Virgin Media Facing up to $5.5 Billion Data Breach Compensation Bill

Virgin Media Ltd, which provides television, telephone and internet services throughout the United Kingdom may have to fork out up to £4,500,000,000 (roughly $5.5 billion) after a data security breach in which personal information belonging to its customers was published online.

The data of a staggering 900,000 customers (representing some 15% of Virgin’s entire customer base) was accessible from April 2019 until the 28th of February 2020.
In a statement, Virgin Media CEO Lutz Schüler acknowledged that there had been a breach and said that it occurred because “one of our marketing databases was incorrectly configured”. The cause of the incorrect configuration was apparently the negligence of a Virgin employee. Mr Schüler offered his sincere apologies on behalf of his company to those customers affected.

Exposed Data
Although passwords and financial details were not included in the information that was compromised, the database concerned did contain customers’ names, personal email addresses, telephone numbers and their Virgin Media contract details.
-The independent IT company that originally informed Virgin of the breach in its system, TurgenSec, found details that could link some of the customers concerned to what it described as ‘explicit websites’.
-According to Turgensec, the information exposed included all of the following and more;
-Names, postal addresses, dates of birth, telephone numbers, and IP addresses.
-Requests to block (or indeed unblock) pornographic, gore-related and gambling websites.
-IMEI numbers associated with stolen telephones.
-Subscriptions to the different aspects of Virgin’s services.
-The device type (i.e. the make and model of the computer, tablet or smartphone) owned by the user.
-The “Referrer” header taken seemingly from the user’s browser, potentially including the previous website visited before accessing Virgin Media.
User form submissions from their website.

Pending Legal Action
Some reports have indicated that Virgin Media Limited could expect to face a major “Class actions lawsuit” following the data breach. This is, to a certain extent, a misnomer. Under the law of England and Wales, there is in fact no precise equivalent to an American class action.
There are, however, a number of somewhat similar procedures by which collective or representative legal actions can be brought before a British court. Some judicial commentators also believe that the advent of the GDPR has led to a significant expansion of the use of collective actions in the UK. This is somewhat unsurprising; given the sheer number of people who may be similarly impacted in the event of an online data breach involving a company with a large customer base, collective legal action is a logical option for claimants.
One British legal firm, Your Lawyers, has already suggested that Virgin media is liable for the financial and emotional distress suffered by the customers concerned, and should expect to pay damages of approximately £5,000 sterling, i.e $6,145, per claimant. Given that up to 900,000 customers could potentially have a valid claim against Virgin, the settlements could total more than $5.5 billion.

More “Class Action” lawsuits to come?
Much like other recent data breach cases against companies as big as Google, Cathay Pacific and Amazon, for a layman it may seem rather strange that a company whose activities revolve around the internet and telecommunications could be so lax when it comes to GDPR compliance. The regulation was introduced as long ago as May 2018, after an ample period of notice.

Virgin has stated that the error was due to simple employee negligence, if that is the case it could prove to have been a very costly error indeed. The scale of the potential damages, and the added probability of the proliferation of class action lawsuits, should serve as stark warning to all companies to get their houses in order when it comes to GDPR.

About Eoin Campbell 21 Articles
Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified solicitor. Eoin has moved from practicing law to teaching. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data protection.