back to article FYI: When Virgin Media said it leaked 'limited contact info', it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more

A Virgin Media server left facing the public internet contained more than just 900,000 people's "limited contact information" as the Brit cable giant's CEO put it yesterday. In fact, the marketing database also contained some subscribers' requests to block or unblock access to X-rated and gambling websites, unique ID numbers …

  1. lordminty

    Internet facing database?

    What sort of amateur Muppets are VM employing to build and secure their infrastrucure?

    This stuff is just so basic they deserve the full wrath of GDPR. Bring. It On.

    1. tfewster
      Facepalm

      Re: Internet facing database?

      Vermin Media by name and by nature.

    2. robidy

      Re: Internet facing database?

      Has Dido Harding and Co turned up at Virgin Media...having a ground hog moment...

      1. Anonymous Coward
        Anonymous Coward

        Re: Internet facing database?

        I wish she had, unfortunately for us she is a big wig at the NHS now I think. Just the person we need in post right now.

    3. robidy
      FAIL

      Re: Internet facing database?

      Just one by the down voting on this thread.

      I went past a place I stayed at 5 years ago the other week, the VM street cab door was still broken.

      We'd reported it numerous times over 10 years ago, says it all really, that annual inflation increase isn't for fixing the basics.

      1. Ben Tasker

        Re: Internet facing database?

        A place I rented a while back had a convenant on it saying you couldn't have a rooftop aerial.

        The reason was there was a community aerial, with the cable run and maintained by Virgin Media.

        It had broken 5 years before, and Virgin never fixed it despite many complaints/reports over the years.

        You might be unsurprised to hear that this led to them getting the princely total of 0 customers when they tried to push their cable/internet services on that particular road.

        Virgin Media are, and always have been, completely and utterly crap. They entice you in with sweet offerings, attempt to lock you in, and then leave your services to rot for as long as they think they can get away with.

        That they'd have done the same with a database is no real surprise

        1. EnviableOne

          Re: Internet facing database?

          TBF Sky are no better they're both now wned by large american cable providers that seek profit at all cost.

          But VM was hamstrung from the start, formed by the rapid merger of NTL and Telewest followed in quick succession by virgin mobile, the company took on the worst parts of all three and really hasnt recovered.

      2. Jellied Eel Silver badge

        Re: Internet facing database?

        I went past a place I stayed at 5 years ago the other week, the VM street cab door was still broken.

        I got one near me finally fixed. I'd reported it a couple of times before, then figured I'd make a few calls from the cab using my trusty 284/2 portable phone. A couple of days later, it was fixed.

        1. Anonymous Coward
          Anonymous Coward

          Re: Internet facing database?

          I had to google that...like your style sir!

          I got one fixed by telling them kids were storing what looked like fireworks in it...funny how quick they responded...are the content flamable.

          1. Alan Brown Silver badge

            Re: Internet facing database?

            "I got one fixed by telling them kids were storing what looked like fireworks in it..."

            Funnily enough, this works well for busted BT cabs too.

          2. Jellied Eel Silver badge

            Re: Internet facing database?

            I got one fixed by telling them kids were storing what looked like fireworks in it...funny how quick they responded...are the content flamable.

            Everything burns with an appropriate amount of thermite. Rest depends on the cab. Some will just contain a patch panel, others will have some active components which may include battery packs that may have some value if re-purposed.

            Often I think the biggest hazard is to pedestrians. The one I got fixed was on the footpath, so when the green door swung open, it pretty much blocked the path. Not helped by idiots also parking on the footpath, or reduced street lighting making it quite a hazard in the dark.

            Curious if fraud is much of a risk. I did wonder what'd happen if I tried patching a coax port to my place, but AFAIK the STB's still need to be registered. Butt-dialing would be a risk, as would being able to monitor calls, but that comes with the risk of detection and fairly hefty penalties. I should also mention that the calls I made were only to VM's fault line so they'd get the hint & fix it.

        2. Anonymous Coward
          Anonymous Coward

          Re: Internet facing database?

          I had a mate in my late teens that used to do stuff like this...he also repaired a lot of damaged doors for the shits and giggles...always thought he'd up as an engineer or something...

          ...he works in recruitment.

