The personal information of as many as 900,000 Virgin Media customers was left exposed on the Internet for almost a year because the company stored their details in an unprotected online database.
Virgin Media said on Friday that the exposure of personal data of its customers took place after an employee "incorrectly configured" an online database that contained such information. The company said that the database contained people's home addresses, email addresses, and phone numbers and was accessed at least once by an unauthorised party.
"We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access. Protecting our customers' data is a top priority and we sincerely apologise.
"Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used," said Lutz Schüler, CEO of Virgin Media.
All of the affected 900,000 customers, whose personal information was stored in the unsecured database, used Virgin Media's television, fixed-line telephone, and mobile services and some of them were referred to the company by existing customers.
The unsecured database contained more detailed customer data than Virgin Media admitted
The unprotected database was not discovered by Virgin Media but by security firm TurgenSec, which alerted the company to the exposure on 28 February. In an official statement posted on its website, the firm said Virgin Media massively understated the extent of the breach, to the point of "being disingenuous" to its customers.
According to TurgenSec, the unsecured database contained the following information which, the firm says, does not fit the accurate description of “limited contact information” as stated by Virgin Media:
- Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.
- Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses.
- IMEI numbers associated with stolen phones.
- Subscriptions to the different aspects of their services, including premium components.
- The device type owned by the user, where relevant.
- The “Referrer” header taken seemingly from a user's browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.
- Form submissions by users from their website.
"There seems to be a systematic assurance process failure in how they monitor the secure configuration of their systems. All information was in plaintext and unencrypted – which means anyone browsing the internet could clearly view and potentially download all of this data without needing any specialised equipment, tools, or hacking techniques. Anyone with a web-browser could access it," the firm said.
"It is regrettable that the company is shifting blame to a member of their staff, when they should have had a mature DevSecOps methodology that routinely looks for, identifies and mitigates these errors before customers' data is exposed.
"We would recommend that all customers affected by this breach immediately issue a GDPR request to Virgin Media to identify exactly what information has been breached, and what information the company continues to hold on them. The limited information issued by Virgin Media, in our opinion, does not adequately cover the extent of this," it added.
TurgenSec also accused Virgin Media of not attributing credit to it as the reporting party as the company went straight to the media and credited its internal security team for identifying and mitigating the data exposure.
"This breach is an important case study in the wider debate of responsible disclosure and how companies should behave to encourage a positive cyber security research culture," it said.
Companies must implement strong access controls to prevent breaches of such magnitude
Commenting on the data exposure and TurgenSec's response, Stuart Sharp, VP of Solution Engineering at OneLogin, told TEISS that the fact the data was accessed without the need for advanced hacking techniques, through a misconfiguration that was in place for 10 months, highlights how important it is to carry out regular security reviews of systems holding sensitive data, and to put in place access control monitoring and alerting.
"Any company holding personal data of millions of people should be protecting all of their applications and databases using a central access control platform with strong multi-factor authentication rules in place.
"Access Control is fundamental to protecting systems and databases, it's security 101. Misconfiguration is a term used really to hide the fact baseline controls haven't been put in place like privileged user access controls," he added.
Marco Essomba, founder, iCyber-Security, said that it's surprising that it took Virgin Media ten months to detect and patch the flaw. In simple terms, these types of breaches occur because many organisations still lack adequate monitoring and controls to automatically detect and proactively respond to server and application misconfiguration before damage has been caused.
"The strongest protection against these types of breaches is to implement an effective defence-in-depth approach. For example, at one layer, an automated and continuous vulnerability assessment programme should be put in place to detect & alert on critical flaws.
"This must be backed by the right controls where remediation can be applied as soon as high risk vulnerabilities are detected. An effective change control mechanism must also be in place to ensure that changes applied to production systems are peer-reviewed to minimise human errors that could cause serious data breaches.
"Network & security managers, as well as infosecurity executives, must have the right cyber risk management and reporting tools to give them visibility on risk profiles of critical digital assets. That way, network and application flaws can be detected, prioritised, and remediated quickly for high risk assets," he added.