ANDREW COWIE/AFP via Getty Images
show image

Virgin Media breach: unprotected database was stored in the cloud, telco confirms

Virgin Media revealed last night (5 March) that the misconfiguration of a marketing database had led to around 900,000 customers’ contact details being breached.

Now, a spokesperson for the telecoms giant has confirmed to NS Tech that, as many security pros suspected, the data had been stored in a cloud-based server.

The incident makes the firm just the latest in a long line of businesses to have leaked customers’ contact details after failing to properly protect a cloud database.

The data, which was left in the unprotected database for ten months, included the names, home and email addresses and phone numbers of customers and potential customers. It was accessed by an unauthorised individual “at least” once over that period, according to the company, which said the extent of the access was unknown.

Security experts have warned that while the data does not include financial information, if it is sold on to scammers, it could be used in phishing attacks. “Coupled up with Virgin’s broadband outage in the week, this could be a particularly good target for malicious actors to prey on,” said Jake Moore, a security specialist at ESET.

A number of similar breaches have involved misconfigured Amazon Web Services S3 buckets in recent months and the company has said that, if it could, it would go back in time and redesign its security setup. Virgin refused to disclose the name of its cloud provider, citing security concerns.

Marco Essomba, founder of iCyber-Security, said he suspected the misconfiguration was related to “inadequate access control or authentication permission”. “It’s amazing how many of these flaws you can find if you dig on the internet using automated tools,” he told NS Tech. “This owes to the perception that cloud infrastructures are secure by default, which is simply not true. Access control for cloud storage systems are often left on default settings and completely forgotten once deployed in production.”

Virgin Media said it had informed the Information Commissioner’s Office. Ryan Dunleavy, head of media disputes at the law firm Stewarts, said “fines can be eye-wateringly high under the GDPR, even for an incident which doesn’t involve passwords or financial details of consumers”.

He added: “Virgin could be facing a fine of multiples of millions of pounds. This is an opportunity for the ICO to put down another benchmark in terms of the value of fine for a breach of this nature in the UK.”

Virgin Media’s chief executive, Lutz Schüler, said: “We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed line customers representing approximately 15% of that customer base. Protecting our customers’ data is a top priority and we sincerely apologise.”