          Sort of makes sense because thinking back he was far better at being a twat than a techie.

      3. JimboSmith Silver badge

        Re: Internet facing database?

        I got thoroughly annoyed when they got into bed with TiVo. My TiVo then stopped functioning with EPG data and became far less useful. This was apparently due to VM having an exclusive deal. Sadly before I could get the alternative EPG up and running the box became irreparably damaged.

        1. Kane
          Happy

          Re: Internet facing database?

          "Sadly before I could get the alternative EPG up and running the box became irreparably damaged."

          Was a large, blunt and heavy object attached to an equally large and heavy piece of wood involved?

        2. Anonymous Coward
          Anonymous Coward

          Re: Internet facing database?

          They probably changed standard. One of the EPG standards died out not that long ago...can't remember what it's called. HbbTV is the main standard now I think.

          Basically, it's the way they embed static payloads into the broadcast stream.

          I've always fancied having a poke around with the standard to see if it's possible to inject arbitrary payloads...from my understanding, most TVs / set top boxes are basically web browsers now. They're capable of running and displaying HTML5 and executing Javascript payloads and I'm fairly certain they don't verify the payloads. As long as you can intercept the DNS requests, you should in theory be able to redirect the requests sent by the devices to an arbitrary web server to grab your "custom" payload.

          I'm astonished TVs / set top boxes don't get hacked to fuck.

          As far as I know, there is no industry standard testing for security on TVs etc. They just test the compliance with various content delivery standards.

      4. paulf
        Alert

        Re: Internet facing database?

        Around this area the green cabinets (that I assume are VM) have a "report a fault with this cabinet on 0870..." stickers on them. Since 1. 0870 is near enough £1/minute from a mobile (and not particularly cheap from a landline), 2. There's no indication the number is definitely VM, 3. There's no unique identification code on the box to make reporting the fault easy; I've never bothered reporting the various VM cabinets with doors that have been forced open. If the local scallywags causing a bunch of costly damage to the kit in the cabinet isn't motivation enough to deliver an easy fault reporting system then they're hardly likely to hurry out and fix the doors because some random Joe calls their profit centre 0870 number.

        I did try to report a BT green cabinet once since that was at least a free call. I think the call centre droid's script would only cope with faults on a residential line and would only take the report on that basis. After the third attempt to make them understand it was one of their network cabinets I admitted defeat and just hung up.

    4. This post has been deleted by its author

    5. TheSkunkyMonk

      Re: Internet facing database?

      Less than a decade ago your modems speed used to be controlled by a file, on the modem.

    6. Anonymous Coward
      Anonymous Coward

      Re: Internet facing database?

      A tenner says the people who designed and managed that database are in India sitting in the next room to the utterly useless call centre staff.

      1. adam payne

        Re: Internet facing database?

        Or maybe they are next door to a scammers call centre.

        1. John Robson Silver badge

          Re: Internet facing database?

          That's what he said ...

      2. Loyal Commenter Silver badge

        Re: Internet facing database?

        RE: their call centre staff..

        A few weeks ago, when we had all those winter storms coming over, we had an impromptu hail shower one evening, with one very loud and very nearby lightning strike. This somehow managed to induce enough current in the Virgin cable to cause the "V6" TV box to rapidly stop working with a loud bang and bright blue flash. Oddly it didn't blow up the cable modem which is on the same bit of co-ax but on the other branch of the filter, which probably says either something about either the filter or the cable modem being more robust than the TV box, but I digress.

        When I called the Indian call-centre the next day and explained that it had been struck by lightning, the conversation went something like this:

        Me: "Hello, we had a thunderstorm last night and the TV box was struck by lightning and stopped working"

        Indian call centre worker: "What error code is it showing on the TV"

        Me: "There is no error. It was struck by lightning. It's dead"

        ICCW: "Are there any lights showing on the box"

        Me: "No. It's dead. There was a bright flash and a bang. It was struck by lightning"

        ICCW: "Is it plugged in

        etc.

        To their credit, they did send a new box out pretty quickly, but it goes to show that not even a so-called Act of God will get a call-centre operative to deviate from their script.

        1. John Robson Silver badge

          Re: Internet facing database?

          It’s not, it’s pining for the fjords.

