Virgin Media has escaped enforcement action over its 2019 data breach – which left the personal data of more than 900,000 customers unprotected for over 10 months – after the Information Commissioner’s Office ruled the company has no case to answer.
The incident was sparked by a Virgin Media “staff error”, which left a marketing database exposed on the Internet until data security firm TurgenSec spotted the issue and reported it to the company.
At the time, Virgin wrote to all those affected but insisted that only names, home and email addresses, phone numbers, technical and product information and, in some cases, dates of birth had been compromised.
However, TurgenSec subsequently claimed that it had also found requests to block or unblock various pornographic, gore-related and gambling websites, corresponding to full names and addresses and IMEI numbers associated with stolen phones.
It went on to report that the details had been accessed by an unknown third party at least once, with the majority of victims being customers with TV or telephone landline accounts, while a smaller percentage of Virgin Mobile customers were also affected.
Even so, Virgin Media has been accused of deliberately fobbing off customers after failing to provide exact details of what data was compromised.
An ICO spokesperson said: “Our aim is to protect people from poor organisational practices that put their personal information at risk. We have a range of powers to help us do that, including working with an organisation to check the right policies are in place.
“Following a detailed investigation, we felt that approach was sufficient in this case, and that formal enforcement action was not required. Our decision was based on the evidence of appropriate internal procedures, the number of people affected, the type of personal data involved and how the breach was caused.
“We expect Virgin Media to update us if new information comes to light or if their own investigations uncover detriment to customers.”
Quite where this leaves the group legal action against the company is anyone’s guess. Your Lawyers already represents almost 2,000 claimants in the case, and insists this figure is growing rapidly.
The law firm estimates that each victim of the breach could be eligible for up to £5,000 compensation for financial and emotional distress suffered. This could leave Virgin Media with a total compensation bill of up to £4.5bn.
Back in October, Your Lawyers director Aman Johal said: “Unbelievably, Virgin Media failed to take the necessary steps to keep people’s data safe for a sustained period of time, and, shockingly, it took a third-party security researcher to identify the issue.
“We know from experience that, when personal data is exposed online, it leaves victims vulnerable to cyberattacks and attempts at fraud, such as phishing scams. Customers will no doubt have bought into the Virgin Media brand that has been nurtured by Richard Branson for years and will rightly expect their personal data to be properly protected. For this to have happened is an inexcusable breach of consumer rights.
“Your Lawyers will hold Virgin Media to account for this avoidable breach of private information, and we will do everything possible to ensure justice for the victims prevails. The door is open for victims to join the action, and now is the time to act.”