UK-based telecommunications company Virgin Media is the latest firm under scrutiny for a rather disturbing data breach. The issue was spotted by security analysts at TurgenSec, who informed the company of their findings, and the exposed database has since been shut down, The Financial Times reports. Unfortunately, though, that data — including sensitive browsing habits — had already been out in the open for nearly a year.
Extremely sensitive info out in the open — Personal information like email addresses and names belonging to at least 900,000 customers was exposed through an open and unsecured Virgin Media marketing database for 10 months. The database also contained insight into customers' browsing habits, including searches related to gambling, porn, and extreme gore, according to FT. Naturally, Virgin Media fails to mention this in its statement.
The implications are obvious and troubling. Virgin Media claims that it has contacted those affected and ensured their private information is in safe hands. But privacy watchdogs worry customers could become hapless victims of extortion and blackmail thanks to this breach.
In its public announcement, Virgin Media said:
We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed line customers representing approximately 15 percent of that customer base. Protecting our customers’ data is a top priority and we sincerely apologise.
Security experts aren't really having it, though — The company that originally sounded the alarm on the openly accessible database isn't too satisfied with Virgin Media's official response to the matter. It says that Virgin Media's response is insincere, while one of the engineers told FT that the company could face a hefty fine for failing to run an impenetrable database. TurgenSec said that it was "disingenuous" for the telecommunication company to downplay the severity of the breach by saying "limited contact information" had been revealed, according to FT.
"Despite the reassurance they issued that 'protecting our customers' data is a top priority' we found no indication that this was the case," TurgenSec told the outlet. "There seems to be a systematic assurance process failure in how they monitor the secure configuration of their systems."