Virgin Media 'likely to face maximum GDPR fine' following data leak
Company reveals that the details of 900,000 existing and potential customers were exposed online for at least ten months


Virgin Media has notified the Information Commissioner's Office (ICO) that data belonging to over 900,000 customers has been accessed by an unauthorised third party, the company confirmed on Thursday.
The database is said to have been "incorrectly configured" by a member of staff and left exposed online, according to a statement given to the BBC.
The information related to marketing data for existing and potential customers, who were alerted to the leak in an email on Thursday evening. It's believed the database was left exposed online from at least 19 April 2019.
Although investigations have only just begun, Jonathan Compton, UK compliance lawyer and partner at DMH Stallard, argues that, given what we know so far, Virgin Media could face serious sanctions under GDPR, which sets fines at a maximum of 4% of global turnover, or €20 million.
"It is important to note that this was not a case of a secure database being hacked. No, this was an error by a member of staff not following correct procedures," said Compton.
"Fines towards the maximum of the applicable Act are likely," he added. "This was a serious breach, over a long period, affecting nearly 1m people."
He also added that the situation is "aggravated by the fact that this was not the result of a hack but the result of negligence".
The data exposed includes names, email addresses, phone numbers and details regarding technical services and products the customers may have sought information on. The company has stressed that passwords and payment information were not included in the database.
In its email to customers, seen by IT Pro, Virgin said it was aware there had been a leak of information and that it had taken immediate steps to shut down access to the databases. The company also said it had launched a "full independent forensic investigation" into the incident and had notified the Information Commissioner's Office.
The fact that the ICO has been notified at this stage suggests that Virgin Media believes the incident could infringe on the data rights of its customers. An ICO spokesperson confirmed to IT Pro that Virgin has made contact, and that it is "making enquiries".
One issue that may be investigated closely is whether the company was justified in its retention of user data from prospective customers who may have only expressed an interest in using the company's services but never initiated a contract.
Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.