Original Virgin Media Disclosure Statement published on March 6th, 2020 as it appeared on the TurgenSec.com website.
This is our statement in response to the two most common questions sent to us by journalists following our disclosure to Virgin Media of a breach on 28th of February. This included personal information corresponding to approximately nine hundred thousand UK residents.
Do you feel that Virgin is being honest about the severity of this finding?
We cannot speak for the intentions of their communications team but stating to their customers that there was only a breach of “limited contact information” is from our perspective understating the matter potentially to the point of being disingenuous. We do not know if the people writing the statement knew all the facts when writing this statement, but here is what we know.
Would customers consider the following to be an accurate description of “limited contact information”:
- Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.
- Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses.
- IMEI numbers associated with stolen phones.
- Subscriptions to the different aspects of their services, including premium components.
- The device type owned by the user, where relevant.
- The “Referrer” header taken seemingly from a users browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.
- Form submissions by users from their website.
We would recommend that all customers affected by this breach immediately issue a GDPR request to Virgin Media to identify exactly what information has been breached, and what information the company continues to hold on them. The limited information issued by Virgin Media, in our opinion, does not adequately cover the extent of this.
Despite the reassurance they issued that “protecting our customers’ data is a top priority” we found no indication that this was the case. This wasn’t only due to a simple error made by a member of staff “incorrectly configuring” a database, as has been stated. There seems to be a systematic assurance process failure in how they monitor the secure configuration of their systems. All information was in plaintext and unencrypted – which means anyone browsing the internet could clearly view and potentially download all of this data without needing any specialised equipment, tools, or hacking techniques. Anyone with a web-browser could access it. It is regrettable that the company is shifting blame to a member of their staff, when they should have had a mature DevSecOps methodology that routinely looks for, identifies and mitigates these errors before customer’s data is exposed.
It is upsetting to see that even in a post GDPR world, companies are still not living up to the intended spirit of the law. Companies like to downplay the impacts whilst upselling their supposed care and due diligence in an attempt to place shareholder value over their customer’s rights. Their customers have a right to ensure their data is protected “by design” which in many cases it isn’t. It would seem highly unlikely to us that in this case, after being left open for 10 months, the data has not been obtained by multiple actors some potentially malicious.
The UK NCSC has some really good advice for how to securely architect cloud solutions and implement cyber security correctly. We would invite Virgin Media to adopt some of them before claiming that “protecting our customer’ data is a top priority”. TurgenSec also offers a set of services that prevent problems like this from occurring. The cost of utilising private third party security and implementing the guidance given by the NCSC is negligible in comparison to the potential fine that Virgin Media could now face. This could be up to 4% of their global annual turnover, a significant cost for a company with over 5 billion in annual revenue.
How did Virgin conduct itself after the disclosure?
In our view, Virgin’s initial response to the breach was strong – getting back to us immediately and keeping us updated on progress. Upon contacting Virgin we were called by the security team on the 28th of February and they escalated us to their parent company LibertyGlobal employees, one of whom stated they were on a Virgin Media contract.
The database was removed swiftly and the Liberty Global contacts informed us the database had been turned over to a third party forensics organisation which was analysing the content of the database.
We received systemic updates explaining that they could not provide us with information, but would as soon as possible. We did not seek any remuneration as a result of responsibly disclosing their breaches, but did request attribution as the reporting party. We were informed our request would be taken to those handling the situation.
Virgin Media instead went straight to the media and we were contacted 15 minutes before the article publication in the FT asking for a statement. This felt like an ambush by Virgin Media who did not value our contribution. Since then we have received no public credit or mention from Virgin Media, who used no part of what we put together in those 15 minutes.
This breach is an important case study in the wider debate of responsible disclosure and how companies should behave to encourage a positive cyber security research culture.
Disclosing breaches to companies (historically) is not without risk and in the past well-meaning security researchers looking to help have been criminally charged and faced prison time. As has been repeatedly stated, the nature of this disclosure was such that no data was illegally accessed or offensive techniques utilized. However, the fact remains that we had no legal obligation to disclose this & that we did so at our own cost, to the immediate benefit of the nine hundred thousand ordinary British people impacted. For the benefit of these individuals we have given the column headings of the data that was breached below, such that the relevant people can assess the exact scope of what may have been leaked about them.
As emphasized by the UK’s National Cyber Security Centre in their publication on coordinated vulnerability disclosure:
“It is important to us to credit you for what you did – if you wish. We will mention your name in a publication regarding the vulnerability.
As a thank you for helping us in better protecting our systems, we would like to reward every report of a vulnerability that was unknown to us at the time. The reward will depend on the severity of the vulnerability and the quality of the report.”
Given the above, we find it disappointing that Virgin Media did not make any reference to us in their disclosure, which they notified us about roughly 15 minutes before it went live. The only mention given was to their own internal security team. This does not encourage responsible disclosure from third parties in the future.
Going forward we hope that companies in the UK and internationally will take the lead of the National Cyber Security Centre and encourage security researchers to come forward with their findings without fear of entering into a situation where they can only lose. We believe that this culture would directly benefit the UK & International Community through the global reduction of Cyber Crime.
The Data Headings as Observed By TurgenSec