It’s not a breach… it’s just that someone else has your data

UK telephone, TV and internet provider Virgin Media has suffered a data breach.
Or not, depending on whom you ask.
TurgenSec, the company that alerted Virgin Media to the breached information – or, at least, to the inadvertently disclosed database – says that it “included personal information corresponding to approximately 900,000 UK residents.”
We’re not exactly sure where or how TurgenSec found the errant data, but it sounds as though this was either a cloud blunder, a marketing partner plunder, or both of those at once.
Cloud blunders are, unfortunately, all too common these days – typically what happens is that a company extracts a subset of information from a key corporate database, perhaps so that a research or marketing team can dig into it without affecting the one, true, central copy. In the pre-internet days, you often heard this referred to as a “channel-off”.

In the modern era, channelled-off data seems to leak out in two main ways:

• The copied data gets uploaded to a cloud service that isn’t properly secured. Crooks regularly trawl the internet looking for files that aren’t supposed to be there – this process can be automated – and are quick to pounce if they find access control blunders that let them download data that should clearly be private.
• The data gets sent to an outside company, e.g. for a marketing campaign, and it gets stolen from there. Data breaches from partner companies could happen for exactly the reason given above – poor cloud management practices – or for a variety of other reasons that the company responsible for the data can’t control directly.

We’re assuming, in Virgin Media’s case, that what happened was along the lines of the first cause above, given that the company insists that:

No, this was not a cyber-attack. […] No, our database was not hacked. […] Certain sources are referring to this as a data breach. The precise situation is that information stored on one of our databases has been accessed without permission. The incident did not occur due to a hack but as a result of the database being incorrectly configured.

Virgin Media hasn’t done itself any favours with this statement. What it seems to be saying is that, because the crooks merely wandered in uninvited, without even needing to bypass any security measures or exploit any unpatched security holes, this doesn’t count as a “hack” or a “breach”.
We don’t know about you, but to us, this sounds a bit like wrecking your car by driving into a ditch and then claiming that you “didn’t actually have a crash”; instead, you simply didn’t drive with sufficient care and attention to stay safely on the road.

What data went walkabout?

Whether you think it’s a breach or not, it’s certainly a pretty big leak, even though the 900,000 users impacted is well short of Virgin Media’s full customer list.
TurgenSec has published a list of the fieldnames (database columns) that appeared in the exposed data, although not every field contained data for every user listed.
These apparently include: name, email address, home address, phone number and date of birth.
TurgenSec is also claiming that some of the fields reveal “requests to block or unblock various pornographic, gore related and gambling websites,” although a report last Friday by the BBC suggests that this block/unblock data was present only for about 1,100 of the customers affected by the breach leak.

What to do

Virgin Media secured the errant database pretty quickly, so it’s no longer open for any more crooks to find and steal.
The company has also set about contacting customers whose Virgin Media accounts were affected, meaning that are probably millions of people in the UK who will be watching out for an email but ultimately won’t hear anything because they weren’t affected.
As we know, this is the sort of vacuum into which cybercriminals love to step – sending phishing scams that pretend to be security notifications.
Our recommendations, therefore, are as follows:

• If you receive an email claiming to be from Virgin Media, ignore contact details in that email. Use an existing account or your original contract to find an official phone number or website, and get in touch that way. It’s slightly less convenient (assuming the email is genuine) but it makes it very much harder for the crooks to trick you into contacting them instead (making the more likely assumption that the email is fake).
• Read our article, What you sound like after a data breach. We wrote it a few years ago as a satirical piece, but there’s a lot in there you can learn from. As Mark Stockley put it back in 2015, “Hopefully you’ve never had anything stolen in a data breach, but if you have, I hope you’ve been spared the salted wound of the non-apology.”
• Learn how to build a cybersecurity-aware culture in your own business. Sophos CISO Ross McKerchar has six tips to bolster the “human firewall” that makes it less likely you’ll let data leak out in the first place.