Virgin Media faces £4.5BILLION compensation payout after data breach left personal details of 900,000 customers online for 10 months, lawyers say

  • Virgin Media could pay £4.5billion to 900,000 customers affected by breach 
  • Company said personal details were left online for 10 months from last April
  • Law firm Your Lawyers have offered to take a class action against Virgin Media 
  • An incorrectly configured database contained personal data from consumers
  • Names, emails and phone numbers were exposed, but no financial details

Virgin Media could be forced to pay up to £4.5billion to customers whose personal data was published online – including details of porn sites accessed, a law firm says.

Your Lawyers, a firm based in Chesterfield, Derbyshire, has offered to help people who had their full names and contact details released get up to £5,000 each. 

Earlier this month Virgin Media said the breach occurred because its database was incorrectly configured, allowing unauthorised access by one third party.

The information was accessible from April 2019 until February 28, 2020. 

The law firm says a Group Compensation Action could force the company to cough up thousands of pounds per customer for undue financial and emotional distress. 

The information in the database did not include passwords or financial details but did contain names, email addresses, phone numbers and details of customers’ contracts with the service.

However, the independent IT company that alerted Virgin to the breach found details that linked some customers to ‘explicit websites’, it told MailOnline.  

Virgin Media blamed the error on the negligence of a staff member who did not follow correct procedures.  

Aman Johal, Director at Your Lawyers, revealed the firm had formally notified Virgin Media it was taking action.

He said: ‘Virgin Media failed to take the steps required to keep customer data safe. It is vital for the company to understand the severity of this breach.

‘When data is left exposed online it is open season for fraudsters to scam and attack vulnerable people.

‘Our claimant base is growing daily. We urge anyone affected by the breach to make a claim as soon as possible.’

Mr Johal described the release of the information as a ‘serious breach of consumer rights’ for which there ‘is simply no excuse’.  

‘Even though the breach occurred due to “human error”, we must hold Virgin Media to account,’ he added. 

MailOnline has approached Virgin Media for comment. 

Virgin Media CEO Lutz Schuler said the company recently became aware of the issue and immediately shut down access to the affected database.  

Speaking at a media conference in London, Schuler said: ‘There is no evidence that the data taken has been used in the wrong way.

‘We want to avoid any panic. 

‘We all have enough on our plate with coronavirus at the moment but we have to be open about it,’ said Schuler, who added that he would apologise to customers for the breach. 

The company, which is conducting an ongoing investigation, said it believes the database was accessed at least once but does not know to what extent or if any information was used. 

‘Protecting our customers’ data is a top priority and we sincerely apologise,’ it said.  

‘We are now contacting those affected to inform them of what happened.’ 

Virgin is now urging its customers to remain cautious before ‘clicking on an unknown link or giving any details to an unverified or unknown party’.   

Was your data released during the breach? 

If you’d like to join the action go to Your Lawyers here to claim. 

The Financial Times reported that this breach affects about 15 percent of Virgin Media’s paying customers, including some with Virgin Mobile.

However, data from non-customers that came from ‘refer a friend’ promotions could also have been included.

Virgin Media is Britain’s second-largest broadband company and is owned by billionaire John Malone’s Liberty Global, according to The Financial Times.

The vulnerability of the customer data was first discovered by information security provider TurgenSec, as reported by the FT and confirmed to MailOnline by the company. 

‘The breach was discovered by TurgenSec as part of a routine sweep of databases,’ a spokesperson at TurgenSec told MailOnline.

‘Despite reassurance issued that “protecting our customers’ data is a top priority” we found no indication that this was the case.

‘This wasn’t only due to a simple error made by a member of staff “incorrectly configuring” a database, as has been stated.’

TurgenSec added that the information was in plaintext and unencrypted – which means anyone with a web browser could clearly view and potentially download all the data without needing any specialised equipment or hacking techniques.

‘It is regrettable that the company is shifting blame to a member of their staff, when they should have had a mature DevSecOps methodology that routinely looks for, identifies and mitigates these errors before a customer’s data is exposed.’ 

With almost one million customers affected, the breach is deemed one of the largest by a UK firm in recent years.

‘This data breach has exposed the data of almost a million Virgin Media customers and whilst no financial details or passwords were included, those customers are likely to be worried,’ said Adam French, Which? consumer rights expert.

‘It is vital that Virgin Media continues to provide clear information on what has happened. 

‘For anyone concerned they could be affected, it’s good practice to update your password after a data breach. 

‘Also, be wary of emails regarding the breach, as scammers may try and take advantage of it.’

Virgin said that online security advice and help on a range of topics is available to customers on its website.  

It says it has contacted all the affected individuals with advice on what to do next.    


‘We recently became aware that some personal information, stored on one of our databases has been accessed without permission. Our investigation is ongoing and we have contacted affected customers and the Information Commissioner’s Office.

The database was used to manage information about our existing and potential customers in relation to some of our marketing activities. This included: contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website. In a very small number of cases, it included date of birth. Please note that this is all of the types of information in the database, but not all of this information may have related to every customer.

To reassure you, the database did NOT include any passwords or financial details, such as bank account number or credit card information.

We take our responsibility to protect personal information seriously. We know what happened, why it happened and as soon as we became aware we immediately shut down access to the database and launched a full independent forensic investigation.’   