As reported by BBC News, a Virgin Media database containing the personal details of 900,000 people was left unsecured and accessible online for 10 months, the company has admitted. The information was accessed “on at least one occasion” by an unknown user. The database, which was for marketing purposes, contained phone numbers, home and email addresses. It did not include passwords or financial details. The breach was not due to a hack or a criminal attack, but because the database had been “incorrectly configured” by a member of staff not following the correct procedures, Virgin Media said.
Dark web data brokers are hard at work scraping up any piece of data exposed or breached. With each ounce of information, cybercriminals are putting the pieces of a consumer’s identity together to create a full data profile of an innocent consumer. Cybercriminals use these real consumer identity profiles to open lines of credit, or take over online accounts to fraudulently secure goods and services on the Internet. This is why constantly monitoring security systems for any vulnerability is key to preventing potential breaches. However, once the data has been stolen, companies can still protect the victims of the breach by improving their online user verification measures. We are seeing more companies include behavioral technologies in their arsenal to verify users based on their behavior instead of relying on their personal information, which could have been stolen. This is helping render much of this stolen data valueless, as it is not enough for bad actors to succeed in their schemes.
Despite repeated high-profile cases of companies failing to secure their servers properly, this is clearly still a widespread problem. While Virgin Media didn’t store any passwords in the database, it did contain customer contact information, which can still be used by criminals to aid their phishing campaigns. What is troubling is that it is unknown how much, if any, information was accessed during the 10 months the database was exposed, and that’s why holistic visibility is a key part of good cyber security hygiene.
Everyone needs to approach cyber security with a holistic mindset, ensuring that you have multiple layers to your security which can provide visibility over your network. Monitoring at the DNS level can also provide insights into where data is being exposed to the web and what might be leaving your network. On top of this, educating your employees on good cyber practice, including how to spot threats and problems could help avoid situations like this in the future.
This recent breach highlights once again the challenges that Internet Service Providers (ISPs) face to protect sensitive customer data. In this case a human error seems to have been the root cause of the configuration error that led to the breach. However, it’s surprising that it took Virgin Media ten months to detect and patch the flaw. In simple terms, these types of breaches occur because many organisations still lack adequate monitoring and controls to automatically detect and proactively respond to server and application misconfigurations before damage has been caused.
The strongest protection against these types of breaches is to implement an effective defence-in-depth approach. For example, at one layer, an automated and continuous vulnerability assessment program should be put in place to detect & alert on critical flaws. This must be backed by the right controls where remediation can be applied as soon as high risk vulnerabilities are detected. An effective change control mechanism must also be in place to ensure that changes applied to production systems are peer-reviewed to minimise human errors that could cause serious data breaches.
Network & security managers, as well as infosecurity executives, must have the right cyber risk management and reporting tools to give them visibility on risk profiles of critical digital assets. That way, network and application flaws can be detected, prioritised, and remediated quickly for high risk assets.
The moment a breach like this is made public is the most dangerous time for any customers of the business that fell victim. Criminal organisations will take full advantage of the fear and vulnerability it generates in the whole consumer community. It is absolutely vital that Virgin Media customers do not engage with, or respond to, any unsolicited communication from anyone claiming to be from Virgin Media. Emails, telephone calls; criminals will use every method they can to trick people into sharing more information they can then use to commit more crimes. They will play on the fact that the breach is new and potentially dangerous and customers will, quite rightly, want to do all they can to protect themselves. It’s the perfect time for criminals to act. Don’t reply to emails. Don’t give any information over the phone. Check with Virgin independently if you are worried. Don’t help criminals make a bad situation even worse.
It is important to note here that this is more like a phone-book lost, than a breach affecting passwords or credentials. It can be used by attackers to tie a real name to your email, but for the end users the leak as an incident is of less importance. It is good to see that Virgin is working on informing authorities as well as the affected customers. Overall, this is just one more of the open exposed databases leading to breaches we are seeing lately, a breach not due primarily to poor security, but due to no security at all – a situation we see occurring most frequently by mistake or lack of control.