Virgin Media is likely to be in the General Data Protection Regulation (GDPR) crosshairs after disclosing a recent breach that affected approximately 900,000 customers to the U.K.’s data regulator.
Virgin on Thursday confirmed the breach in a press release. According to an email sent to affected customers, a marketing database with customer information was left open for access from at least April 19, 2019, to when the company was “recently” made aware of the cyber-security lapse and shut down access—a period of roughly 10 months.
“The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home and email addresses and phone numbers,” CEO Lutz Schüler said in a statement. “Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used.”
According to the email to customers, technical and product information and, in a small number of cases, dates of birth may have also been exposed.
Schüler’s statement acknowledges the database was “incorrectly configured which allowed unauthorized access.” In a statement to the BBC, the company explained a member of staff not following correct procedures was to blame for the vulnerability.
“We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed line customers representing approximately 15% of that customer base,” said Schüler. “Protecting our customers’ data is a top priority and we sincerely apologize.”
Virgin has launched an independent forensic investigation into the breach.
Virgin Media, though owned by multinational telecommunications company Liberty Global, is headquartered in the United Kingdom, and therefore subject to the European Union’s stringent data privacy law, the GDPR. The company made the U.K. Information Commissioner’s Office (ICO) aware of the breach and is keeping the regulator “fully updated,” according to Schüler.
An ICO spokesperson confirmed Virgin has reported the breach and that the ICO is “making enquiries.”
“The ICO assesses certain key factors when determining potential penalties and fines, such as the cause of the breach, the sensitivity and number of affected personal data records, and the number of affected data subjects,” said Sundeep Kapur, an associate in the privacy and cyber-security practice at law firm Paul Hastings.
“While I think that the sheer number of affected personal data records and data subjects will play a role in whether the ICO pushes for fines (and the size of those fines), the real driver will be whether the cause of the data breach reveals more systemic issues regarding Virgin Media’s basic security practices.”
Under the GDPR, companies may be fined up to 4 percent of their annual turnover when consumers’ privacy rights covered by the law are violated. This includes when customer data is accessed in a breach, which was the case when the ICO proposed fines of £183.39 million (U.S. $230 million) and £99.2 million (roughly U.S. $124 million) for British Airways and Marriott, respectively, last July. Both fines have yet to be finalized.
Of note, British Airways’ breach exposed the data of nearly 500,000 customers and was also found to be the result of poor security arrangements at the company.