any browsing history information.
"We strongly refute any claim that we have acted in a disingenuous way. In our initial notification to all affected people about this incident we made it clear that any information provided to us via a webform was potentially included in the database."
Virgin Media added it is developing a tool to allow customers to search exactly what of their account information was exposed.