Like a Virgin, hacked for the very first time... UK broadband ISP spills 900,000 punters' records into wrong hands from insecure database Virgin Media, one of the UK's biggest ISPs, on Thursday admitted it accidentally spilled 900,000 of its subscribers' personal information onto the internet via a poorly secured database. The cableco said it "incorrectly configured" a storage system so that at least one miscreant was able to access it and potentially siphon off …
Really, you mean Virgin customers have a chance that they won't be targeted? Is there anyone, anywhere, who has any data connection to the outside world who hasn't been targeted? If so, please share your secret.
"The secret is not sharing secrets."
Virgin are probably only worried about this because they didn't get any money in return for this disclosure.
Years ago I helped made an account system whereby a user could run an account with a PIN and no personal data. No future in it though, because there's no information to be processed for gain.
AND VM's email service seems designed to help phishing and scammers get their shit through to users. Almost as if they were working for the scammers.
*Their own server side filters are unable to block variants of obvious spam words like b1tc0in/bit_coin/Bitc*in etc.
*The filter rule settings for their web based emails allow only blocking of specific addresses (scammer@scammer.com) but not parts or variations of addresses (so scammer2@scammer.com will get through).
*Don't actually have a "mark as spam" rule.
*Aren't easy to find, let alone understand and use.
*Make marking individual emails as Spam as difficult as possible. When you remove an email it automatically selects the next email in the list, but when you tick a different one doesn't untick that, so either a legit email gets moved to Spam with the actual Spam one or you have to go back through the list to find and untick it yourself if you didn't remember at the time. Also it will often refuse to let you mark a selection of several at the same time, declaring for some reason that these are "newsletters" despite them coming from weird or randomised addresses (wer234rj3n303@spammer.com) and that you have to report them as Spam 1 at a time. Like we can't make our own minds up without careful consideration. .Which is strange since it will cheerfully let you mark 2 at a time by accident (as above).
It will stop you forwarding phishing emails to the authorities, because they contain Spam ( even though you haven't marked them as such yet ) so can obviously detect Spam that users are sending individually even if apparently unable to spot it when spambots send it out by the squillion.
I get marketing emails from Virgin Media business on my work email address. I have never been in touch with them for anything. I submitted a GDPR data request (what info do you have, where did you get it from and why do you think you have permission to contact me?) and haven't had a response after 30 days. An email to the ICO is the next step.
Well Virgin Medea have a vast database customers and non customer which they use to harass the general public. I had to join mps and still they mailed me right up to point they would have be fined. I think 900,000 customers might be unreasonably low figure, Brace for impact.
Breaks my password approach on many levels. On the odd occasion I do have to log into my virgin media account i always have to reset the password and it always ends up being something I can't remember.
It's 2020 and 8 characters letters and numbers only is neither reasonable or responsible.
I know some companies have a separate password for phone, but I were never asked to set one up with VM, and I remember the droids asking for my 'VM password', then me hitting a dead end when I refused to communicate it. Again, that was years ago and hopefully they've given up on that practice.
The last few run ins I had with them I told them I couldn't remember the password, threw some random guesses out (all wrong) and waited till they said 'OK'. Which is frightening, albeit damn useful given VM had never once managed to have the same password or even secret question that I'd set before I gave up remembering it! Even worse, that worked on a mobile number they'd never seen before when I was trying to get my line reconnected!
Over the years I've actually used the price increases as the point where I switch or threaten to, on the phone as soon as you tell them your contract is for such and such money and If those terms change the early contract termination clause does not apply they start giving you discounts and try to keep you, so it's a question of keeping customers informed more than anything.
I do remember my dear Mama telling me recently that someone from Virgin had been ringing her mobile asking for me. I happen to have provided her with a sim card using my Virgin account.
At the time I just put it down to the usual level of competence displayed by Virgin. I now wonder if her mobile number appears against my name in the huge bucket of data they left open for the world and his dog to read.
