Virgin Media exposes data of 900,000 users via unprotected marketing database
Virgin Media, a provider of telephone, television, and internet services in the UK, disclosed today a data breach that was caused by a database server left exposed online without a password.
The incident exposed the personal details of approximately 900,000 customers, representing around 15% of the company's entire customer base.
Exposed data varies by user, but it could contain names, home addresses, emails, phone numbers, along with technical and product information.
Virgin Media said the database was used for marketing activities and, as a result, did not contain sensitive information, such as passwords or financial details.
The company said it already notified the Information Commissioner's Office, the UK's data protection watchdog.
In a data breach notification page, Virgin Media is warning customers that they may be susceptible to phishing attacks.
"Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used," Lutz Schüler, CEO of Virgin Media, said in a press release.
In an interview with the Financial Times, which first broke the story, Schüler said they don't have any evidence that the stolen data was abused in any way.
The company said it's now contacting each of the impacted users to notify them about the incident.
Virgin Media is the second telco to disclose a data breach in the last 24 hours. Yesterday, T-Mobile US disclosed a security breach that exposed the staff and customers' personal information.
Updated on March 9 to add a link to a TurgenSec blog post where the company who found the exposed database accuses Virgin Media of downplaying the severity of its findings, claiming that besides user personal data, the server also contained user ISP requests on behalf of users to access pornographic or gore-related websites, device details, and more. Virgin Media has not responded to the blog post.