    7. P. Lee

      Re: Internet facing database?

      >What sort of amateur Muppets are VM employing to build and secure their infrastrucure?

      Cloud muppets.

  2. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    Limited™ contact information

    "...did contain limited contact information such as names, home and email addresses and phone numbers."

    What would they consider "not limited"? Fax number, the name of your carrier pigeon, semaphore flag colour?

    1. Persona Silver badge

      Re: Limited™ contact information

      "Fax number, the name of your carrier pigeon, semaphore flag colour" ……. low hanging fruit. You can trivially guess those 3 for >99% of the population.

    2. choleric

      Re: Limited™ contact information

      The manufacturer of your doorbell, unless it's Ring.

      Your WiFi router password, unless it's a Virgin Media suppli... doh.

      Some of your online account handles, until those accounts are hacked.

      Your mother's maiden name, how quaint.

      Your MI5 UID, mind you that's the same thing as a Facebook login these days so that's gone too.

    3. Anonymous Coward
      Anonymous Coward

      Re: Limited™ contact information

      > What would they consider "not limited"?

      We have friends who have all their eggs in the VM basket. We were staggered to find that they shell out close to £300 a month to VM. For a tenth of that, one would expect 10 times better response from a supplier.

      1. Danny 14

        Re: Limited™ contact information

        Fucking hell. ,£300 a MONTH? What do they get?

        1. robidy

          Re: Limited™ contact information

          Wow the max package I could make without discount was £140....

  4. DanceMan
    Joke

    No longer a Virgin mediz?

    Now that it's been penetrated.

  5. tip pc Silver badge

    No excuse for not encrypting that data at rest or in transit even behind closed doors.

    Got customer data of any kind? Encrypt it at rest and ensure access via some key management system. Even plant it in the loud if you want but ensure your basic data storages d access policy is high enough to ensure my data you’ve collated without my knowledge is safe and secure.

    1. Angry IT Monkey

      Re: No excuse for not encrypting that data at rest or in transit even behind closed doors.

      In my experience most companies think they don't need to encrypt data because "To reach it they'd need to break into our network and then we'd be fscked anyway".

      It takes time and money to make changes to insecure applications, which cuts into profits, share prices and ultimately exec bonuses.

      1. Alan Brown Silver badge

        Re: No excuse for not encrypting that data at rest or in transit even behind closed doors.

        "It takes time and money to make changes to insecure applications, which cuts into profits, share prices and ultimately exec bonuses."

        So do GDPR fines.

        I just hope there's an audit trail for the "I told you so" moment when manglement attempt to shit on staff who tried to do the right thing (and that those staff kept copies of the warnings they issued)

      2. Loyal Commenter Silver badge

        Re: No excuse for not encrypting that data at rest or in transit even behind closed doors.

        To reach it they'd need to break into our network and then we'd be fscked anyway

        You might be surprised by the number of attacks that come from within a corporate network, especially if the organisation is large and doesn't treat its techies well. Any organisation that takes security seriously practises proper data hygiene both externally and internally (oo-er).

  6. ForthIsNotDead
    Unhappy

    Which is why...

    I've been running DNS over HTTPS for about six months...

    1. Anonymous Coward
      Anonymous Coward

      Re: Which is why...

      I avoided this by taking a carrot rectally at every mealtime. Or possibly not being a VM customer.

      Or have I misunderstood this game and we aren't just throwing random bits of unrelated content into comments.

      P.s. DNS over HTTPS won't stop VM's porn blocks, your requests to VM to remove blocked sites or your browser telling VM about your browsing history unless you have Javascript disabled/blocked.

      1. Paul Shirley

        Re: Which is why...

        It's fun calling it the porn filter but the fscking things block much more and aren't much good at stopping porn. First time I had one disabled it was keeping me from vital engagement with various beer sites. Most recently I discovered the 3UK filter has a love/hate relationship with the Internet Archive, as in sometimes it blocked it, other times it didn't, demonstrating how bloody useless the filters are!

        1. Alan Brown Silver badge

          Re: Which is why...

          "First time I had one disabled it was keeping me from vital engagement with various beer sites. "

          I ran into it blocking the Sarracens rugby club website. Some might think that's vaguely pronographic but if you're trying to park around Watford you need to access that website to know the availability of public carparks on match days.

