Clicky

Virgin Media ISP leak reveals some customers who requested porn to be unblocked

Privacy campaigners that said a porn ID system would lead to leaks have perhaps been vindicated.

Tired of censorship and surveillance?

Defend free speech and individual liberty online. Push back against Big Tech and media gatekeepers. Subscribe to Reclaim The Net.

We’ve almost become desensitized to data leaks over the last few years. It seems like there’s a new one every month due to irresponsible handling of user data.

Today’s story is something special though. Virgin Media didn’t just have a run-of-the-mill data leak or even a breach. Their entire customer database was publicly accessible online with no permissions or exploits required. To make matters worse, this database contained the pornography browsing habits of some customers.

Click here to display content from Twitter.
Learn more in Twitter’s privacy policy.

Why would Virgin Media have such information, you might be asking?

Great question, because there is, in fact, no good reason for them to have it.

Remember the UK’s attempt at a porn block last year?

Well, as much of a dumpster fire that was, it seems we didn’t even realize just how flaming that dumpster was until now.

As it turns out, the exposed database included details of more than one thousand users of Virgin Media’s cable TV and landline service that had used an online form to request that a porn website be blocked or unblocked.

In a straight out of Black Mirror revelation, these thousand users could potentially now be victims of targeted harassment or blackmail using information about what porn websites they like or dislike.

This was actually one of the reasons the porn block fell apart to begin with – the fear of “porn-watcher” lists getting leaked.

In case this story wasn’t bad enough, Virgin Media didn’t even acknowledge this part of it initially.

On Thursday they said that the details of 900,000 people were publicly accessible online and had been accessed “on at least one occasion” by an unknown user.

They claimed only phone numbers, home addresses and emails had been leaked, which is typical of data breaches and understandable in this case.

On Friday however, researchers at cyber-security firm TurgenSec took a look at the database itself and found much more intimate information.

“Stating to their customers that there was only a breach of ‘limited contact information’ is from our perspective understating the matter potentially to the point of being disingenuous,” TurgSec commented on Virgin Media’s far from adequate security and even worse handling of the leak.

Virgin Media acknowledged the findings and responded that only a small number of customers had this sensitive information stored in the database about them, and that none of it provides information “as to what, if anything, was viewed” by the customer.

“The information was in plain text and unencrypted, which meant anyone browsing the internet could clearly view and potentially download all of this data without needing any specialized equipment, tools, or hacking techniques,” said a representative from TurgenSec.

US-owned Virgin Media said they took security “very seriously” and informed the Information Commissioner’s Office (ICO) of the breach, as required by the GDPR.

“People have the right to expect that organizations will handle their personal information securely and responsibly. When that doesn’t happen, we advise people who may have been affected by data breaches to be vigilant when checking their financial records,” an ICO spokeswoman commented.

Virgin Media said they will be sending out emails to those that were affected by the breach warning them not to fall for phishing attacks, click unknown links or provide personal details to anyone who contacts them asking for any.

When you know this much about someone, you might think there’s not much left to find out.

But even seemingly simple trivia about someone like their first pet or the street they grew up on can be helpful to an attacker to better guess their password or answer their security question and gain access to their social media and maybe even their banking accounts.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net.

Tired of censorship and surveillance?

Defend free speech and individual liberty online. Push back against Big Tech and media gatekeepers. Subscribe to Reclaim The Net.

Read more

Share