Virgin Media has been accused of downplaying the recently disclosed cybersecurity incident that involved the personal information of roughly 900,000 people.
UK-based phone, TV and broadband services provider Virgin Media started informing customers and potential customers last week that some of their personal information was exposed as a result of a misconfigured marketing database.
The company said the exposed information included names, home addresses, phone numbers, technical and product information, and, in some cases, dates of birth.
The cybersecurity company that discovered the database, TurgenSec, has provided more details about its findings. TurgenSec described the telecom firm’s response to the breach as “strong” and commended the company for quickly removing access to the database. However, TurgenSec is not pleased with Virgin Media’s disclosure of the incident.
According to TurgenSec, the exposed information also included IP addresses, IMEIs associated with stolen phones, the user’s device type, information submitted via forms, and requests to block or unblock porn, gore-related or gambling sites.
“We cannot speak for the intentions of their communications team but stating to their customers that there was only a breach of ‘limited contact information’ is from our perspective understating the matter potentially to the point of being disingenuous,” TurgenSec said.
The security firm also believes that the incident demonstrates Virgin Media’s poor cybersecurity practices.
“There seems to be a systematic assurance process failure in how they monitor the secure configuration of their systems. All information was in plaintext and unencrypted – which means anyone browsing the internet could clearly view and potentially download all of this data without needing any specialised equipment, tools, or hacking techniques. Anyone with a web-browser could access it,” TurgenSec said.
The company is also displeased with the fact that Virgin Media has not publicly given it credit for finding the exposed database.
Virgin Media, on the other hand, has suggested that its initial disclosure was rushed due to news of the incident being leaked to the press. The company says it thanks TurgenSec for its support.
“Out of the approximate 900,000 people affected by this database incident, 1,100, or 0.1%, had information included relating to our ‘Report a Site’ form. This form is used by customers to request a particular website to be blocked or unblocked – it does not provide information as to what, if anything, was viewed and does not relate to any browsing history information,” a Virgin Media spokesperson told SecurityWeek.
“We strongly refute any claim that we have acted in a disingenuous way. In our initial notification to all affected people about this incident we made it clear that any information provided to us via a webform was potentially included in the database. All individuals have been given details on how they can get in touch with us directly to address any queries, or for support and advice. We will be further contacting customers, where appropriate, to provide additional guidance,” they added. “In addition, we are currently building a bespoke, secure online tool which will allow any individual to find out if they are affected and which data types relating to them were included in the database.”