Almost 1 million Virgin Media records exposed via insecure database

The data included email addresses, phone numbers and physical addresses, but no payment information or passwords, the company says.

Laura Hautala

Virgin Media left contact information for 900,000 people exposed in an improperly configured marketing database, the company said in a statement Thursday. The exposed data was accessed by outside actors at least once, the company said, but is now properly secured.

The phone numbers, addresses and emails for "customers and potential customers" were in the database, according to UK-based Virgin Media. The data didn't include any financial information or login credentials. The database was accessible for about 10 months, from April 2019 through February 2020. Virgin Media is contacting affected people directly to let them know their data was exposed.

"We have strict security processes and policies in place but, in this instance, we fell short of our usual standards," the company said in a statement.

The database joins the countless insecure caches of personal data exposed on the internet every day. As companies transition data to cloud servers, they frequently fail to use password protection or encryption tools that keep random internet users from accessing data simply by entering the correct IP address into their web browser.

A cottage industry of researchers seeks out the exposures and tries to get companies to fix them. Virgin Media didn't confirm whether it owned the server that was storing the information, or how it initially learned of the exposure.

The exposure puts victims at risk of phishing attacks, in which scammers might contact them by phone or email and try to get them to reveal even more personal information. Virgin Media said in an announcement of the exposure that it will never email or call customers to ask for banking details.

"We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party," Virgin Media CEO Lutz Schüler said in a statement. In a note to affected users, the company suggested visiting the UK Information Commissioner's Office website for advice on avoiding identity theft, as well as other resources for protecting yourself from phishing attacks.