The names, addresses, contact details and emails of 900,000 people have potentially been breached from a Virgin Media marketing database. The database also contains more than 1,000 records connecting customers to pornographic, extreme violence and gambling websites. Some customers could now be vulnerable to possible extortion attempts. The company database has been vulnerable for ten months, with Virgin Media stating that the database has been accessed by a third party at least once. Fortunately, the database did not contain any passwords or financial information of its customers. Virgin Media has claimed that protecting its ‘customers’ data is a top priority’ but the company that discovered the breach (TurgenSec) has stated that they found ‘no indication that this was the case.’ Virgin Media intends to contact its customers who are at risk of extortion to offer advice. Virgin Media’s failure to secure its database could land the company with a fine.
This is not the first time that the telecommunication and technology industry has been the target of a cyber attack causing a data breach. Three, TalkTalk and Sage Group have all been attacked over the last few years. TalkTalk’s 2015 data breach landed the company with a £400,000 fine for its security failings. At that time the United Kingdom’s (UK) Data Protection Act 1998 set the maximum fine at £500,000, but that fine is now a fraction of what companies can be fined.
The European Union’s (EU) General Data Protection Regulation (GDPR), which came into force in May 2018 and was applied in UK law through the Data Protection Act 2018, means that companies can now be fined a maximum of ‘20 million Euros or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher.’ Since the introduction of the GDPR, British Airways has been threatened with a £183 million fine for a data breach of 380,000 people’s financial and personal details between August and September 2018. British Airways and the Information Commissioner’s Office (ICO) agreed to extend the regulatory process until 31st March 2020, so we shall have to wait for the outcome.
All of this highlights how important it is for all businesses to adequately protect their clients’ data. The Department for Digital, Culture, Media and Sport has stated that cyber-attacks are a persistent threat to businesses and charities. Around 32% of businesses and 22% of charities reported having cyber security breaches in 2018/2019. The figure was 60% for medium-sized businesses and 61% for large businesses. It is important to protect all ‘smart’ devices: because most devices are connected, hackers only need to find the weakest link to gain access. This could be a ‘smart’ phone, doorbell or toaster.
Written by Samuel Killoran who is a Law Student at Solent University.