Virgin Media spills personal details of 900,000 customers in data breach

Misconfigured marketing customer database access ‘did not include any passwords or financial details’, Virgin Media claims

Virgin Media has admitted to a 10-month long data breach in which the personal details of 900,000 customers and ex-customers could have been compromised. It blames a misconfigured marketing database, and warned that it was accessed by persons unknown on at least one occasion over the past 10 months. It added that it did not know the extent of the access, nor whether any of the information has been put to nefarious use.

Worse still, some of the personal details also included email addresses acquired via Virgin Media's 'refer a friend' scheme.

The company added that the database contained personal information, such as names, home addresses, email addresses and telephone numbers, but did not contain any passwords or financial details. Affected customers will be contacted by the company, which indicated that compromised customer accounts could be targeted in phishing attacks. The Information Commissioner's Office (ICO) was notified within 72 hours of discovery of the breach.

The company only became aware of the security breach on Friday when it was informed by researchers at security firm TurgenSec.

"We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access," said Lutz Schüler, CEO of Virgin Media in a statement. "We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed line customers representing approximately 15% of that customer base."

He continued: "The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home and email addresses and phone numbers. Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used."

However, the company did not say when the data breach occurred, nor when the company discovered the breach.

The fact that the compromised database contained marketing information vectors into claims made in recent years that the IT department might soon start answering to the chief marketing officer, rather than the CIO.

"The ‘age of the customer' will place harsh and unfamiliar demands on institutions, necessitating changes in how they develop, market, sell, and deliver products and services. CIOs will be called on to support these changes, widening their agendas beyond IT to include... technology, systems and processes to win, serve and retain customers," noted Forrester founder George F Colony.

However, it is open to question whether the CMO has the all-round IT skills required to securely run IT.

Virgin Media was formed out of the mergers of the UK's various local cable companies, consolidated into NTL and Telewest. Formed in 2006, the company was acquired by US communications company Liberty Global for £15 billion in 2013.

The data breach was disclosed at the same time that the company suffered an internet outage affecting users across North London.