I got the email about the beach too. The email they sent to had only been given them on a "cable my street" enquiry in 2015. They also emailed me in 2018 to tell me "we hold some of your details, as required or permitted by law or regulation and will do so for a limited period of time. Don’t worry, they’re safe and sound."
I guess five years is a "limited period" by some definitions, but I doubt this can be considered "safe and sound"...
Perhaps we're looking at the problem backwards. Rather than having personal information, perhaps we should ditch what current defines ourselves (names, addresses, etc) with random class 4 UUIDs that could be replaced at will.
Maybe Patrick McGoohan was wrong; maybe I am a number, albeit it a ever rotating one. "Honey, can you call 2fd35886-32df-4a0f-afe8-a5f2a1adb498 and 8afbecfc-d10c-45d8-8d59-effc1621c8cc and tell them that dinner's ready?"
Maybe Patrick McGoohan was wrong; maybe I am a number, albeit it a ever rotating one. "Honey, can you call 2fd35886-32df-4a0f-afe8-a5f2a1adb498 and 8afbecfc-d10c-45d8-8d59-effc1621c8cc and tell them that dinner's ready?"
IPv6 already does that, sort of.
But if it's not leaking, it's phishing. I had my first ever call from 'BT' telling me my Internet connection is slowing down. Was mildly amusing stringing their 'technical expert' along..
"Can you tell me your IP address?" "yup".. "And?".."It's your DHCP server, you tell me.."
"Can you press the button on the left of your keyboard between Ctrl and Alt?".."ok".."Now type in msconfig".."ok".."you should see a window..".."nope".."Try pressing Win+R again".."ok, still nothing".."What version of Windows are you running?".."I'm not.."
But I got bored and hung up before being convinced to download a really vital tune-up app. Curious part was they wanted me to install Chrome, which I guess doesn't say much for it's security. But was interesting to experience a phishing trip and could see how they catch the unwary, especially if they've got their grubby mits on some personal information to make the calls more convincing.
I opted out of marketing since 2017 so I thought I'd be safe but no, I still got the email from Virgin stating my data was part of the leak. Does this mean Virgin Media has been illegally storing my data as I thought under GDPR they couldn't store my data for marketing purposes if I explicitly didn't give them concent.
One of the reasons for leaving was the constant requests from their 'technical support' creatures wanting my mobile number, despite them refusing to do anything unless I was phoning from the house anyway.
Funny enough in the past when I gave them my mobile number I always got calls from them trying to sell me a mobile contract.
I wonder if the cnurrent users of my old numbers are receiving calls from Vm wanting to fix their infected machines (or similar.)
You mean like the one on my desk right now - that is actually from VM, and will join the hundreds of others that I've put in the bin.
When they move to DOCSIS 3.1 I might have another look at them, until then the extent of the asymmetry in their connections is untenable. Of course I'll need a DOCSIS 3.1. plain modem as well..
Hmm, you seem to know about this.
For a long time I wanted to replace their rubbish SuperHub (sic) and they've always refrained from giving a direct answer to I can or not. Can I buy a DOCSIS modem and replace the hub, or is my connection intrinsically linked to the actual modem too?
As you may tell, I know SFA about cable connections.
It’s modem mode isn’t...
You should be able to sub in any modem, there is a chance you’ll need to spoof a MAC address.
I have (or I might have recently thrown out) an old NTL/Telewest cable modem that was genuinely a cable modem, there is nothing special about their crappy hub.
Thanks for the replies.
It's currently in modem mode but it causes problems with my router in another room, with devices often struggling to find each other. Its options are very limited, and much prefer a decent all-in-one.
Funnily enough the router it attaches to is my old fibre modem (as in fibre broadband, not FTTP), which is no good where I now live. Hence VM connection.
Virgin Media are still sending invoices to my other half 2yr after she cancelled. They won't talk to her about this unless she logs in through the cutomer portal, which she can't do because she's not a customer and she cancelled the contract.
I've told her to take it to the ICO since they are holding incorrect personal data which is unlawful. But she's too nice and can't really be bothered to deal with them since they were idiots when she was a customer, and have continued to be idiots.
Enjoy your fine Virgin.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
