UK telephone, TV and internet provider Virgin Media has suffered a data breach.
Or not, depending on whom you ask.
TurgenSec, the company that alerted Virgin Media to the breached information – or, at least, to the inadvertently disclosed database – says that it “included personal information corresponding to approximately 900,000 UK residents.”
We’re not exactly sure where or how TurgenSec found the errant data, but it sounds as though this was either a cloud blunder, a marketing partner plunder, or both of those at once.
Cloud blunders are, unfortunately, all too common these days – typically what happens is that a company extracts a subset of information from a key corporate database, perhaps so that a research or marketing team can dig into it without affecting the one, true, central copy. In the pre-internet days, you often heard this referred to as a “channel-off”.
In the modern era, channelled-off data seems to leak out in two main ways:
- The copied data gets uploaded to a cloud service that isn’t properly secured. Crooks regularly trawl the internet looking for files that aren’t supposed to be there – this process can be automated – and are quick to pounce if they find access control blunders that let them download data that should clearly be private.
- The data gets sent to an outside company, e.g. for a marketing campaign, and it gets stolen from there. Data breaches from partner companies could happen for exactly the reason given above – poor cloud management practices – or for a variety of other reasons that the company responsible for the data can’t control directly.
We’re assuming, in Virgin Media’s case, that what happened was along the lines of the first cause above, given that the company insists that:
No, this was not a cyber-attack. […] No, our database was not hacked. […] Certain sources are referring to this as a data breach. The precise situation is that information stored on one of our databases has been accessed without permission. The incident did not occur due to a hack but as a result of the database being incorrectly configured.
Virgin Media hasn’t done itself any favours with this statement. What it seems to be saying is that, because the crooks merely wandered in uninvited, without even needing to bypass any security measures or exploit any unpatched security holes, this doesn’t count as a “hack” or a “breach”.
We don’t know about you, but to us, this sounds a bit like wrecking your car by driving into a ditch and then claiming that you “didn’t actually have a crash”; instead, you simply didn’t drive with sufficient care and attention to stay safely on the road.
What data went walkabout?
Whether you think it’s a breach or not, it’s certainly a pretty big leak, even though the 900,000 users impacted is well short of Virgin Media’s full customer list.
TurgenSec has published a list of the fieldnames (database columns) that appeared in the exposed data, although not every field contained data for every user listed.
These apparently include: name, email address, home address, phone number and date of birth.
TurgenSec is also claiming that some of the fields reveal “requests to block or unblock various pornographic, gore related and gambling websites,” although a report last Friday by the BBC suggests that this block/unblock data was present only for about 1,100 of the customers affected by the leak.
What to do
Virgin Media secured the errant database pretty quickly, so it’s no longer open for any more crooks to find and steal.
The company has also set about contacting customers whose Virgin Media accounts were affected, meaning that there are probably millions of people in the UK who will be watching out for an email but ultimately won’t hear anything because they weren’t affected.
As we know, this is the sort of vacuum into which cybercriminals love to step – sending phishing scams that pretend to be security notifications.
Our recommendations, therefore, are as follows:
- If you receive an email claiming to be from Virgin Media, ignore contact details in that email. Use an existing account or your original contract to find an official phone number or website, and get in touch that way. It’s slightly less convenient (assuming the email is genuine) but it makes it very much harder for the crooks to trick you into contacting them instead (making the more likely assumption that the email is fake).
- Read our article, What you sound like after a data breach. We wrote it a few years ago as a satirical piece, but there’s a lot in there you can learn from. As Mark Stockley put it back in 2015, “Hopefully you’ve never had anything stolen in a data breach, but if you have, I hope you’ve been spared the salted wound of the non-apology.”
- Learn how to build a cybersecurity-aware culture in your own business. Sophos CISO Ross McKerchar has six tips to bolster the “human firewall” that makes it less likely you’ll let data leak out in the first place.
cakmn
It’s a breach of trust – trust that one’s personal data will be treated with respect for one’s privacy – to not ensure that one’s data will be protected as fully as possible at all times.
To argue otherwise is a butt-covering mind game of words that lawyers like to use to try to minimize responsibility that is theirs but that they don’t want to admit to because it will cost their clients money and shame.
alex@alexandmarion.com
No, my house wasn’t burgled. All my possessions were removed by persons who gained access without permission due to an incorrectly configured door lock.
Paul Ducklin
Of course, in this case it’s a bit worse than that because it wasn’t *your* possessions that were stolen, it was *mine* (and 899,999 other folks).
Simon
No, there was not a tragic accident involving a school bus full of children who were in our care. The bus driver intentionally drove the bus off the side of a bridge. This is not how we intend our drivers to behave and the result is certainly a tragedy but we strongly disagree that the word “accident” be attached to this incident. 3 months of complimentary grief counseling will be offered to the families of the children who were on the bus.
Raylund
No, this was not a theft. […] No, our property was not broken. […] Certain sources are referring to this as a burglary. The precise situation is that properties in our house have been accessed without permission. The incident did not occur due to a break-in but as a result of the main door being unlocked and wide open.
