Virgin Media is reportedly one of the latest UK companies to suffer a data security breach. On 5 March 2020, it published a statement on its website explaining that one of its databases had been accessed without Virgin Media’s authorisation, due to a configuration issue. It is reported that the database had been left unsecured since April 2019 and that it contained information about approximately 900,000 existing and potential customers. Virgin Media states that the compromised information was mostly limited to contact and product data and, importantly, did not contain financial information or passwords.
The statement sets out a number of frequently asked questions, with easy-to-understand responses. The ICO and affected data subjects have been notified, and the statement gives customers information about possible scams and phishing attacks, to help them better protect themselves and be aware of the risks in the heightened risk environment following the incident.
Given the ICO’s most recent data breach decisions, it will be interesting to see how the ICO responds to this notification. Recent aggravating factors identified by the ICO include a failure to comply with internal IT policies or industry standards, inadequate patch management and penetration testing, inappropriate account privileges and permissions, and lack of multi-factor authentication.
In addition, the ICO has made it clear that it will take into account the size and resources of a company, stating that it would expect larger and more technologically sophisticated organisations, such as Virgin Media, to take more robust security measures to protect personal data against a breach. Mitigating factors may include how promptly Virgin Media acted once it discovered the breach and whether it has cooperated fully with the ICO.