Virgin Media admitted it left an unsecured database online containing personal data for about 900,000 customers, including their phone numbers, names, and physical addresses.
When people hear about data breaches, they usually imagine hackers gaining access to secure systems, but that’s not always the case. Sometimes, data breaches have a simpler cause — pure negligence. It doesn’t always take a mastermind to access people’s private information, especially when it can be found unsecured online.
“The database was used to manage information about our existing and potential customers in relation to some of our marketing activities,” says Virgin Media. “This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth.”
Fortunately, the database held no financial information or passwords. Even without those, though, a trove of verified, cross-referenced customer data can be very useful in the wrong hands and could fetch a high price on the dark web.
The company also said the database was apparently accessed only once, by an unauthorized user, but it’s difficult to ascertain more than that. Such private data can be used in several criminal endeavors, with phishing being the most likely. It’s important to know that Virgin Media will never call or email people and ask them for banking details, and suspicious emails should be reported to the company immediately.
The company has already contacted the people affected by the data breach, so customers don’t have to do anything extra. To stay on the safe side, people should change their passwords after data breaches anyway, making sure to choose unique and strong passwords.
Multiple Elasticsearch databases have been found exposed online in the past few months, and it looks like Virgin Media is not the only one being cavalier with private data. In 2019, an Elasticsearch server containing personal information on 1.2 billion people, scraped from various online sources, was found unsecured, online, and with no apparent owner.