Virgin Media, a UK telephone, cable TV and internet services provider released a statement two weeks ago admitting that they had exposed certain personal data of up to 900,000 people.
The short story is that they admitted it, they apologized, they informed both the affected people and the relevant authorities, and they set up a help and advice page for customers.
Great stuff, except…
While these days it isn’t surprising to read ’Big company leaks massive amounts of personal data’ stories, I wanted to pick apart the way that they’ve announced this leak because a lot of it doesn’t sit right with me.
There are ways you should announce a breach, and ways you shouldn’t. Transparency is key to reduce the damage to the trust relationship between you and your business partners, users and customers.
- They said… the data included “contact details (such as name, home and email addresses and phone numbers), technical and product information, including any requests you may have made to us using forms on our website […] Please note that this is all of the types of information in the database.”
That last statement is pretty vague. And what kind of technical and product information? What kind of requests?
It turns out some of those requests were to unblock various ‘adult-themed’ sites (I won’t say more than that). Now together with full names and addresses this obviously raises the possibility of blackmail.
- They said… “This was not a cyber-attack”. “Our database was not hacked”. It was a “data incident”.
Now technically speaking this is true, and they used the tired old phrase that it happened “as a result of the database being incorrectly configured.
We all know that these days this means that someone left an unencrypted database freely accessible over the internet, with no authentication needed.
If you leave your front door open for 10 months and then tell the world with pride that no one burgled you, perhaps you are missing the point – especially when you are safekeeping other people’s stuff!
Whatever Virgin Media’s Security Policy, it can only be good if it is correctly implemented and audited.
- They said… “We take our responsibility to protect personal information seriously.”
I have trouble feeling the sincerity that I’m sure is meant by this statement.
How can a company legitimately make this claim after they have been caught with the proverbial pants down doing the exact opposite of taking information security security. They left personal data unprotected and free available for 10 months!
- They said… “We recently became aware that some personal information […] has been accessed without permission.”
As someone who works in the cybersecurity field, this really got my goat. Yes they “became aware” because a third-party security company discovered it and did the right thing by telling them.
Brit infosec outfit TurgenSec privately reported the find to Virgin Media, but haven’t received any acknowledgement from the TV telco. It was they who among other things noted the more expansive type of information that was being stored in the unprotected database, the information that Virgin Media failed to publicly disclose.
My impression from the TurgenSec post is that they’re pretty ticked off. It states “We cannot speak for the intentions of their communications team but stating to their customers that there was only a breach of “limited contact information” is from our perspective understating the matter potentially to the point of being disingenuous. ”
Some companies handle data leaks better than others. Just look at this list of examples.
The point is that when you process personal data and that data is leaked or stolen, it’s not just the press that will be hounding you to understand what exactly happened, the regulators can also come down on you like a ton of bricks.
Being up-front, honest and contrite during a potential data breach is smart. We all make mistakes, but we have little time or energy for those found to be selling half truths to cover their butts..
It goes without saying that companies should be doing everything they can to prevent leaks like this, but crucially they should also be planning how best to communicate if something does happen.
The experts at TBG Security can help your business do whatever it can to prevent cyber incidents, from effective policy to penetration testing. They can also help you plan for what to do in the unfortunate event that a breach does occur.
TBG Security is here to help.