Virgin Media has reported a data breach affecting 900,000 customers, caused by a failure to secure a marketing database.
The company says the incident was not due to a cyberattack, but rather a misconfigured database which left personal details unsecured and available for anyone to access for 10 months.
The breach compromised sensitive customer information, including phone numbers, email and home addresses, though no financial information was leaked.
- Virgin Media says there's no mass broadband outage - but customers disagree
- Facebook data breach sees millions of personal details leaked online
- Virgin Media set to supercharge UK broadband speeds
Researchers have also claimed that the information held on the database could link customers to pornography and other explicit websites.
Virgin Media confirmed the database held records of roughly 1,100 customers who had asked for certain sites to be unblocked via an online form.
The company has confirmed the information was accessed “on at least one occasion” by an unauthorised user.
Virgin Media data breach
Virgin Media first became aware of the issue last week, after it was identified by a researcher at security firm TurgenSec.
The majority of those affected were customers with television or landline telephone accounts, though some mobile customers also featured on the database.
The nature of the compromised information means the group is at increased risk of phishing attacks, nuisance calls and identity theft.
“We recently became aware that one of our marketing databases was incorrectly configured, which allowed unauthorised access. We immediately solved the issue by shutting down access,” Lutz Schüler, CEO of Virgin Media, said in a statement.
“Based upon our investigation, Virgin Media does believe the database was accessed on at least one occasion, but we do not know the extent of the access or if any information was actually used.”
“Protecting our customers’ data is a top priority and we sincerely apologise,” he added.
However, TurgenSec believes the data exposed is more extensive and incriminating than Virgin Media first let on, and could also be used to hold victims to ransom.
"Stating to their customer that there was only a breach of 'limited contact information' is from our perspective understating the matter potentially to the point of being disingenuous," said a TurgenSec researcher.
"These highly sensitive details could be used by cyber-criminals to boost the chances of extorting money from victims."
Virgin Media has informed the Information Commissioner’s Office and alerted the affected individuals via email.
- Here's our choice of the best antivirus services on the market