Virgin Media, a provider of telephone, television, and internet services in the U.K., revealed that it discovered an unsecured database that exposed the personal information of around 900,000 customers, which is 15% of the company’s entire customer base. The leaked database was taken down immediately and is now password protected.
According to the Virgin Media release, the exposed information includes names, home addresses, emails, phone numbers, and product information. The incident response team at Virgin Media stated that the database was used for marketing activities and did not contain sensitive information like passwords, credit/debit card numbers, and other financial details.
The company stated it already notified the Information Commissioner’s Office, the U.K.’s data protection watchdog, for further investigation on the security incident. It also warned the affected customers to be vary of phishing attacks.
Lutz Schuler, CEO of Virgin Media, said, “Protecting our customers’ data is a top priority and we sincerely apologize. The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home and email addresses and phone numbers. Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used.”
“We are now contacting those affected to inform them of what happened. We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party,” Schuler added.
Private Information of British Citizens Exposed Online
In a similar database leak incident, an unprotected AWS (Amazon Webservices) S3 database that contained personal information of British citizens was discovered by security researchers Noam Rotem and Ran Locar of the security firm vpnMentor. It included passport scans, tax documents job applications, background checks, expense forms, scanned contracts complete with signatures, salary information, emails and more.
Researchers found no security protection on this AWS database, also known as bucket, and thus were able to see all the files stored in it. The files contained a wide range of Personally Identifiable Information (PII), including names, addresses, phone numbers, dates of birth, gender, national insurance number–in short, everything that a threat actor requires to complete identity theft, fraud, or any cyberattack targeted towards the user or against him.