Virgin Media left contact information for 900,000 people exposed in an improperly configured marketing database, the company said in a statement Thursday. The exposed data was accessed by outside actors at least once, the company said, but is now properly secured.
The phone numbers, addresses and emails for "customers and potential customers" were in the database, according to UK-based Virgin Media. The data didn't include any financial information or login credentials. The database was accessible for about 10 months, from April 2019 through February 2020. Virgin Media is contacting affected people directly to let them know their data was exposed.
"We have strict security processes and policies in place but, in this instance, we fell short of our usual standards," the company said in a statement.
The database joins the countlessexposed on the internet every day. As companies transition data to cloud servers, they frequently fail to use password protection or encryption tools that keep random internet users from accessing data simply by entering the correct IP address into their web browser.
A cottage industry of researchers seeks out the exposures and tries to. Virgin Media didn't confirm whether it owned the server that was storing the information, or how it initially learned of the exposure.
The exposure puts victims at risk of phishing attacks, in which scammers might contact them by phone or email and try to get them to reveal even more personal information. Virgin Media said in an announcement of the exposure that it will never email or call customers to ask for banking details.
"We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party," Virgin Media CEO Lutz Schüler said in a statement. In a note to affected users, the company suggested visiting the UK Information Commissioner Office's website on avoiding identity theft, and other resources for protecting yourself from phishing attacks.