UK-based phone, TV and broadband services provider Virgin Media on Thursday admitted that it exposed the personal information of roughly 900,000 people.
The company blamed the incident on a misconfigured marketing database that stored names, home addresses, email addresses, phone numbers, and technical and product information. Dates of birth were also exposed “in a very small number of cases.”
“Please note that this is all of the types of information in the database, but not all of this information may have related to you,” customers were told.
Virgin Media said the exposed database did not include any passwords or financial information, such as payment card details or bank account numbers. The database stored information on both customers and potential customers.
The firm said this was not a cyberattack and its database was not hacked. However, its investigation revealed that the database was accessed at least once, although it is unclear if any information was actually taken.
While it is possible that the database was accessed by malicious actors, it’s also not uncommon for security researchers to come across unprotected databases and access them for analysis, particularly if they appear to belong to a major organization.
In a letter sent out to affected individuals, Virgin Media said the database was accessible since at least April 19, 2019, and the unauthorized access occured recently.
Virgin Media claimed it quickly shut down access to the database once it learned of the exposure. The company launched an investigation into the data breach and notified the Information Commissioner’s Office.
Related: T-Mobile Notifying Customers of Data Breach
Related: 400 Mn Facebook Users’ Phone Numbers Exposed in Privacy Lapse: Reports
Related: Canadian Telecom Firm Freedom Mobile Exposed Customer Details
Related: Major U.S. Mobile Carriers Vulnerable to SIM Swapping Attacks