News about data breaches never draws much traffic for Commsrisk. I assume that is because breaches happen so often. We all know the advice about changing passwords on a regular basis, and never using the same password for multiple sites. When everybody knows the advice for how to manage a risk, it means that risk has become commonplace. And whilst regular journalists do a poor job of reporting the errors found on so many phone bills, or the frauds that are particular to the telecoms industry, they know how to repeat the words of a CEO apologizing for a data breach. This month saw Lutz Schüler, CEO of Virgin Media (pictured) saying sorry to his customers:
We recently became aware that one of our marketing databases was incorrectly configured which allowed unauthorised access. We immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed line customers representing approximately 15% of that customer base. Protecting our customers’ data is a top priority and we sincerely apologise.
Schüler also admitted that the database had been accessed by an unknown user “at least” once. The breach could have been worse, in that the compromised data did not include passwords or information about credit cards or bank accounts. However, Virgin Media have been criticized for understating the severity of the breach, which was brought to their attention by security business TurgenSec. Perhaps TurgenSec were peeved that Virgin Media did not publicly thank them for their assistance, but TurgenSec issued their own statement, which argued that Virgin Media were not being as transparent as they seemed.
We cannot speak for the intentions of their communications team but stating to their customers that there was only a breach of “limited contact information” is from our perspective understating the matter potentially to the point of being disingenuous.
TurgenSec has a point if their claims are accurate. Whilst Schüler’s press release only said that “limited contact information” was maintained on the compromised database, TurgenSec said it stored:
- Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.
- Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses.
- IMEI numbers associated with stolen phones.
- Subscriptions to the different aspects of their services, including premium components.
- The device type owned by the user, where relevant.
- The “Referrer” header taken seemingly from a user’s browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.
- Form submissions by users from their website.
Perhaps Schüler is a fine leader with many special qualities. However, there is nothing special about a CEO apologizing for a data breach whilst playing down its significance. Most of Schüler’s words could have been copied from the excuses proffered by dozens of other CEOs in similar circumstances. His announcement ended with a customary refrain:
We have kept the Information Commissioner’s Office fully updated since we became aware of this incident.
Does anyone feel comforted by the ultimate paper pushers of the data protection industry reviewing what went wrong, long after the fact? Their ‘investigation’ will solely consist of listening to Virgin Media’s rationalizations. This will focus on detail, when the real question should be why a business can be so ineptly managed that it sets up a database that stores personal details for 900,000 customers, and puts no security around it whatsoever, without anyone noticing for a period of 10 months. The database would have remained insecure for even longer, had it not been for the goodwill of the external organization that told Virgin Media about their foolishness.
Instead of talking to Virgin Media, the Information Commissioner’s Office should rather ask for the insights of TurgenSec, who seem to have a much better grasp of what went wrong.
There seems to be a systematic assurance process failure in how they monitor the secure configuration of their systems. All information was in plaintext and unencrypted – which means anyone browsing the internet could clearly view and potentially download all of this data without needing any specialised equipment, tools, or hacking techniques. Anyone with a web browser could access it. It is regrettable that the company is shifting blame to a member of their staff, when they should have had a mature DevSecOps methodology that routinely looks for, identifies and mitigates these errors before customers’ data is exposed.
It is upsetting to see that even in a post-GDPR world, companies are still not living up to the intended spirit of the law. Companies like to downplay the impacts whilst upselling their supposed care and due diligence in an attempt to place shareholder value over their customers’ rights. Their customers have a right to ensure their data is protected “by design”, which in many cases it isn’t. It would seem highly unlikely to us that in this case, after being left open for 10 months, the data has not been obtained by multiple actors, some potentially malicious.
Whilst Virgin Media’s management team tried to push blame down their hierarchy, away from themselves, TurgenSec are right to point fingers at the very top. I believe a quick glance at the remit of Virgin Media’s C-level team is sufficient to understand why abysmal failures like this keep happening.
- They have a CEO, whose background is in marketing.
- They have a COO, whose background is in marketing.
- They have an acting CFO, whose job is to manage money and do the accounts.
- They have a CTO/CIO who may or may not be responsible for auditing the technology her team implements.
- They have an exec whose strength lies in managing call centers, an exec who focuses upon enterprise customers, and an exec for fibre optics.
- They have a chief lawyer, whose job is to argue her business does a good job of complying with data protection law.
- They do not have somebody to take a comprehensive view of risk.
Somebody in Virgin Media may or may not have been allocated some responsibility for preventing breaches like this. But if personal data for 900,000 customers can be breached by anyone with a web browser then it is fair to assume internal controls are implemented by somebody who is grossly incompetent, or more probably that they lack the remit and resources to monitor all the stupid screw-ups being made by their marketing-led colleagues. At this point I might have been tempted to ask why Richard Branson is not personally apologizing for this breach, but everybody knows Branson is only interested in marketing.
Human beings are fallible. It is in our nature to make mistakes. When it comes to a serious breach like this, blaming a lone employee for not securing a database is to miss the point entirely. Data protection is everybody’s responsibility, starting at the very top, but translating that responsibility into action requires an organization that is designed to make it happen. Virgin Media’s top team is not designed to address risk. And if none of them are incentivized to manage risk, then nobody else in the business will be properly incentivized either.
We are still a long way from the appointment of Chief Risk Officers being considered normal for telcos. But without somebody standing alongside the CEO, arguing for the resources to methodically and efficiently manage the full range of business risks, then mistakes like these will keep happening. Human nature is not going to change; we must change the way businesses are run to protect ourselves from the foibles of human nature. The most important step will be acknowledging that we will never manage risk systematically until somebody manages risk as a system of thought, on behalf of the whole business. Telcos are too complicated to effectively manage risk any other way.