          1. Anonymous Coward
            Anonymous Coward

            Re: Which is why...

            For some reason VM decided to block our Exchange server's HTTPS address. We only realised when a couple of different customers reported being unable to connect to their email when at home on wifi, yet had no problem when at work or using mobile data. Finally tracked down to them being VM customers, and after several weeks got VM to fix their glitch.

    2. Anonymous Coward
      Anonymous Coward

      Re: Which is why...

      And that solves what? You still need to connect to the IP address you've cunningly resolved in secret and when you do it's in plain sight because -newsflash - IP headers are not encrypted (unless tunnelled).

      1. Brewster's Angle Grinder Silver badge

        Re: Which is why...

        How many "small" web sites have dedicated IP addresses? They're going to be shared hosting.

        1. Anonymous Coward
          Anonymous Coward

          Re: Which is why...

          I doubt many scammers or government agencies give a damn if you visit MrsMigginsTeaRoom.com. They want to know which bank/porn site/online retailer you visited and they are generally dedicated sites. Whats more the internet is bigger than the web in case you didn't realise.

  7. chivo243 Silver badge
    Holmes

    Usual blowing, hot air following

    Yes, the PR team blowing on this one hoping it will spin off well... Not happening. Keep blowing...

  8. macjules
    Paris Hilton

    Only 1,100 Users

    So let's see: security of processing (Article 32 GDPR), (data processing principles (Article 5 GDPR) and can probably throw in lawfulness of processing (Article 6 GDPR). Those 3 put together place Virgin Media in the higher fine bracket, i.e. £20m or 4% of global annual turnover.

    Paris: since we lack a schadenfreude icon ...

    1. The Mole

      Re: Only 1,100 Users

      A request to unblock a particular porn site also had the potential to expose sexual orientation in at least some cases. That puts it into the category of sensitive personal data which may well push the fines higher still.

      1. The Nazz

        Re: Only 1,100 Users

        Look, when i requested "Breeder" websites, i really did, honest guv, want to find suppliers of puppies with good kennel club lineage.

        And jesus, did i get inundated with "puppies" and how come, none of those folks' eyes ever water? Mine would be pouring.

    2. EnviableOne

      Re: Only 1,100 Users

      and its based on Liberty Global's annual turnover from 2019

      $11,541,500,000

      so up to $461,660,000

      thats if the ICO get off their ass and do something

  9. Fred Dibnah

    "Companies like to downplay the impacts whilst upselling their supposed care and due diligence in an attempt to place shareholder value over their customer's rights.”

    Well said. Capitalism at its ‘best’.

  10. Anonymous Coward
    Anonymous Coward

    We may be VM

    But you're F__ked

  11. Chris Hills

    Join the class litigation

    If you got an email from Virgin Media, Irgvings Law are setting up a class action. https://www.irvingslaw.com/gdpr-data-breach/

    1. Muscleguy

      Re: Join the class litigation

      Thanks for that link. MOST interesting.

    2. John Brown (no body) Silver badge

      Re: Join the class litigation

      ...and in 5-10 years, the aggrieved participants will get 50p knocked off their next months bill once legal fees are taken from the eventual out of court settlement.

      1. Alan Brown Silver badge

        Re: Join the class litigation

        The amount consumers get back isn't really the point in a GDPR case - the idea is to cause MAXIMUM POSSIBLE PAIN to the offending company, "pour encourager pour les autres"

        We know that whatever ICO fine is announced will be negotiated down to "fuck all" behind closed doors but it's far harder for them to hide it in court discovery, avoid the litigation costs OR the commercial hurt that comes from exposure of the decisionmaking processes that led to this shit happening

        Ideally you want to make the management so toxic that nobody will ever hire them again.

        1. Mike 137 Silver badge

          Re: Join the class litigation

          Unfortunately punitive damages are not permitted in such cases - they very rarely are in general, at least under English law, and class action (where permitted, but not in the UK) generally leads to compensation of fourpence per claimant. In reality, even the GDPR maximum fines are little more than an assumed cost of doing business to the large internet service providers.