Gavin
Looking at the wording above, Virgin Media did not state that it wasn’t a breach, only that it wasn’t a hack or cyber-attack:
“No, this was not a cyber-attack. […] No, our database was not hacked. […] Certain sources are referring to this as a data breach. The precise situation is that…”
They seem to be carefully insinuating that a breach and a hack are sort of the same thing and that because they’re not calling this a hack then perhaps it wasn’t a breach either, but they’re not directly equating those two terms or denying that it was a breach outright.
Why all this weasel-wording? Maybe the “it’s-not-a-hack-and-we’re-not-directly-calling-it-a-breach” label keeps the burden of regulatory and compliance reporting or legal liability down? What lovely solace for all those individuals whose information was leaked. I’m quite sure their internal breach response plan/team was activated though.
Paul Ducklin
Not long ago a major South African bank suffered a breach of a similar size and sort (no financials) due to a blunder by a marketing company who had received a batch of “channelled off” customer contact data and failed to keep it safe.
I happened to hear a radio interview (I listened online but he was live when he went on air) with the bank’s CEO. After giving a similar sort of overview of what happened, he said words to the effect of: “I want to be frank and say that in terms of the relevant regulations, the ‘responsible party’ here is quite clearly the bank and it’s up to us to deal with the consequences.”
Those words didn’t get anyone’s data back but they were refreshingly straight-talking. IMO, that sort of thing goes a long way to rebuilding trust after a cyberblunder…
Cassandra
But with Virgin, once you lost it, it’s lost
Spryte
If you cannot afford to hire the people with the proper talent to do a job (securing your clients’ personal data, in this case), perhaps you should not be in business.
Mike Prendergast
In GDPR terms it’s still a leak of PII.
Richard Pennington
No, it’s not a breach. We weren’t hacked. We sent your data to the Daily Beast and they published it.
Emil
Would appreciate if you could use synonyms for crooks. I know you love this word but it’s very repetitive.
Paul Ducklin
We (or perhaps I ought to speak for myself only here and say “I”) tend to stick to calling them “crooks” or “criminals”, for the avoidance of doubt. Problem is that if you wander through the thesaurus you find that you can end up losing the sense of clarity over the criminality involved. If you say “hacker”, you get into a debate over whether that word is even pejorative; if you say “cracker” you get into an argument of just how much cracking there was, and what cracking even is; and so on.
It’s like the word “cloud” here (which I used four times, same as “crooks”), or “malware”, or “laptop”. Sometimes the straight-and-simple word that everyone knows works best.
What would you call them? (The criminals, that is, not the cloud/malware/your laptop.)
Emil
I loved your reply. Makes more sense as you put it. As just a reader, I don’t have a broad dictionary but maybe: offender, felon, outlaw, bandit, trespasser etc. I love your style of writing and the content!
Paul Ducklin
“Trespasser” is an interesting word here – it’s a good example of how old-school laws didn’t transfer well to the online world, in the same way that joyriding cars turned out not to be “theft” – because the offender didn’t intend to keep the car – and become “TWOCcing” instead. (For our American readers, TWOC is short for “taking without consent”.)
In England, at least, trespass is not a criminal offence. So I can take you to court for taking a shortcut through my garden, but the police won’t. “Just passing through and not taking anything” isn’t seen as bad enough to be criminal on its own. In the world of computers, however, “just looking around” potentially gives you so much criminal benefit that the digital equivalent of trespass *is* a crime – you can be arrested and charged in a criminal court for unauthorised access as well as for unauthorised modification.
And “felon” is a tricky word, too. In the US, not all criminals are felons, because some crimes are only misdemeanours; but in the UK, there are no more “felonies” because the felony/misdemeanour distinction was dropped in the 1960s.
I accept that for some people, “crook” seems a bit informal, though whenever I have heard cops use the word crooks, sorry, police officers talk about criminals, there has been nothing casual about their meaning!
Roger Bentley
“We’re not exactly sure where or how TurgenSec found the errant data” is an interesting comment. The burning question in fact. The only way they could have found this data is by looking for it. They are probably conducting an illegal activity known as port scanning. This is what hackers do to give them lists of open ports on servers that they can then manually investigate. Which again is illegal, the computer misuse act clearly states that you cannot access data that doesn’t belong to you REGARDLESS of your intentions. There is no such thing as “white-hat hacking” without permission, if you do not have authorisation you cannot snoop around in other people’s systems, that is law. Most internet service providers do not even allow port scanning. If Virgin had employed them to do this then there wouldn’t be a problem. Also if they are aware that 1100 of those records contained block/unblock data then they must have downloaded or at least sifted through the entire database. This means the customer data is in the hands of Turgensec and possibly the BBC. If I were a Virginmedia customer I’d be contacting both the BBC and Turgensec for a disclosure of what data they hold on me, what they’ve done with it, what their intentions are and most importantly how exactly they obtained it. You cannot obtain or gain access to this data legally so I think they have a lot of explaining to do.