[BreachExchange] Virgin Media faces £4.5BILLION compensation payout after data breach left personal details of 900,000 customers online for 10 months, lawyers say

Destry Winant destry at riskbasedsecurity.com
Mon Mar 30 10:13:40 EDT 2020


https://www.dailymail.co.uk/news/article-8159737/Virgin-Media-faces-4-5BILLION-compensation-payout-data-breach-left-personal-details-online.html?ns_mchannel=rss&ns_campaign=1490&ito=1490

Virgin Media could be forced to pay up to £4.5billion to customers
whose personal data was published online - including details of porn
sites accessed, a law firm says.

Your Lawyers, a firm based in Chesterfield, Derbyshire, has offered to
help people who had their full names and contact details released get
up to £5,000 each.

Earlier this month Virgin Media said the breach occurred because its
database was incorrectly configured, allowing unauthorised access by
one third party.

The information was accessible from April 2019 until February 28, 2020.

The law firm says a Group Compensation Action could force the company
to cough up thousands of pounds per customer for undue financial and
emotional distress.

The information in the database did not include passwords or financial
details but did contain names, email addresses, phone numbers and
details of customers' contracts with the service.

However, the independent IT company that alerted Virgin to the breach
found details that linked some customers to 'explicit websites', it
told MailOnline.

Virgin Media blamed the error on the negligence of a staff member who
did not follow correct procedures.

Aman Johal, Director at Your Lawyers, revealed the firm had formally
notified Virgin Media it was taking action.

He said: 'Virgin Media failed to take the steps required to keep
customer data safe. It is vital for the company to understand the
severity of this breach.

'When data is left exposed online it is open season for fraudsters to
scam and attack vulnerable people.

'Our claimant base is growing daily. We urge anyone affected by the
breach to make a claim as soon as possible.'

Mr Johal described the release of the information as a 'serious breach
of consumer rights' for which there 'is simply no excuse'.

'Even though the breach occurred due to "human error", we must hold
Virgin Media to account,' he added.

MailOnline has approached Virgin Media for comment.

Virgin Media CEO Lutz Schuler said the company recently became aware
of the issue and immediately shut down access to the affected
database.

Speaking at a media conference in London, Schuler said: 'There is no
evidence that the data taken has been used in the wrong way.

'We want to avoid any panic.

'We all have enough on our plate with coronavirus at the moment but we
have to be open about it,' said Schuler, who added that he would
apologise to customers for the breach.

The company, which is conducting an ongoing investigation, said it
believes the database was accessed at least once but does not know to
what extent or if any information was used.

'Protecting our customers' data is a top priority and we sincerely
apologise,' it said.

'We are now contacting those affected to inform them of what happened.'

Virgin is now urging its customers to remain cautious before 'clicking
on an unknown link or giving any details to an unverified or unknown
party'.

The Financial Times reported that this breach affects about 15 percent
of Virgin Media's paying customers, including some with Virgin Mobile.

However, data from non-customers could have also been included that
came from 'refer a friend' promotions.

Virgin Media is Britain's second-largest broadband company and owned
by billionaire John Malone's Liberty Global, according to The
Financial Times.

The vulnerability of the customer data was first discovered by
information security provider TurgenSec, as reported by the FT and
confirmed to MailOnline by the company.

'The breach was discovered by TurgenSec as part of a routine sweep of
databases,' a spokesperson at TurgenSec told MailOnline.

'Despite reassurance issued that "protecting our customers' data is a
top priority" we found no indication that this was the case.

'This wasn't only due to a simple error made by a member of staff
"incorrectly configuring" a database, as has been stated.'

TurgenSec added that the information was in plaintext and unencrypted,
which means anyone with a web browser could clearly view and
potentially download all the data without needing any specialised
equipment or hacking techniques.

'It is regrettable that the company is shifting blame to a member of
their staff, when they should have had a mature DevSecOps methodology
that routinely looks for, identifies and mitigates these errors before
a customer's data is exposed.'

With almost one million customers affected, the breach is deemed one
of the largest by a UK firm in recent years.

'This data breach has exposed the data of almost a million Virgin
Media customers and whilst no financial details or passwords were
included, those customers are likely to be worried,' said Adam French,
Which? consumer rights expert.

'It is vital that Virgin Media continues to provide clear information
on what has happened.

'For anyone concerned they could be affected, it's good practice to
update your password after a data breach.

'Also, be wary of emails regarding the breach, as scammers may try and
take advantage of it.'

Virgin said that online security advice and help on a range of topics
is available to customers on its website.

It says it has contacted all the affected individuals with advice on
what to do next.

VIRGIN MEDIA'S STATEMENT ON THE DATA BREACH

'We recently became aware that some personal information, stored on
one of our databases has been accessed without permission. Our
investigation is ongoing and we have contacted affected customers and
the Information Commissioner's Office.

The database was used to manage information about our existing and
potential customers in relation to some of our marketing activities.
This included: contact details (such as name, home and email address
and phone numbers), technical and product information, including any
requests you may have made to us using forms on our website. In a very
small number of cases, it included date of birth. Please note that
this is all of the types of information in the database, but not all
of this information may have related to every customer.

To reassure you, the database did NOT include any passwords or
financial details, such as bank account number or credit card
information.

We take our responsibility to protect personal information seriously.
We know what happened, why it happened and as soon as we became aware
we immediately shut down access to the database and launched a full
independent forensic investigation.'

