A Virgin Media UK database containing the personal details of 900,000 people was left unsecured and accessible for 10 months, the company has admitted. The data was accessed “on at least one occasion” by an unknown user.
The database, which was for marketing purposes, contained phone numbers, home and email addresses. It did not include passwords or financial details.
The breach was not due to a hack or a criminal attack, but because the database had been “incorrectly configured” by a member of staff not following the correct procedures, Virgin Media said. Virgin was alerted to the problem after it was spotted by a security researcher at TurgenSec.
The company said almost all of those affected were Virgin customers with television or fixed-line telephone accounts, although the database also included some Virgin Mobile customers as well as potential customers referred by friends as part of a promotion.
Virgin Media, part of Liberty Global, has informed the Information Commissioner’s Office as and launched an investigation.
Lutz Schüler, chief executive of Virgin Media said: “We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access… Protecting our customers’ data is a top priority and we sincerely apologise.”
“Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used, Schuler said.
Virgin Media said it would be emailing those affected.