Like a Virgin, hacked for the very first time... UK broadband ISP spills 900,000 punters' records into wrong hands from insecure database

Virgin Media, one of the UK's biggest ISPs, on Thursday admitted it accidentally spilled 900,000 of its subscribers' personal information onto the internet via a poorly secured database. The cableco said it "incorrectly configured" a storage system so that at least one miscreant was able to access it and potentially siphon off …

  1. Phil Endecott

    AWS S3 bucket, by any chance?

    1. Nano nano

      Simple Sharing Service.

    2. wolfetone Silver badge

      Probably a DynamoDB instance.

      1. Nano nano

        But for personal stuff, you would use a CMK for anything but the primary key attribute.

  2. Anonymous Coward
    Devil

    Easier?

    Maybe it would be easier to just list the carriers that haven't had personal information hacked.

    1. ThatOne Silver badge

      Re: Easier?

      You forgot "yet".

      1. steven_t

        Re: Easier?

        And "found out they have"

        As in: "Maybe it would be easier to just list the carriers that haven't yet found out they have had personal information hacked."

    2. Doctor Syntax Silver badge

      Re: Easier?

      Maybe it would be easier to just list the carriers marketing departments that haven't had personal information hacked left stuff lying about in the open.

    3. John H Woods

      Re: Easier?

      "Maybe it would be easier to just list the carriers that haven't had personal information hacked."

      As a public service I can provide that list:

      You're welcome

  3. RM Myers
    Unhappy

    "there is a risk you might be targeted for ... nuisance marketing communications"

    Really, you mean Virgin customers have a chance that they won't be targeted? Is there anyone, anywhere, who has any data connection to the outside world who hasn't been targeted? If so, please share your secret.

    1. Doctor Syntax Silver badge

      Re: "there is a risk you might be targeted for ... nuisance marketing communications"

      "If so, please share your secret."

      The secret is not sharing secrets.

      1. Kane
        Black Helicopters

        Re: "there is a risk you might be targeted for ... nuisance marketing communications"

        "The secret is not sharing secrets."

        Setec Astronomy

        1. werdsmith Silver badge

          Re: "there is a risk you might be targeted for ... nuisance marketing communications"

          Virgin are probably only worried about this because they didn't get any money in return for this disclosure.

          Years ago I helped make an account system whereby a user could run an account with a PIN and no personal data. No future in it though, because there's no information to be processed for gain.

          1. Terry 6 Silver badge

            Re: "there is a risk you might be targeted for ... nuisance marketing communications"

            AND VM's email service seems designed to help phishing and scammers get their shit through to users. Almost as if they were working for the scammers.

            *Their own server side filters are unable to block variants of obvious spam words like b1tc0in/bit_coin/Bitc*in etc.

            *The filter rule settings for their web based emails allow only blocking of specific addresses (scammer@scammer.com) but not parts or variations of addresses (so scammer2@scammer.com will get through).

            *Don't actually have a "mark as spam" rule.

            *Aren't easy to find, let alone understand and use.

            *Make marking individual emails as Spam as difficult as possible. When you remove an email it automatically selects the next email in the list, but when you tick a different one it doesn't untick that, so either a legit email gets moved to Spam with the actual Spam one or you have to go back through the list to find and untick it yourself if you didn't remember at the time. Also it will often refuse to let you mark a selection of several at the same time, declaring for some reason that these are "newsletters" despite them coming from weird or randomised addresses (wer234rj3n303@spammer.com) and that you have to report them as Spam 1 at a time. Like we can't make our own minds up without careful consideration. Which is strange since it will cheerfully let you mark 2 at a time by accident (as above).

            It will stop you forwarding phishing emails to the authorities, because they contain Spam (even though you haven't marked them as such yet), so can obviously detect Spam that users are sending individually even if apparently unable to spot it when spambots send it out by the squillion.
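The variant matching Terry 6 says the server-side filter cannot do, written out as an added example that is not part of the thread or of any Virgin Media product: a keyword rule that folds common digit and symbol substitutions, separators and single-character wildcards back onto the keyword (so b1tc0in, bit_coin and Bitc*in all hit the same rule), and a sender rule that blocks every local part at a domain rather than one address. The look-alike table, the rule names and the sample messages are constructed here.

```python
import re

# Constructed substitution table: each letter and the look-alikes spammers swap in for it.
LOOKALIKES = {
    "a": "a@4", "e": "e3", "i": "i1!|", "o": "o0", "s": "s$5", "t": "t7", "l": "l1|",
}
# Separators tolerated between the letters of an obfuscated word ("bit_coin", "b.i.t.c.o.i.n").
SEP = r"[\s._\-]*"
# Single-character wildcards seen standing in for a letter ("Bitc*in").
WILD = "*?"


def keyword_pattern(word: str) -> re.Pattern:
    """Compile a regex matching `word` plus its leetspeak, separator and wildcard variants."""
    classes = []
    for ch in word.lower():
        alternatives = LOOKALIKES.get(ch, ch) + WILD
        classes.append("[" + re.escape(alternatives) + "]")
    # Lookarounds stop the rule firing on a run of letters inside a longer legitimate word.
    return re.compile(r"(?<![a-z0-9])" + SEP.join(classes) + r"(?![a-z0-9])", re.IGNORECASE)


def sender_pattern(blocked_domain: str) -> re.Pattern:
    """Match any mailbox at the blocked domain or one of its subdomains, so that
    scammer2@scammer.com is caught by the same rule as scammer@scammer.com."""
    domain = re.escape(blocked_domain.lower())
    return re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)*" + domain + r"$", re.IGNORECASE)


def classify(message: dict, keywords: list, blocked_domains: list) -> list:
    """Return the names of the rules that fire for a message dict with 'from', 'subject', 'body'."""
    hits = []
    for dom in blocked_domains:
        if sender_pattern(dom).match(message["from"]):
            hits.append("sender:" + dom)
    text = message["subject"] + "\n" + message["body"]
    for kw in keywords:
        if keyword_pattern(kw).search(text):
            hits.append("keyword:" + kw)
    return hits


# Constructed sample messages: two obfuscated spam variants and one legitimate bill notice.
SAMPLES = [
    {"from": "scammer2@scammer.com", "subject": "Double your b1tc0in", "body": "Act now"},
    {"from": "wer234rj3n303@spammer.com", "subject": "hi", "body": "Free Bitc*in and bit_coin tips"},
    {"from": "billing@example.com", "subject": "Your bill is ready", "body": "Log in to view it"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", classify(m, ["bitcoin"], ["scammer.com", "spammer.com"]))
```

The keyword rule is deliberately built from a table rather than a list of spellings: each new substitution spammers adopt is one table entry, not a new rule per word, and the domain rule removes the need to block each randomised local part as it appears.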

    2. John Riddoch

      Re: "there is a risk you might be targeted for ... nuisance marketing communications"

      I get marketing emails from Virgin Media business on my work email address. I have never been in touch with them for anything. I submitted a GDPR data request (what info do you have, where did you get it from and why do you think you have permission to contact me?) and haven't had a response after 30 days. An email to the ICO is the next step.

      1. Anonymous Coward
        FAIL

        Re: "there is a risk you might be targeted for ... nuisance marketing communications"

        Well Virgin Media have a vast database of customers and non-customers which they use to harass the general public. I had to join MPS and still they mailed me right up to the point they would have been fined. I think 900,000 customers might be an unreasonably low figure. Brace for impact.

  4. Huw D

    Virgin are telling people to use strong passwords.

    The password policy on their accounts is 8-10 characters, numbers and letters only. No spaces. First character must be a letter...

    Go figure.

    1. jayAyyyy
      FAIL

      Absolutely this

      Breaks my password approach on many levels. On the odd occasion I do have to log into my Virgin Media account I always have to reset the password and it always ends up being something I can't remember.

      It's 2020 and 8 characters, letters and numbers only, is neither reasonable nor responsible.
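The keyspace behind the policy Huw D describes, as an added example that is not from the thread: the policy parameters (8-10 characters, letters and digits only, first character a letter) are taken from the post above; the 12-16 character printable-ASCII policy it is compared against is a hypothetical baseline, the 1e10 guesses-per-second rate is an assumed figure for an unsalted fast hash on commodity GPUs, and `validate_vm_style`, `keyspace_bits` and `brute_force_hours` are names chosen here.

```python
import math
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols allowed anywhere
LETTERS = string.ascii_letters                 # 52 symbols allowed in first position
PRINTABLE = 95                                 # printable ASCII, hypothetical comparison policy


def validate_vm_style(pw: str) -> bool:
    """Accept only what the policy quoted in the post above would accept
    (assumption: exactly those rules, nothing more)."""
    if not 8 <= len(pw) <= 10:
        return False
    if pw[0] not in LETTERS:
        return False
    return all(c in ALNUM for c in pw)


def keyspace_bits(min_len: int, max_len: int, first: int, rest: int) -> float:
    """log2 of the number of passwords a policy admits: the ceiling on entropy
    even when the user picks uniformly at random."""
    total = sum(first * rest ** (n - 1) for n in range(min_len, max_len + 1))
    return math.log2(total)


def brute_force_hours(bits: float, guesses_per_second: float) -> float:
    """Worst-case hours to exhaust a keyspace at a given offline guess rate."""
    return 2.0 ** bits / guesses_per_second / 3600.0


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Side-by-side figures for the quoted policy and a hypothetical 12-16 character one."""
    vm = keyspace_bits(8, 10, len(LETTERS), len(ALNUM))
    modern = keyspace_bits(12, 16, PRINTABLE, PRINTABLE)
    return {
        "vm_bits": vm,
        "modern_bits": modern,
        "vm_hours": brute_force_hours(vm, guesses_per_second),
        "modern_hours": brute_force_hours(modern, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key:>13}: {value:,.1f}")
```

The quoted policy tops out just under 60 bits even for a perfectly random choice; real users choosing memorable 8-10 character alphanumerics land far below that, which is why an upper length limit of 10 with no symbols is the part worth objecting to, not the minimum of 8 alone.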

    2. FrogsAndChips Silver badge

      And then the first thing they do when you contact them, to confirm your identity, is to ask you for your password. For security reasons, y'know. At least that's what they did 4 years ago.

      1. Felonmarmer

        Also when they contact you.

      2. Huw D

        IIRC, a few years ago a number of ISPs were storing passwords in plaintext.

        1. Velv
          FAIL

          Yup, a number of years ago Virgin Media sent me a reminder of my password by snailmail.

      3. Dabooka

        Might be wrong

        But I'm fairly sure the password for the online account and talking to the CC droids is different.

        Both are weak, mind.

        1. Valerion

          Re: Might be wrong

          Correct, the one for talking to the phone drones is not your online password.

          1. FrogsAndChips Silver badge

            Re: Might be wrong

            I know some companies have a separate password for phone, but I was never asked to set one up with VM, and I remember the droids asking for my 'VM password', then me hitting a dead end when I refused to communicate it. Again, that was years ago and hopefully they've given up on that practice.

            1. Paul Shirley

              Re: Might be wrong

              The last few run ins I had with them I told them I couldn't remember the password, threw some random guesses out (all wrong) and waited till they said 'OK'. Which is frightening, albeit damn useful given VM had never once managed to have the same password or even secret question that I'd set before I gave up remembering it! Even worse, that worked on a mobile number they'd never seen before when I was trying to get my line reconnected!

      4. ravenstar68

        The password you are asked for over the phone is NOT your email password though.

        It is a separate security word.

  5. Andre Carneiro

    Soooo.... are they being fined?

    1. KittenHuffer Silver badge

      But if they're fined they'll pass that on to their customers as a price increase!

      So they lose our data, and then we have to pay more because they do!

      1. Amentheist
        Thumb Up

        Over the years I've actually used the price increases as the point where I switch or threaten to. On the phone, as soon as you tell them your contract is for such-and-such money and if those terms change the early contract termination clause does not apply, they start giving you discounts and try to keep you, so it's a question of keeping customers informed more than anything.

        1. Paul Shirley

          Beware, recently they've only offered insultingly small retention deals unless you wait till about 2-3 weeks before disconnection after actually giving notice.

      2. Anonymous Coward
        Anonymous Coward

        You could always walk away from them if their cost was passed on.

    2. Doctor Syntax Silver badge

      It seems inevitable. An appropriate fine would be about two years of their complete marketing budget. It seems to be marketing who were responsible - kill their expenses and put them on bread and water for a while.

  6. KittenHuffer Silver badge
    FAIL

    Hmmm

    I do remember my dear Mama telling me recently that someone from Virgin had been ringing her mobile asking for me. I happen to have provided her with a sim card using my Virgin account.

    At the time I just put it down to the usual level of competence displayed by Virgin. I now wonder if her mobile number appears against my name in the huge bucket of data they left open for the world and his dog to read.

  7. Anonymous Coward
    Anonymous Coward

    We take our responsibility to protect your personal information seriously.

    no, we really do. Unlike all those other companies that have been hacked, etc. Our case is UNIQUE. I repeat: We take our responsibility to protect your personal information SERIOUSLY.

    1. Doctor Syntax Silver badge

      Re: We take our responsibility to protect your personal information seriously.

      I'm not sure "hacked" is the right term for "tripping up over stuff somebody left lying around on the pavement".

      1. Anonymous Coward
        Anonymous Coward

        Re: We take our responsibility to protect your personal information seriously.

        "hacked" is good news within bad news, trust me. "Hacked" implies they didn't fuck up - somebody else fucked them up. An evildoer, you know, not our fault guv!

    2. Alistair Dabbs

      Re: We take our responsibility to protect your personal information seriously.

      "seriously", "top priority" etc...

      I bet you Virgin Media's office bins get emptied every day. This means, by definition, they take customer security less seriously than emptying a wastebasket.

    3. Claptrap314 Silver badge

      Re: We take our responsibility to protect your personal information seriously.

      https://www.youtube.com/watch?v=v5fdB79lMYU

  8. Anonymous Coward
    Anonymous Coward

    Well I'm a Virgin Media customer, and I haven't had any such notification from them. I can't say I'm reassured, as it is equally likely that Virgin has messed up its notification process as it is that my details weren't on that database.

    1. Rich 11 Silver badge

      I received one and I'd be happy to forward my notification to you, if you like. Just send me your name, home address, email address and account number; I'll be right on it.

  9. irrelevant

    Gdpr

    I got the email about the beach too. The email they sent to had only been given them on a "cable my street" enquiry in 2015. They also emailed me in 2018 to tell me "we hold some of your details, as required or permitted by law or regulation and will do so for a limited period of time. Don’t worry, they’re safe and sound."

    I guess five years is a "limited period" by some definitions, but I doubt this can be considered "safe and sound"...

    1. Anonymous Coward
      Joke

      Re: Gdpr

      > I got the email about the beach too

      That would be somewhere in the Virgin Islands, presumably?

      1. Huw D

        Re: Gdpr

        They've got 99 Breach related problems, but the beach ain't one.

  10. HardwareHarry

    The solution to all these companies leaking our PI

    Perhaps we're looking at the problem backwards. Rather than having personal information, perhaps we should ditch what currently defines ourselves (names, addresses, etc) with random class 4 UUIDs that could be replaced at will.

    Maybe Patrick McGoohan was wrong; maybe I am a number, albeit an ever-rotating one. "Honey, can you call 2fd35886-32df-4a0f-afe8-a5f2a1adb498 and 8afbecfc-d10c-45d8-8d59-effc1621c8cc and tell them that dinner's ready?"

    1. ClockworkOwl
      Go

      Re: The solution to all these companies leaking our PI

      Finally a good use for blockchain!

      Crypto ID FTW!!!

    2. Jellied Eel Silver badge

      Re: The solution to all these companies leaking our PI

      Maybe Patrick McGoohan was wrong; maybe I am a number, albeit an ever-rotating one. "Honey, can you call 2fd35886-32df-4a0f-afe8-a5f2a1adb498 and 8afbecfc-d10c-45d8-8d59-effc1621c8cc and tell them that dinner's ready?"

      IPv6 already does that, sort of.

      But if it's not leaking, it's phishing. I had my first ever call from 'BT' telling me my Internet connection is slowing down. Was mildly amusing stringing their 'technical expert' along..

      "Can you tell me your IP address?" "yup".. "And?".."It's your DHCP server, you tell me.."

      "Can you press the button on the left of your keyboard between Ctrl and Alt?".."ok".."Now type in msconfig".."ok".."you should see a window..".."nope".."Try pressing Win+R again".."ok, still nothing".."What version of Windows are you running?".."I'm not.."

      But I got bored and hung up before being convinced to download a really vital tune-up app. Curious part was they wanted me to install Chrome, which I guess doesn't say much for its security. But was interesting to experience a phishing trip and could see how they catch the unwary, especially if they've got their grubby mitts on some personal information to make the calls more convincing.

      1. john.w

        Re: The solution to all these companies leaking our PI

        Being retired I feel it is my moral duty to keep these people on the line for as long as possible and it can be fun.

  11. MiguelC Silver badge
    Devil

    "We are very sorry to have to inform you that..."

    Yes, they really are sorry that they have to inform us, if only they could have kept it all hidden like in the good old days...

  12. cg0

    I've had marketing disabled since 2017, had the email

    I opted out of marketing since 2017 so I thought I'd be safe but no, I still got the email from Virgin stating my data was part of the leak. Does this mean Virgin Media has been illegally storing my data, as I thought under GDPR they couldn't store my data for marketing purposes if I explicitly didn't give them consent?

    1. Dan 55 Silver badge

      Re: I've had marketing disabled since 2017, had the email

      You didn't give them consent to do anything with it, but they're still hoarding it like Gollum hoards his precious.

      1. FrogsAndChips Silver badge

        Re: I've had marketing disabled since 2017, had the email

        They may have a legitimate reason for keeping the address, if only to record opt-out choice, but there's no reason to keep that in an active marketing database.

        1. Dan 55 Silver badge

          Re: I've had marketing disabled since 2017, had the email

          I guess Virgin are about to find out the hard way (hopefully) that adding a gdpr_consent column to the table but keeping the same information anyway is not the right thing to do.
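The distinction FrogsAndChips and Dan 55 draw, as an added example that is not from the thread: a store that keeps everyone's details and flips a consent flag, beside one that keeps only consenting contacts and records opt-outs as keyed hashes, so the address itself no longer sits in the marketing table yet a later re-acquisition of the same address is still refused. The class names, the pepper and the sample addresses are constructed here.

```python
import hashlib
import hmac

# Constructed pepper for this example only. A real deployment keeps it in a
# secrets manager, separate from the database, so a leaked suppression table
# cannot be turned back into addresses with a dictionary of likely emails.
PEPPER = b"constructed-example-pepper"


def normalize_email(addr: str) -> str:
    """Trim and lower-case so 'Bob@Example.com ' and 'bob@example.com' agree."""
    return addr.strip().lower()


def suppression_token(addr: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash (HMAC-SHA256) of the normalised address. The marketing system can
    answer 'is this address opted out?' without the table holding the address."""
    return hmac.new(pepper, normalize_email(addr).encode("utf-8"), hashlib.sha256).hexdigest()


class ConsentColumnStore:
    """The pattern the comment criticises: every record stays, with a consent flag."""

    def __init__(self):
        self.rows = {}

    def add(self, email: str, name: str, consent: bool) -> bool:
        self.rows[normalize_email(email)] = {"name": name, "consent": consent}
        return True

    def opt_out(self, email: str) -> None:
        self.rows[normalize_email(email)]["consent"] = False

    def may_contact(self, email: str) -> bool:
        row = self.rows.get(normalize_email(email))
        return bool(row and row["consent"])

    def exposed_addresses(self) -> list:
        """What a leak of this table hands over: opted-out people included."""
        return sorted(self.rows)


class MinimisedStore:
    """Only consenting contacts are stored; opt-outs survive as tokens, not addresses."""

    def __init__(self):
        self.active = {}
        self.suppressed = set()

    def add(self, email: str, name: str, consent: bool) -> bool:
        # A re-acquired address (say, from a later web enquiry) must not quietly
        # re-enter the list; the token check enforces the earlier opt-out.
        if not consent or suppression_token(email) in self.suppressed:
            return False
        self.active[normalize_email(email)] = {"name": name}
        return True

    def opt_out(self, email: str) -> None:
        self.active.pop(normalize_email(email), None)
        self.suppressed.add(suppression_token(email))

    def may_contact(self, email: str) -> bool:
        return (normalize_email(email) in self.active
                and suppression_token(email) not in self.suppressed)

    def exposed_addresses(self) -> list:
        """What a leak of this table hands over: consenting contacts only."""
        return sorted(self.active)


def demo() -> dict:
    """Load the same constructed contacts into both stores, opt one out, compare exposure."""
    naive, minimised = ConsentColumnStore(), MinimisedStore()
    for store in (naive, minimised):
        store.add("alice@example.com", "Alice", True)
        store.add("bob@example.com", "Bob", True)
        store.opt_out("Bob@Example.com")
    return {
        "consent_column_leak": naive.exposed_addresses(),
        "minimised_leak": minimised.exposed_addresses(),
        "bob_readded": minimised.add("bob@example.com", "Bob", True),
    }


if __name__ == "__main__":
    print(demo())
```

The suppression set is the part that makes the minimised design workable: without it, deleting an opted-out address would let the same address come straight back in through the next enquiry form, which is the legitimate reason FrogsAndChips gives for keeping something; the keyed hash keeps that something out of the breach-relevant table.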

      2. Rich 11 Silver badge

        Re: I've had marketing disabled since 2017, had the email

        they're still hoarding it like Gollum hoards his precious

        Someone needs to warn them that it didn't end well for Gollum.

        1. HardwareHarry

          Re: I've had marketing disabled since 2017, had the email

          Dunno, something about the thought of Virgin Media plunging into fiery lava while desperately clutching their prized customer marketing database does feel like a movie I'd watch.

          1. John Brown (no body) Silver badge

            Re: I've had marketing disabled since 2017, had the email

            "like a movie I'd watch."

            Well, maybe a YouTube 2 minute clip anyway.

  13. Rob Crawford

    Walked away from virgin a few weeks ago

    One of the reasons for leaving was the constant requests from their 'technical support' creatures wanting my mobile number, despite them refusing to do anything unless I was phoning from the house anyway.

    Funny enough in the past when I gave them my mobile number I always got calls from them trying to sell me a mobile contract.

    I wonder if the current users of my old numbers are receiving calls from VM wanting to fix their infected machines (or similar.)

  14. Mattjimf

    Seeing as I keep getting crap delivered addressed to The Occupier, am I and the countless others in the same boat in trouble?

    1. Roj Blake Silver badge

      Only if your name really is Theo C. Cupier

      1. Androgynous Cupboard Silver badge

        You can't opt out of "The Occupier" post, only post that is addressed to you. But if a suitably motivated individual changed their name by deed poll to Theo C. Cupier...

    2. Huw D

      "I give any post addressed to 'The Occupier' to my Israeli housemate" - Shappi Khorsandi

  15. Anonymous Coward
    Anonymous Coward

    Great, now I've got to move house and change my DOB.

    1. Anonymous Coward
      Anonymous Coward

      I wonder how my mother will feel about changing her maiden name.

      1. Stuart Halliday
        Trollface

        As if we would

        As if anyone gives these services your true DOB, Mother's name....

        You don't right?

  16. John Robson Silver badge

    "nuisance marketing communications"

    You mean like the one on my desk right now - that is actually from VM, and will join the hundreds of others that I've put in the bin.

    When they move to DOCSIS 3.1 I might have another look at them, until then the extent of the asymmetry in their connections is untenable. Of course I'll need a DOCSIS 3.1 plain modem as well...

    1. Dabooka
      Go

      Re: "nuisance marketing communications"

      Hmm, you seem to know about this.

      For a long time I wanted to replace their rubbish SuperHub (sic) and they've always refrained from giving a direct answer as to whether I can or not. Can I buy a DOCSIS modem and replace the hub, or is my connection intrinsically linked to the actual modem too?

      As you may tell, I know SFA about cable connections.

      1. Anonymous Coward
        Anonymous Coward

        Re: "nuisance marketing communications"

        You can put the not-so-SuperHub into modem mode and use your own router behind it.

        A lot of people do that apparently.

        1. John Robson Silver badge

          Re: "nuisance marketing communications"

          It’s modem mode isn’t...

          You should be able to sub in any modem, there is a chance you’ll need to spoof a MAC address.

          I have (or I might have recently thrown out) an old NTL/Telewest cable modem that was genuinely a cable modem, there is nothing special about their crappy hub.

          1. Dabooka
            Thumb Up

            Re: "nuisance marketing communications"

            Thanks for the replies.

            It's currently in modem mode but it causes problems with my router in another room, with devices often struggling to find each other. Its options are very limited, and I much prefer a decent all-in-one.

            Funnily enough the router it attaches to is my old fibre modem (as in fibre broadband, not FTTP), which is no good where I now live. Hence VM connection.

  17. 0laf Silver badge
    FAIL

    Fuds

    Virgin Media are still sending invoices to my other half 2yr after she cancelled. They won't talk to her about this unless she logs in through the customer portal, which she can't do because she's not a customer and she cancelled the contract.

    I've told her to take it to the ICO since they are holding incorrect personal data which is unlawful. But she's too nice and can't really be bothered to deal with them since they were idiots when she was a customer, and have continued to be idiots.

    Enjoy your fine Virgin.

    1. davenewman

      Re: Fuds

      Sometimes the solution is to write a letter. They cannot prevent you posting to them.

  18. Dave R

    Normal Working Procedure

    Call me a Cynic but isn't this the same with a lot of the big companies: "We have never been hacked so I don't need the big Security Budget". I bet their Security Budget has just been given a big boost. I received my letter yesterday.

  19. anonymous boring coward Silver badge

    Bit of a slag now then, like Talk Talk.

  20. PermissionToSpeakPlease
    FAIL

    How to be vigilant...

    Got their email, and was struck by the advice on "How to be vigilant by not providing your personal information to anyone suspicious".

    Bit late for that now, right?

    1. Dan 55 Silver badge

      Re: How to be vigilant...

      Do beardy old men count as suspicious?

  21. Dabooka
    Mushroom

    I love these responses for data breaches

    'We've fucked up! Here's what you need to do to protect yourself!'

    Clowns.

  22. adam payne

    The now-secured marketing database – containing names, home and email addresses, and phone numbers, and some dates of birth, plus other info – had been left open since mid-April 2019

    The marketing department strikes again.

  23. michaelvirks

    Let's not forget that these are the same people who openly admit to storing customers' passwords in PLAIN TEXT in 2020...

  24. Tom 7

    Nominative Determinism.

    I have a feeling el reg has a list of company names and appropriate headlines and old hacks who go out and fulfil them when news is slow.

  25. LG76

    I got the email too, super irritating seeing as I'm not, nor have I ever been, a customer so didn't consent for them to hold my info.

  26. Stuart Halliday
    Facepalm

    Plonkers

    Can we ask that Virgin takes its own advice and uses strong passwords....

  27. JCitizen
    Devil

    HA! Great headline!!

    I could just hear the song in my head as I read it!
