I apologise for the length of this post in advance. It should take you about a minute to read it. The data breach that everyone is talking about does matter. It matters that so much of our personal information (900,000) plus customers have through no fault of their own had personal details left open to anyone and anything to use as they see fit. What makes it so bad is that the information is all in ONE DATABASE, so that means I or you could look at it, and see name, email address, postal address, phone number, account number etc etc all in one go. We wouldn't even have to search for it and put it all together to start spamming, or scamming people!
https://www.virginmedia.com/help/data-incident tells us about a "data breach" which Virgin Media says in part 'some of your personal information, stored on one of our databases has been accessed without permission'. Apparently this happened from April 2019 up to the last few days when TurgenSec (an IT Security Company) made Virgin Media aware of an unsecured and unencrypted database being accessible online. The database contained 900,000 (nearly 1 MILLION) customers' details.
Virgin Media state: "Protecting people’s data is key to our business, which is why we have strict security processes and policies in place." Clearly in this case their so-called security is a shambles. 10 months of being accessible online without passwords, or logged in security is quite frankly appalling. They didn't even see there was a problem within a week, a month or even a few months. No, it took someone else to tell them there was an issue.
Their response on their website reads in part - "Based upon our investigation, the database was accessed at least once. Unfortunately, we don’t know how much of the database was accessed, or if any of the information has been used." Which to me means they really do not have a clue as to how much information is now out there in the dark web for fraudsters to use.
I know people have asked for compensation online at Facebook, but at the very least I think Virgin Media should offer ALL OF THEIR AFFECTED customers a free year of credit monitoring service, AND sort out their customer login page to allow SPecI@L charac-ters instead of a rubbish "Your password is between 6 and 10 characters, begins with a letter and contains a number" which is insufficient.
I understand that online Content Management Systems will always be targets of hacking, or misconfigured security setups, but come on Virgin Media - be honest and be transparent about what has happened, who dropped the ball and instead of telling customers how they can protect themselves, do something constructive to protect YOUR customers! No doubt the ICO will fine you heavily but that will not help Mr & Mrs Smith, or the elderly gentleman or woman who will fall foul of someone calling them claiming to be from Virgin Media. No wonder your Trustpilot scores are so bad.
You need to be completely honest with your customers, you need to help them so you can re-instill faith in the company. I have been a customer with you for years and no I won't swap to another provider, but come on help your customers now with more than just some lame advice.
"come on help your customers now with more than just some lame advice."
Why would VM bother to do more when people openly state that:
"no I won't swap to another provider"
You just told them that regardless of what they do, you'll keep paying their well-padded bills. That's not much of a negotiating position, if I might be so bold.
VM is a huge, US-owned, lard-backsided bureaucracy. It exists to make as much money as possible, and whilst there's nothing wrong with that motive, we have to accept that our relationship with VM is a Faustian pact. They really, really do not care about customers, all they want is money. And so long as people tolerate VM's premium prices, sometimes unreliable service, shockingly poor support and customer service, and indeed their cavalier attitude to data security, there's no incentive to change. Read other threads in which VM staff have repeatedly said how sorry VM is...but that they reject outright that the data breach is any basis for compensation to those affected. How many "sorry"s would you like? The company has an unlimited supply, and they are being handed out very generously in response to this.
So, VM's approach to this and any other problem that arises from their approach to running an ISP is "suck it up, or leave". The choice is there for all customers. As far as I know this breach didn't affect me, if it had I'd be off as soon as I am out of contract.
I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.
"Apparently this happened from April 2019 up to the last few days when TurgenSec (an IT Security Company) made Virgin Media aware of an unsecured and unencrypted database being accessible online. The database contained 900,000 (nearly 1 MILLION) customers' details."
So far I haven't seen anything to suggest that the data has actually been accessed by any unauthorised group other than the whistleblower, TurgenSec. So, until proven otherwise, it remains a potential rather than an actual breach.
I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media, I'm a VM customer. There are no guarantees that my advice will work.
⋮ So far I haven't seen anything to suggest that the data has actually been accessed by any unauthorised group other than the whistleblower, TurgenSec. So, until proven otherwise, it remains a potential rather than an actual breach. ⋮
BBC's reporting suggests TurgenSec and at least one unknown party accessed the data here:
Virgin Media breach 'linked customers to porn' ⋮ The UK telecoms company revealed on Thursday that one of its "marketing databases" containing details of 900,000 people was open to the internet and had been accessed "on at least one occasion" by an unknown user. ⋮
"AND sort out their customer login page to allow SPecI@L charac-ters instead of a rubbish "Your password is between 6 and 10 characters, begins with a letter and contains a number" which is insufficient."
Problem is the legacy systems involved won't allow it, so unless you plan on funding them ripping out literally every piece of legacy equipment and rebuilding entire portions of the network from scratch I don't see this happening.
Thing is you don't "need" super long passwords, 10 characters is ample enough to make something random that isn't going to be guessed easily and certainly not within a timeframe most people will care about, the main issue is that people just don't want to have to deal with passwords that are random enough for that and would instead prefer to be able to just slap an @ or a ! on the end of their dog's name in the hopes that it makes them feel more secure, I've used the same password on here for around a decade or so and not had any issues with my account being compromised, it's not even that complicated a password either.
f8Ei5FdP9c fits within the password limitations, it's complicated enough to avoid being found with a rainbow table and it's unlikely to be brute-forced in any meaningful amount of time without actually managing to dump the user DB in the first place, but we come back to the issue that people mostly can't be bothered to think up unique passwords for logins, at the end of the day you don't need a password that takes a billion years to crack, it just needs to be complicated enough that people will just skip you and move on to the poor idiots using password1 as their password instead, you just need to be above the low hanging fruit and they will for the most part leave you alone as they aren't looking to put in the effort needed to crack your password when they can just crack 50 others in the same time.
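An added example, not part of the original thread and not Virgin Media's code: it counts the passwords allowed by the rule quoted above ("between 6 and 10 characters, begins with a letter and contains a number") and checks sample strings against it. The letters-and-digits-only, case-sensitive character set and both guess rates are assumptions made for illustration.

```python
import re
import string

# Assumption: the quoted rule allows only ASCII letters and digits (the thread
# says special characters are rejected) and treats case as significant.
LETTERS = len(string.ascii_letters)   # 52
ALNUM = LETTERS + len(string.digits)  # 62
POLICY = re.compile(r"[A-Za-z](?=[A-Za-z0-9]*[0-9])[A-Za-z0-9]{5,9}")


def meets_policy(password: str) -> bool:
    """6-10 characters, begins with a letter, contains a number."""
    return POLICY.fullmatch(password) is not None


def count_for_length(n: int) -> int:
    """Number of passwords of length n that the rule allows.

    The first character is a letter, so the required digit must sit in one of
    the other n-1 positions: all alphanumeric tails minus letter-only tails.
    """
    if n < 1:
        return 0
    return LETTERS * (ALNUM ** (n - 1) - LETTERS ** (n - 1))


def policy_keyspace(min_len: int = 6, max_len: int = 10) -> int:
    """Total number of allowed passwords across the permitted lengths."""
    return sum(count_for_length(n) for n in range(min_len, max_len + 1))


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every allowed password at a given rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    space = policy_keyspace()
    print(f"allowed passwords: {space:.3e}")
    # Constructed rates: a throttled online login versus offline guessing
    # against a dumped, fast-hashed user DB (both figures are assumptions).
    for label, rate in [("online, 10/s", 10), ("offline, 1e10/s", 1e10)]:
        print(f"{label}: {years_to_exhaust(space, rate):.3g} years to exhaust")
    # Sample strings, two of them taken from the thread, one constructed.
    for pw in ["f8Ei5FdP9c", "password1", "SPecI@L1x"]:
        print(pw, meets_policy(pw))
```

The worst-case figures apply only to randomly chosen passwords; the rule itself also accepts password1, so it does not stop a user from choosing one of the first guesses on any wordlist.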
Good post, I only found out today as I have had no email from Virgin advising if I was on the database, amazing that the security was so slack. I will make enquiries to see if I am affected. I agree password should be stronger and have done my own posts on that. One of my VM contact emails may be affected and had difficulty with it recently today (password) as it is my VM user name. Strange that the event was not on BBC News. Recent hacking of Tesco and Boots in past few days also indicates hackers are getting busy with stolen data, I had to change passwords but it means they have your email address.
More worries I could do without, Virgin should review their security and bring in 2 step verification using SMS or recovery email.
Suggestion for Virgin, why not split the email away from the Virgin account so each would have its own separate password, having one password for both means a hacker can get into both your personal VM account which has your bills/payment details etc as well as the access to all email accounts primary and secondary. This could enable a hacker to access some services, if it was a mobile log in that might enable free usage?, although I have not used the mobile login myself so unsure how the data breach would affect mobile.
I have changed passwords recently so hope that is enough to provide protection.