Lost Virgin Media CD contains customer information

Date Reported:
6/20/08

Organization:
Virgin Group

Contractor/Consultant/Branch:
Virgin Media

Victims:
"customers that signed up to Virgin Media services in Carphone Warehouse stores from January this year"

Number Affected:
3,000

Types of Data:
Bank details, names and home addresses

Breach Description:
"Virgin Media is conducting an internal inquiry into why 3,000 customers' bank details were burned to a CD which was then lost, it emerged today."

Reference URL:
The Register
Finextra
PrecisionMarketing

Report Credit:
Chris Williams, The Register

Response:
From the online sources cited above:

Virgin Media - the entertainment and communications arm of Richard Branson's Virgin Group - has lost an unencrypted computer disc containing the bank account details of 3000 UK customers.

The incident came to light inside the company on 29 May.

Virgin Media is part way through individually contacting the people affected, who all signed up in Carphone Warehouse stores nationwide from January this year.

It is not known why the data was burned onto a CD.
[Evan] This is the question we are all wondering.  What goes through a person's mind when they do something that goes against common sense, anything?

A company spokesman told The Register that transferring sensitive customer data on CD goes against its policy of using secure FTP tranfers [sic].
[Evan] Some people call an FTP server that requires a username and password a "secure" FTP server.  There is "standard" FTP, in which the server may or may not require a password, but where data is transferred in clear-text (unencrypted), then there is "secure" FTP where data is transferred encrypted.  I hope that Virgin Media's definition is the latter and not the former.
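The distinction drawn in the comment above, as an added example that is not code from the post or from Virgin Media: in Python's standard `ftplib`, a plain `FTP` client can demand a password yet still send the credentials and the file in clear text, and even `FTP_TLS` only encrypts the control connection after `auth()`; the data connection that carries the payload stays unencrypted until `prot_p()` negotiates PROT P. The host, credentials and the `DryRunClient` helper (which records the command sequence instead of opening a socket) are assumptions made for this example.

```python
"""Added example, not the post's or Virgin Media's code: what 'secure FTP'
has to mean in a client if the payload, and not just the login, is encrypted.
Host and credentials below are constructed placeholders."""
import ftplib
import io
from typing import Type


class InsecureTransportError(RuntimeError):
    """Raised when a transfer would put the payload on the wire in clear text."""


def send_sensitive(payload: bytes, remote_name: str, host: str, user: str,
                   password: str,
                   client_cls: Type[ftplib.FTP] = ftplib.FTP_TLS) -> ftplib.FTP:
    """Upload `payload` with both the control and the data channel encrypted.

    A password-protected plain ftplib.FTP is refused: it authenticates, but the
    credentials and the file travel unencrypted. FTP_TLS protects the control
    connection once auth() has run; the data connection that carries the file
    stays clear text unless PROT P is negotiated, which prot_p() does.
    """
    if not issubclass(client_cls, ftplib.FTP_TLS):
        raise InsecureTransportError(
            f"{client_cls.__name__} authenticates but does not encrypt")
    client = client_cls()
    client.connect(host, 21)
    client.auth()                   # TLS on the control channel before the password goes out
    client.login(user, password)
    client.prot_p()                 # TLS on the data channel as well
    client.storbinary(f"STOR {remote_name}", io.BytesIO(payload))
    client.quit()
    return client


class DryRunClient(ftplib.FTP_TLS):
    """Records the command sequence instead of opening a socket, so the policy
    can be exercised offline. Assumed helper for this example only."""

    def __init__(self):
        super().__init__()
        self.calls = []
        self.received = b""

    def connect(self, host="", port=0, timeout=-999, source_address=None):
        self.calls.append("connect")
        return "220 dry run"

    def auth(self):
        self.calls.append("AUTH TLS")

    def login(self, user="", passwd="", acct="", secure=True):
        self.calls.append("login")
        return "230 dry run"

    def prot_p(self):
        self.calls.append("PROT P")
        return "200 dry run"

    def storbinary(self, cmd, fp, blocksize=8192, callback=None, rest=None):
        self.calls.append(cmd)
        self.received = fp.read()
        return "226 dry run"

    def quit(self):
        self.calls.append("quit")
        return "221 dry run"


if __name__ == "__main__":
    record = b"name,address,sort code,account\n"   # constructed sample record
    c = send_sensitive(record, "export.csv", "files.example.invalid",
                       "exporter", "placeholder-password", client_cls=DryRunClient)
    print(" -> ".join(c.calls))
    try:
        send_sensitive(record, "export.csv", "files.example.invalid",
                       "exporter", "placeholder-password", client_cls=ftplib.FTP)
    except InsecureTransportError as exc:
        print("refused:", exc)
```

The order of calls is the point: the password is sent only after `AUTH TLS`, and `STOR` runs only after `PROT P`. A policy that calls a login-only FTP server "secure" gets neither guarantee.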

The data on the CD was not encrypted and also included names and home addresses.

Virgin Media emphasised the blunder had been "isolated" and had never happened before.
[Evan] Do you think that this is the first data "blunder"?

This is an isolated incident which has affected a small number of our customers.
[Evan] 3,000 victims are 3,000 victims, no matter how many customers there are in total.

The staff involved in the incident are subject to the internal inquiry.

The firm contacted the Information Commissioner's Office when it discovered the loss and took its advice on how to inform customers.

It is paying for credit file protection for everyone whose banking information is now out in the wild, which means any fraud will be indemnified and credit histories will be unaffected.
[Evan] Credit monitoring, although better than nothing, is limited in scope.

While the financial cost to customers will be zero, and negligible for Virgin Media, the embarrassment should be massive.

"Customer privacy is of the highest important to us and we are undertaking a full review of our data protection policies and practices to ensure this matter does not occur again. We are very sorry this situation has occurred and for the inconvenience this has caused our customers."

Commentary:
It appears as though Virgin Media has data protection policies and practices.  We can only guess how well written and communicated they are.  If an employee was aware of and properly trained on policy and procedure and decided to violate those policies and procedures anyway, then that's one thing.  If the employee was not aware of them and not trained on them, then this indicates a serious oversight on the part of the Virgin Media information security program.  Information security training and awareness should not be underestimated.

Past Breaches:
Unknown


 