Virgin Media exposed PII of 900000 users via unsecured database

Good point. This is a process failure, not the actions of a malicious individual. Do you have controls in place to find this kind of breach?

[…] The unprotected database was not discovered by Virgin Media but by security firm TurgenSec that alerted the company about the exposure on 28th February. In an official statement posted on its website, the firm said Virgin Media massively understated the extent of the breach, to the point of “being disingenuous” to its customers.

According to TurgenSec, the unsecured database contained the following information which, the firm says, does not fit the accurate description of “limited contact information” as stated by Virgin Media:

  • Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.
  • Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses.
  • IMEI numbers associated with stolen phones.
  • Subscriptions to the different aspects of their services, including premium components.
  • The device type owned by the user, where relevant.
  • The “Referrer” header taken seemingly from a user’s browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.
  • Form submissions by users from their website.

“There seems to be a systematic assurance process failure in how they monitor the secure configuration of their systems. All information was in plaintext and unencrypted – which means anyone browsing the internet could clearly view and potentially download all of this data without needing any specialised equipment, tools, or hacking techniques. Anyone with a web-browser could access it,” the firm said.

“It is regrettable that the company is shifting blame to a member of their staff, when they should have had a mature DevSecOps methodology that routinely looks for, identifies and mitigates these errors before customers’ data is exposed.”

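The “assurance process” TurgenSec refers to is, in practice, a check that runs against your own asset inventory on every deploy and fails the pipeline when a datastore is reachable from the internet without authentication. The following is an added example (not code from the original post, Virgin Media or TurgenSec) of such a secure-configuration check in Python; the inventory records, the field names and the severity policy are constructed assumptions, and the sample instances are invented for illustration.

```python
"""Secure-configuration assurance check for database instances.

Added illustration, not from the original post. It evaluates a constructed
inventory of datastore instances against a small exposure policy:
  - reachable from the internet AND no authentication  -> critical
  - reachable from the internet (auth on)               -> high, confirm intent
  - holds PII but no TLS                                -> high (plaintext in transit)
  - holds PII but no authentication (internal only)     -> medium
"""
import ipaddress
from dataclasses import dataclass

# Ranges treated as "not the public internet" (hypothetical policy choice).
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]

_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class DbInstance:
    name: str
    bind_address: str   # address the service listens on ("0.0.0.0" = all interfaces)
    port: int
    auth_required: bool
    tls_enabled: bool
    ingress_cidrs: list  # network rules permitting inbound traffic to `port`
    holds_pii: bool


@dataclass
class Finding:
    instance: str
    severity: str
    reason: str


def is_public_cidr(cidr: str) -> bool:
    """True if the rule admits any address outside the private/loopback ranges.

    Deliberately avoids IPv4Network.is_private, which reports 0.0.0.0/0 as
    private because both its first and last address fall in reserved blocks.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for priv in _PRIVATE_NETS:
        if priv.version == net.version and net.subnet_of(priv):
            return False
    return True


def listens_beyond_localhost(bind_address: str) -> bool:
    return not ipaddress.ip_address(bind_address).is_loopback


def evaluate(inst: DbInstance) -> list:
    """Apply the exposure policy to one instance and return its findings."""
    findings = []
    reachable = listens_beyond_localhost(inst.bind_address) and any(
        is_public_cidr(c) for c in inst.ingress_cidrs)
    if reachable and not inst.auth_required:
        findings.append(Finding(inst.name, "critical",
                                "reachable from the internet without authentication"))
    elif reachable:
        findings.append(Finding(inst.name, "high",
                                "reachable from the internet; confirm this exposure is intended"))
    if inst.holds_pii and not inst.tls_enabled:
        findings.append(Finding(inst.name, "high", "PII served without TLS (plaintext in transit)"))
    if inst.holds_pii and not inst.auth_required and not reachable:
        findings.append(Finding(inst.name, "medium", "PII store accepts unauthenticated internal access"))
    return findings


def audit(inventory: list) -> list:
    """Evaluate every instance; findings come back ordered by severity."""
    findings = [f for inst in inventory for f in evaluate(inst)]
    return sorted(findings, key=lambda f: _RANK[f.severity])


def worst_severity(findings: list):
    return findings[0].severity if findings else None


# Constructed sample inventory (fictional names and addresses).
SAMPLE_INVENTORY = [
    DbInstance("customer-crm", "0.0.0.0", 27017, False, False, ["0.0.0.0/0"], True),
    DbInstance("billing", "10.0.3.4", 5432, True, True, ["10.0.0.0/8"], True),
    DbInstance("metrics", "0.0.0.0", 9200, True, True, ["203.0.113.0/24"], False),
    DbInstance("staging-replica", "10.0.5.9", 27017, False, True, ["10.0.0.0/8"], True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.instance}: {f.reason}")
```

In a pipeline, a non-empty `critical` result would block the deploy; the check is cheap enough to run on every change, which is the point TurgenSec makes about catching misconfiguration before, rather than after, customer data is exposed.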
Original article here