Virgin Media’s woeful data governance record has been exposed yet again after the company was forced to admit that a marketing database containing personal data on over 900,000 customers was left unprotected for over 10 months, allowing any Tom, Dick or Harry to access the information.
The company has already confessed that the database – which contained names, home and email addresses, phone numbers, technical and product information, and in some cases dates of birth – has been accessed “on at least one occasion” by an unknown user.
An email to affected customers from Virgin Media chief executive Lutz Schueler states: “We are very sorry to have to inform you that we recently became aware that some of your personal information, stored on one of our databases has been accessed without permission. Our investigation is ongoing but we currently understand that the database was accessible from at least 19 April 2019 and that the information has been recently accessed.”
However, the email insists that the database did not include any passwords or financial details, such as bank account numbers or credit card information. It does not state whether Virgin Media account details have been compromised.
Schueler added: “We take our responsibility to protect your personal information seriously. We know what happened, why it happened and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation.”
The incident joins a catalogue of cock-ups which have beset the firm over recent years, including sending bailiffs to collect a debt from a woman who had never been a customer, cutting off a customer because it claimed he had died, sending a deceased man a bill with a late payment charge, exposing 50,000 CVs from job applicants, and telling another customer it was her fault that she had been the victim of a phishing attack.
It would appear that the company is at least taking this latest issue seriously. The email concludes: “Given the nature of the information involved, there is a risk you might be targeted for phishing attempts, fraud or nuisance marketing communications. We understand that you will be concerned so we are writing to everybody affected to provide reassurance, guidance and support. Once again, we sincerely apologise for what has happened.”
Virgin confirmed it has reported the breach to the Information Commissioner’s Office, although whether that will help its case is another matter. The regulator takes a very dim view of such data security issues; its first major GDPR rulings – the proposed fines against British Airways and Marriott International totalling £282m – were as a result of lax security measures.
Jonathan Compton, a partner at City law firm DMH Stallard, believes the company should brace itself for the worst.
He said: “It is important to note that this was not a case of a secure database being hacked. No, this was an error by a member of staff not following correct procedures. The company can expect a large fine.
“Fines towards the maximum of the applicable Act are likely. This was a serious breach, over a long period, affecting nearly 1 million people. The situation is aggravated by the fact that this was not the result of a hack but the result of negligence.”