UK-based telecommunication provider Virgin Media has announced that it has suffered a data leak incident exposing the personal information of roughly 900,000 customers.

The company left a marketing database was left unsecured and accessed by an unknown party. The database was left insecure since 19th April 2019 meaning this could have been accessed numerous times by multiple people.

The revelation comes after researchers at TurgenSec discovered the insecure database and informed the company.

The exposed database stored the information of both customers and potential customers, including “fixed-line customers representing approximately 15% of that customer base,” said Virgin Media CEO Lutz Schüler.
The list included:
– customer names,
– home addresses,
– email addresses,
– phone numbers,
– technical and product information, which includes any requests people may have made using forms on the company’s website, and dates of birth ‘in a very small number of cases.’

The company assured its customers that the misconfigured marketing database did not include affected customers’ account passwords or financial information such as credit cards or bank account numbers. However, Schüler said the company doesn’t know “the extent of the access or if any information was actually used.”

In a statement TurgenSec wrote ”Would customers consider the following to be an accurate description of “limited contact information”:

  • Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.
  • Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses.
  • IMEI numbers associated with stolen phones.
  • Subscriptions to the different  aspects of their services, including premium components.
  • The device type owned by the user, where relevant.
  • The “Referrer” header taken seemingly from a users browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.
  • Form submissions by users from their website.

TurgenSec recommends ”that all customers affected by this breach immediately issue a GDPR request to Virgin Media to identify exactly what information has been breached, and what information the company continues to hold on them. The limited information issued by Virgin Media, in our opinion, does not adequately cover the extent of this.“

Virgin Media says “Those affected will receive an email from email@em.virginmedia.com, so please check your spam filters to ensure you can receive it.”