In the United Kingdom the Information Commissioner’s Office (ICO) has been informed by Virgin Media that the personal data of more than 900,000 customers has been illegally obtained by an unauthorised third party in breach of the European Union’s General Data Protection Regulation (GDPR).
A statement that was made public by the company to BBC News says that the database of the group was “incorrectly configured” by an employee, Due to this the data remained accessible. The data in question was linked to marketing data for existing and possible customers, who were informed of the leak in an email on Thursday evening. Early estimates are that the database was left exposed up until around 19 April 2019.
Jonathan Compton, UK compliance attorney and partner at DMH Stallard, has said that the Virgin Media group could be sanctioned with the highest of possible GDPR financial sanctions under GDPR. This would mean either 4% of global turnover or €20 million, whichever figure is greater.
Compton stated: “It is important to note that this was not a case of a secure database being hacked. No, this was an ‘error by a member of staff not following correct procedures’. Fines towards the maximum of the applicable Act are likely. This was a serious breach, over a long period, affecting nearly 1m people.”
TurgenSec, the company that first discovered that the marketing database was publicly accessible contacted Virgin Media to inform them of it. Since the breach became public the group said that Virgin Media were being “disingenuous” to claim that only “limited contact information” had been violated. The data that was affected includes names, email addresses, phone numbers and details related to technical services and products the customers were interested in. The company has been keen to stress that passwords and payment details were not stored on the database.
They stated: “We cannot speak for the intentions of their communications team but stating to their customers that there was only a breach of “limited contact information” is from our perspective understating the matter potentially to the point of being disingenuous. We do not know if the people writing the statement knew all the facts when writing this statement, but here is what we know.”
In addition to this they informed Virgin Media Customers to send in a GDPR request to ascertain if their data was impermissibly shared, saying “We would recommend that all customers affected by this breach immediately issue a GDPR request to Virgin Media to identify exactly what information has been breached, and what information the company continues to hold on them. The limited information issued by Virgin Media, in our opinion, does not adequately cover the extent of this.” You can view the full statement here.