We are now two months away from the second anniversary of the enactment of the GDPR and we are still seeing major brands and businesses make basic mistakes and expose highly sensitive customer data to cyber-criminals.
The latest culprit is the supposedly forward-thinking technology business, Virgin Media, who, at the start of this month, admitted to exposing the personal details of 900,000 customers (and some non-customers).
How the breach happened
The incident has unfolded to show a situation far worse than what was initially portrayed by the brand. This avoidable breach was not the work of a sophisticated cyber attacker, but a “human error” incident that stemmed from a database that stored personal information being “incorrectly configured” by a member of staff who failed to follow the correct procedures.
To make matters worse, Virgin Media – one of the UK’s biggest internet service providers – only became aware of the breach when it was flagged by a third-party researcher at security firm TurgenSec. It has since revealed that the data was exposed for over ten months and Virgin Media had absolutely no idea, which is simply astounding.
Virgin Media must implement an immediate and thorough investigation to understand how the breach occurred and to identify precisely what data has been accessed, and take steps to ensure this never happens again.
The potential repercussions of the breach
The data that was exposed – which included names, home addresses, email addresses, phone numbers, and some contract information – is enough for criminals to execute scams like phishing emails.
Although not particularly sophisticated, phishing emails can be highly effective at catching victims off-guard and can be a lucrative source of income for cybercriminals. A report by Reuters found that the number of phishing attempts had grown by 65% over the past year and, between 2013 and 2015, cyber-criminals stole over $100m from Google and Facebook using this approach.
What these figures show is that any information that cyber-criminals get – whether that’s personal or financial data – can be used to steal money from data breach victims. With this in mind, it’s time that businesses start making cybersecurity a priority, or it’s open season for fraudsters; especially in cases like the Virgin Media breach when data has been left for them on a silver platter.
It’s also important to note that over a thousand customers have had details exposed that link them to requests to block and unblock explicit websites, which is gold dust for criminals trying to extort money from victims.
Criminals could contact victims posing as Virgin Media to try and convince people to hand over more information or money. This is precisely what happened in the TalkTalk hack of 2015, when fraudsters used the exposed data to contact customers and convince them to grant access to their accounts and transfer funds.
Businesses have had more than enough ‘wakeup calls’ for data breaches: we are only three months into 2020 and we’ve already seen Virgin Media, Travelex, Regus and MGM involved in high-profile events. It’s staggering that the steps required to keep customer data safe and limit the reputational and financial damage associated with a breach are not being taken.
What can customers do?
Until businesses prioritize cybersecurity, consumers will need to take steps to protect themselves, and they can also bring a legal case for compensation against the business. Consumers need to remember that the GDPR and the preceding DPA 1998 give them the right to claim damages for any distress caused by the loss of control, or misuse, of personal information exposed in a cybersecurity event.
Our firm has officially notified Virgin Media that we are taking action and our claimant base is growing every day. We encourage all those affected to come forward so we can hold Virgin Media accountable for these appalling shortcomings. You can join our action on the Virgin Media Group Action site here: virginmediadatabreach.co.uk
Lessons are not being learned. The introduction of the GDPR and hefty financial penalties have not acted as the wake-up call they should have been. Cybersecurity must be taken seriously, and the lack of accountability and responsibility from big firms like Equifax, Travelex, BA and now Virgin Media is part of a recognizable trend.
Consumers need to take matters into their own hands and claim compensation from any business failing to protect their personal and financial information, and maybe this will help to stem the flow of data breaches when the costs of legal action hit home.