[BreachExchange] Virgin Media Accused of Downplaying Security Incident

Destry Winant destry at riskbasedsecurity.com
Wed Mar 11 10:12:41 EDT 2020


https://www.securityweek.com/virgin-media-accused-downplaying-security-incident

Virgin Media has been accused of downplaying the recently disclosed
cybersecurity incident that involved the personal information of
roughly 900,000 people.

UK-based phone, TV and broadband services provider Virgin Media
started informing customers and potential customers last week that
some of their personal information was exposed as a result of a
misconfigured marketing database.

The company said the exposed information included names, home
addresses, phone numbers, technical and product information, and, in
some cases, dates of birth.

The cybersecurity company that discovered the database, TurgenSec, has
provided more details about its findings. TurgenSec described the
telecom firm’s response to the breach as “strong” and commended the
company for quickly removing access to the database. However,
TurgenSec is not pleased with Virgin Media’s disclosure of the
incident.

According to TurgenSec, the exposed information also included IP
addresses, IMEIs associated with stolen phones, the user’s device
type, information submitted via forms, and requests to block or
unblock porn, gore-related or gambling sites.

“We cannot speak for the intentions of their communications team but
stating to their customers that there was only a breach of ‘limited
contact information’ is from our perspective understating the matter
potentially to the point of being disingenuous,” TurgenSec said.

The security firm also believes that the incident demonstrates Virgin
Media’s poor cybersecurity practices.

“There seems to be a systematic assurance process failure in how they
monitor the secure configuration of their systems. All information was
in plaintext and unencrypted – which means anyone browsing the
internet could clearly view and potentially download all of this data
without needing any specialised equipment, tools, or hacking
techniques. Anyone with a web browser could access it,” TurgenSec
said.

The company is also displeased with the fact that Virgin Media has not
publicly given it credit for finding the exposed database.

Virgin Media, on the other hand, has suggested that its initial
disclosure was rushed due to news of the incident being leaked to the
press. The company says it thanks TurgenSec for its support.

“Out of the approximate 900,000 people affected by this database
incident, 1,100, or 0.1%, had information included relating to our
‘Report a Site’ form. This form is used by customers to request a
particular website to be blocked or unblocked – it does not provide
information as to what, if anything, was viewed and does not relate to
any browsing history information,” a Virgin Media spokesperson told
SecurityWeek.

“We strongly refute any claim that we have acted in a disingenuous
way. In our initial notification to all affected people about this
incident we made it clear that any information provided to us via a
webform was potentially included in the database. All individuals have
been given details on how they can get in touch with us directly to
address any queries, or for support and advice. We will be further
contacting customers, where appropriate, to provide additional
guidance,” they added. “In addition, we are currently building a
bespoke, secure online tool which will allow any individual to find
out if they are affected and which data types relating to them were
included in the database.”
