British internet service provider Virgin Media recently committed a security blunder when it left its database online and unsecured, said Infosecurity Magazine. This gaffe made the system vulnerable to malicious parties, compromising the sensitive info of around 1 million customers.
In an email to customers, the Liberty Global-owned ISP informed those concerned that some 900,000 clients may have been exposed to hackers for several months. The company also disclosed that the security gap could have existed from at least April 19, 2019. The same email also informed customers “the database was accessed on at least one occasion” but the company is now aware of the extent of usage of the access, according to BBC.
In explaining the extent of the potential breach, Virgin Media clarified that the database “was used to manage information about [their] existing and potential customers.” The archive was maintained in connection with some of the company’s marketing practices.
The database contained personal info such as names, addresses and contact numbers. It also held technical and product information. Some customer records could have included dates of birth.
While some essential information could have been leaked, the ISP shed light on the safety of sensitive data such as passwords and financial credentials. According to Virgin Media, the security flaw did not expose any such information, which means that clients’ finances and accounts are safe.
Customers who could be affected are those who have Virgin TV and fixed-line telephone accounts from the company. There could also be some Virgin Mobile users.
The security gap was allegedly caused by a Virgin Media staff member who misconfigured the system, leaving it exposed for 10 months, said Infosecurity Magazine.
Repercussions for the gaffe
The ISP told customers to be wary of phishing attempts through the contact information they presented to the company. Customers could also fall victim to fraudulent activities and nuisance marketing strategies.
Aside from the dangers this blunder poses to customers, the company is also facing penalties for its oversight. Lawyer Jonathan Compton from city law firm DMH Stallard said that the ISP will be penalized under the General Data Protection Regulation (GDPR).
Compton said that the penalty could be the maximum fine as outlined by the Data Protection Act 2018, especially as the flaw existed over the period of almost a year, affecting almost 1 million customers. The fact that negligence was the source of the problem can play into the severity of the punishment.