News

Virgin Media breach allegedly linked customers to pornographic content

The company apologised for the breach, but assured the 900,000 affected customers that only ‘limited contact information’ had been accessed.
The company apologised for the breach, but assured the 900,000 affected customers that only ‘limited contact information’ had been accessed. The company apologised for the breach, but assured the 900,000 affected customers that only ‘limited contact information’ had been accessed.

An insecure Virgin Media database that left personal details accessible to unknown parties allegedly contained information linking customers to pornographic sites.

Virgin Media apologised for the breach, which affected around 900,000 customers, and told customers “limited contact information” had been accessed.

But TurgenSec, the cyber security company that first uncovered the incident, said the database contained details of explicit content.

These included “requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses”, TurgenSec said.

Information about customer subscriptions to the different aspects of Virgin Media services, including premium components, was also left accessible.

The database was reportedly left unsecured since April 2019.

Virgin Media said the breach occurred after one of its marketing databases was “incorrectly configured” which allowed unauthorised access, adding that “protecting our customers’ data is a top priority”.

But TurgenSec said its researchers found evidence of a “systematic assurance process failure” in the way Virgin monitored system configurations.

It added that the matter had been understated “potentially to the point of being disingenuous”, a claim that Virgin Media “strongly refutes”.

A Virgin Media spokesman said: “Out of the approximate 900,000 people affected by this database incident, 1,100, or 0.1%, had information included relating to our Report a Site form.

“This form is used by customers to request a particular website to be blocked or unblocked – it does not provide information as to what, if anything, was viewed and does not relate to any browsing history information.

“We strongly refute any claim that we have acted in a disingenuous way. In our initial notification to all affected people about this incident, we made it clear that any information provided to us via a webform was potentially included in the database.

“All individuals have been given details on how they can get in touch with us directly to address any queries, or for support and advice. We will be further contacting customers, where appropriate, to provide additional guidance.

“In addition, we are currently building a bespoke, secure online tool which will allow any individual to find out if they are affected and which data types relating to them was included in the database.

“We once again apologise to those who have been affected.”