Virgin Media, the British telecom and Cable TV provider, has suffered a breach that allowed unauthorized access to customer data, some of which reportedly linked subscribers to porn, gambling, and extreme-violence content.
Virgin Media said in a post that the unauthorized access was to a marketing database that included “limited contact information such as names, home and email addresses, and phone numbers” for about 900,000 subscribers. The company went on to say that the breached database contained no passwords or financial information.
Despite Virgin Media characterizing the accessed data as limited contact information, the Financial Times and the BBC reported that the compromised database also included details of some 1,100 customers who had used an online form to request that specific websites be blocked or unblocked. Some of those sites offered content involving porn, gambling, and extreme-gore videos.
“The records, seen by the Financial Times, show the website that was being blocked or unblocked linked to the customer names and contact details,” Friday’s FT article said. “In some cases that included parents asking for pornographic sites to be blocked to protect children, and other users requesting the Virgin Media unblock access to niche adult websites.”
The availability of customer data opens the 900,000 affected customers to spear-phishing attacks, in which scammers and malware attackers address a target by name or tailor the content of the email to the target’s personal details. Attackers often make the emails appear to be from the company breaching the data, which in this case is Virgin Media.
Even worse, the unauthorized access of sensitive data opens the 1,100 other affected customers to extortion schemes in much the way the devastating 2015 hack of Ashley Madison, a website that arranged trysts for people cheating on their spouses and romantic partners, spurred huge numbers of emails threatening to publish intimate details unless subscribers paid a fee. Five years on, extortion demands continue.
Virgin Media said the breach was the result of the database being incorrectly configured. The Register, citing an email sent to affected customers, reported that the database was left unsecured since at least last April. Virgin Media said the unauthorized access was neither a breach nor a hack but rather was “as a result of the database being incorrectly configured.”
Among security practitioners, however, the widely accepted definition of data breach is “a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.” Even the Merriam-Webster dictionary defines breach as an “infraction or violation of a law, obligation, tie, or standard.” So, sorry Virgin Media: a breach is exactly what happened here.