Virgin Media has notified the UK Information Commissioner’s Office (ICO) that personal data belonging to over 900,000 customers was illegally obtained by an unauthorised third party, in breach of the European Union’s General Data Protection Regulation (GDPR).
In a statement released to BBC News, the company said that the database had been “incorrectly configured” by a member of its own staff, as a result of which the data remained exposed online. The data in question was marketing data relating to existing and potential customers, who were alerted to the leak by email on Thursday evening. Initial estimates are that the database had been exposed since at least 19 April 2019.
Jonathan Compton, UK compliance lawyer and partner at DMH Stallard, has said that Virgin Media could face the highest possible financial sanction under GDPR: 4% of global annual turnover or €20 million, whichever figure is higher.
He said: “It is important to note that this was not a case of a secure database being hacked. No, this was an ‘error by a member of staff not following correct procedures’. Fines towards the maximum of the applicable Act are likely. This was a serious breach, over a long period, affecting nearly 1m people.”
TurgenSec, the company that first noticed that the marketing database was publicly accessible, contacted Virgin Media to make them aware of it. Since the breach became public, the group has said that Virgin Media was being “disingenuous” in claiming that only “limited contact information” had been breached. The data affected includes names, email addresses, phone numbers and details of the technical services and products the customers were interested in. Virgin Media has been keen to emphasise that passwords and payment details were not held in the database.
They said: “We cannot speak for the intentions of their communications team but stating to their customers that there was only a breach of ‘limited contact information’ is from our perspective understating the matter potentially to the point of being disingenuous. We do not know if the people writing the statement knew all the facts when writing this statement, but here is what we know.”
In addition, they advised Virgin Media customers to submit a GDPR subject access request to ascertain whether their data was impermissibly shared. They said: “We would recommend that all customers affected by this breach immediately issue a GDPR request to Virgin Media to identify exactly what information has been breached, and what information the company continues to hold on them. The limited information issued by Virgin Media, in our opinion, does not adequately cover the extent of this.” You can read the full statement here.