Virgin accused of covering up full extent of data breach

Virgin Media customers affected by last week’s data breach are being urged to use their powers under GDPR to find out exactly what information the company has leaked on them, following claims it has been economical with the truth over the severity of the incident.

According to the firm which discovered the poorly secured database, Turgensec, the extent of the data breach was more extensive, and personal, than Virgin Media’s official disclosure seemed to suggest.

On Friday Virgin Media insisted that only name, home and email address and phone numbers, technical and product information, and in some cases date of birth had been compromised. However, Turgensec said that, as well as contact details, it had found requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses and IMEI numbers associated with stolen phones.

It also discovered subscriptions to the different aspects of their services, including premium components; the device type owned by the user, where relevant; the “referrer” header taken users’ browser, containing details on the previous website that the user visited before accessing Virgin Media; and form submissions by users from their website.

In a statement, Turgensec said: “We cannot speak for the intentions of [Virgin Media’s] communications team but stating to their customers that there was only a breach of ‘limited contact information’ is from our perspective understating the matter potentially to the point of being disingenuous.”

Turgensec also quibbled with the Virgin Media’s attempt to blame the security gaffe on IT workers “incorrectly configuring” an Internet-facing database. It claims that the database – which was filled with unencrypted plain-text records – was a sign of “systematic assurance process failure,” the firm said.

Turgensec urged all customers who have received a notification to file a GDPR request for a full breakdown of what data of was spilled.

The firm added: “Companies like to downplay the impacts whilst upselling their supposed care and due diligence in an attempt to place shareholder value over their customer’s rights. Their customers have a right to ensure their data is protected ‘by design’ which in many cases it isn’t. It would seem highly unlikely to us that in this case, after being left open for 10 months, the data has not been obtained by multiple actors some potentially malicious.”

In response, Virgin Media has hit back. It told The Register: “Out of the approximate 900,000 people affected by this database incident, 1,100, or 0.1%, had information included relating to our ‘Report a Site’ form. This form is used by customers to request a particular website to be blocked or unblocked – it does not provide information as to what, if anything, was viewed and does not relate to any browsing history information.

“We strongly refute any claim that we have acted in a disingenuous way. In our initial notification to all affected people about this incident we made it clear that any information provided to us via a webform was potentially included in the database.”

The Information Commissioner’s Office has been informed of the incident.