Virgin Media has four weeks to admit responsibility for a data breach that affected 900,000 customers – or it could be forced to pay £4.5billion in compensation, lawyers say
- Virgin Media said breach occurred because its database was wrongly configured
- Your Lawyers say the IT firm has just four weeks to admit liability for the breach
- It plans to launch a Group Action Claim following the 10-month breach in data
- Each customer affected could win up to £5,000, according to the law firm
- Some 900,000 customers’ data was accessed by a third party last year
Virgin Media has just four weeks to admit legal responsibility for a data breach that affected 900,000 customers or it could be forced to pay up to £4.5billion in compensation.
It comes after Virgin Media said the breach – which exposed data including porn sites accessed – occurred because its database was incorrectly configured, allowing unauthorised access by one third party.
Your Lawyers, a firm based in Chesterfield, Derbyshire, said it could get up to £5,000 each for people whose full names and contact details were released.
The information was accessible from April 2019 until February 28, 2020.
Aman Johal, Director of Your Lawyers, said: ‘Our Group Action Claim against Virgin Media is now live and I encourage anyone affected to sign up for representation now.
‘Unbelievably, Virgin Media failed to take the necessary steps to keep people’s data safe for a sustained period of time, and, shockingly, it took a third-party security researcher to identify the issue.
‘We know from experience that, when personal data is exposed online, it leaves victims vulnerable to cyberattacks and attempts at fraud, such as phishing scams.
‘Customers will no doubt have bought into the Virgin Media brand that has been nurtured by Richard Branson for years and will rightly expect their personal data to be properly protected. For this to have happened is an inexcusable breach of consumer rights.
‘Your Lawyers will hold Virgin Media to account for this avoidable breach of private information, and we will do everything possible to ensure justice for the victims prevails. The door is open for victims to join the action, and now is the time to act.’
It is not known what would happen if Virgin Media did admit liability for the breach.
The information in the database did not include passwords or financial details but did contain names, email addresses, phone numbers and details of customers’ contracts with the service.
However, the independent IT company that alerted Virgin to the breach found details that linked some customers to ‘explicit websites’, it told MailOnline.
Virgin Media blamed the error on the negligence of a staff member who did not follow correct procedures.
Virgin Media declined to comment.
If the tech giant doesn’t admit liability, Your Lawyers will file an application for a Group Litigation Order (GLO) in an effort to get compensation for those affected.
With the legal case against Virgin Media now active, victims have been asked to come forward and bring a claim.
Your Lawyers already represents almost 2,000 Claimants in the case, having received thousands of enquiries, and claimant numbers are expected to continue to rapidly grow.
On March 5 this year it was revealed that Virgin Media had suffered a data breach that compromised the personal information of 900,000 individuals.
Their personal details were left freely accessible in an online database for ten months between April 2019 and February 2020 and were accessed by an unknown third party at least once, meaning those customers affected could be at risk from cyberattacks and fraud.
The incorrectly configured database exposed full names, email addresses, dates of birth, contact numbers and, in some cases, details that linked customers to pornography and explicit websites, potentially leaving them open to blackmail and extortion.
The majority of victims were customers with TV or telephone landline accounts, while a smaller percentage of Virgin Mobile customers were also affected.
Your Lawyers is a consumer action and data breach law firm representing thousands of claimants in over 50 group and multi-party actions.
The firm said it was likely the GLO would go ahead because Virgin Media is not expected to agree to the Alternative Dispute Resolution (ADR).
A final court deadline could be established soon, it says.
In March Virgin Media CEO Lutz Schuler said the company shut down access to the affected database as soon as it was made aware of the breach.
Speaking at a media conference in London, Schuler said: ‘There is no evidence that the data taken has been used in the wrong way.
‘We want to avoid any panic.
‘We all have enough on our plate with coronavirus at the moment but we have to be open about it,’ said Schuler, who added that he would apologise to customers for the breach.
The company, which is conducting an ongoing investigation, said it believes the database was accessed at least once but does not know to what extent or if any information was used.
‘Protecting our customers’ data is a top priority and we sincerely apologise,’ it said.
‘We are now contacting those affected to inform them of what happened.’
Virgin is now urging its customers to remain cautious before ‘clicking on an unknown link or giving any details to an unverified or unknown party’.
The Financial Times reported that this breach affected about 15 percent of Virgin Media’s paying customers, including some with Virgin Mobile.
However, data from non-customers, which came from ‘refer a friend’ promotions, could also have been included.
Virgin Media is Britain’s second-largest broadband company and is owned by billionaire John Malone’s Liberty Global, according to The Financial Times.
The vulnerability of the customer data was first discovered by information security provider TurgenSec, as reported by the FT and confirmed to MailOnline by the company.
‘The breach was discovered by TurgenSec as part of a routine sweep of databases,’ a spokesperson at TurgenSec told MailOnline.
‘Despite reassurance issued that “protecting our customers’ data is a top priority” we found no indication that this was the case.
‘This wasn’t only due to a simple error made by a member of staff “incorrectly configuring” a database, as has been stated.’
TurgenSec added that information was in plaintext and unencrypted – which means anyone with a web browser could clearly view and potentially download all the data without needing any specialised equipment or hacking techniques.
‘It is regrettable that the company is shifting blame to a member of their staff, when they should have had a mature DevSecOps methodology that routinely looks for, identifies and mitigates these errors before a customer’s data is exposed.’
With almost one million customers affected, the breach is deemed one of the largest by a UK firm in recent years.
‘This data breach has exposed the data of almost a million Virgin Media customers and whilst no financial details or passwords were included, those customers are likely to be worried,’ said Adam French, Which? consumer rights expert.
‘It is vital that Virgin Media continues to provide clear information on what has happened.
‘For anyone concerned they could be affected, it’s good practice to update your password after a data breach.
‘Also, be wary of emails regarding the breach, as scammers may try and take advantage of it.’
Virgin said that online security advice and help on a range of topics is available to customers on its website.
It says it has contacted all the affected individuals with advice on what to do next.
VIRGIN MEDIA’S STATEMENT ON THE DATA BREACH
‘We recently became aware that some personal information stored on one of our databases has been accessed without permission. Our investigation is ongoing and we have contacted affected customers and the Information Commissioner’s Office.
The database was used to manage information about our existing and potential customers in relation to some of our marketing activities. This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth. Please note that this is all of the types of information in the database, but not all of this information may have related to every customer.
To reassure you, the database did NOT include any passwords or financial details, such as bank account number or credit card information.
We take our responsibility to protect personal information seriously. We know what happened, why it happened and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation.’