          A while back under the previous information commissioner I suggested that instead of fines there should be an official audit, officially specified remediation and re-audit to demonstrate fulfilment, all at the expense of the breached party. This was on the basis that it would do more good by actually fixing the problem. I also recommended the same approach in the US. The response from the UK was that it would be too expensive to implement, and from the US - silence.

          Just as we now take for granted that software is crap that needs constant fixing, infosec in general is widely assumed to subsist in installation of a few appliances and reactive response in the aftermath of attack. As at Equifax, it's typically not even seen as necessary to maintain the appliances.

          1. Loyal Commenter Silver badge

            Re: Join the class litigation

            Unfortunately punitive damages are not permitted in such cases - they very rarely are in general, at least under English law, and class action (where permitted, but not in the UK) generally leads to compensation of fourpence per claimant. In reality, even the GDPR maximum fines are little more than an assumed cost of doing business to the large internet service providers.

            The GDPR maximum fines are 2% or 4% of global annual turnover (I can't remember the exact criteria for whether it's 2% or 4%). The relevant word there is turnover, not profit. Now, I suspect VM's margins are more than 4%, but such a maximum fine really could be fairly described as punitive, and would certainly be hefty enough to wipe out any shareholder dividends and damage the share price. The trouble is, they'd probably just pass the cost onto the customers, unless the legislation explicitly prevents them from doing so.

            1. FrogsAndChips Silver badge

              Re: Join the class litigation

              There's probably nothing that would prevent them from passing the costs to the clients, but the price increase would have to be so large that you can expect all clients who aren't locked in a monopoly to jump ship immediately.

            2. EnviableOne

              Re: Join the class litigation

              4% of Global turnover of the undertaking, which has case law to say that would be the entire Liberty Global Group

  12. TheSkunkyMonk

    Wonder how many people bought that data?

    From Virgin?

  13. Anonymous Coward
    Anonymous Coward

    "We strongly refute any claim that we have acted in a disingenuous way.

    as a saying goes in another language, if you caught red-handed, loudly proclaim it is not your hand at all! How to do that? I dunno, ask Trump...

  14. Wolfclaw
    FAIL

    Time ICO Sharpens Teeth

    £20m or 4% looking like an interesting ICO prospect !

  15. talk_is_cheap

    vm....

    having spend some time trying to purchase a service from VM it is clear they could not run a bath let alone a piss up in a brewery. They make talktalk look like a well run business.

  16. VseGood

    There is no privacy on the Internet.

    1. My-Handle

      Then we have one of two choices.

      1: Drop trou, bend over and resign ourselves to what follows

      2: Decide that there should be privacy on the internet and determine what actions need to be taken to reasonably achieve this.

      A 4% turnover fine seems like a fine example of the latter to me.

  17. dodiman

    160 fibre down?

    It all makes sense now. No need to cut 11 tubes on the 160 fibre cable to nuke he server. In an emergency, just pull the mains!

  18. Simon Harris

    "records of whichever site they were visiting before arriving at the Virgin Media website"

    The only times I ever visit the Virgin Media site are from a non-Virgin device to find out why my Virgin cable has gone down again.

  19. maffski

    Virgin Media's CEO Lutz Schüler said last night...

    "Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used."

    Given that they know the security researchers accessed it what Virgin Media's CEO Lutz Schüler actually said last night was 'We have no logs for this server or for the network routing to it so have no way of knowing if, or how often, this information was accessed.'

  20. adam payne

    "Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion

    Is makes me think you really don't know how many times people have accessed it. I quick point though, it only takes one occasion to spill the info.

    Turgensec also quibbled with the ISP's attempt to blame the security blunder on IT workers “incorrectly configuring” an internet-facing database. Rather, the database – which was filled with unencrypted plain-text records – was a sign of "systematic assurance process failure," Turgensec said.

    Incorrectly configured public facing site = very stupid

    Plain text records = FFS

    Unencrypted = #Captainpicarddoublefacepalm

  21. MOH

    "Virgin Media added it is developing a tool to allow customers to search exactly what of their account information was exposed."

    I can't help feeling part 2 of this story is yet to come

  22. Alperian

    Does this include Virgin Media Business? Might sound a daft question, but they appear to keep everything separate.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like