Virgin Media admitted it left an unsecured database
online containing personal data for about 900,000 customers, including their
phone numbers, names, and physical addresses.
When people hear about data breaches, they usually
imagine hackers gaining access to secure systems, but that’s not always the
case. Sometimes, data breaches have a simpler cause — pure negligence. It
doesn’t always take a mastermind to access people’s private information,
especially when it can be found unsecured online.
“The database was used to manage information about our
existing and potential customers in relation to some of our marketing
activities,” says Virgin Media. “This included: contact details (such as name, home and email
address and phone numbers), technical and product information, including any
requests you may have made to us using forms on our website. In a very small
number of cases, it included date of birth.”
Fortunately, the database held no financial information
or passwords. Even without those, though, a trove of verified, cross-referenced
data about customers can be very useful in the wrong hands and could fetch a
high price on the dark market.
The company also said the database was apparently accessed
only once, by an unauthorized user, but it’s difficult to ascertain more than
that. Such private data can be used in several criminal endeavors, with
phishing being the most likely. It’s important to know that Virgin Media will
never call or email people and ask them for banking details, and suspicious
emails should be reported to the company immediately.
The company has already contacted the people affected by
the data breach, so customers don’t have to do anything extra. To stay on the
safe side, people should change their passwords after data breaches anyway,
making sure to choose unique, strong passwords.
Multiple Elasticsearch databases have been found exposed online in the past
few months, and it looks like Virgin Media is not the only one being cavalier
with private data. In 2019, an Elasticsearch server containing personal
information on 1.2 billion people, scraped from various online sources, was
found unsecured online, with no apparent owner.