Virgin Media Data Breach: Marketing Info Leaked Since April 2019


Virgin Media have had a data breach, and it can affect you even if you’ve never been a Virgin Media customer. The good news is, passwords and financial details aren’t affected. The bad news is, you could be more at risk of “phishing” and “spearphishing” attacks. Read on for our advice on how best to protect yourself.

What Virgin Media Leaked in this Data Breach

The database affected is a marketing database. Virgin have said the database was exposed since “at least” the 19th of April 2019, and “has been accessed recently”.

You’re in this database if:

  • You are an existing Virgin Media customer
  • You are a “potential customer”, presumably meaning Virgin bought your data to advertise to you or you signed up to a mailing list for their mobile, fixed line or broadband services.

According to Virgin Media the data breach affects around 900,000 people, all of whom should have been informed directly by Virgin in the past week. The information that is or may have been in the database includes:

  • Name
  • Home Address
  • Email
  • Phone Number
  • “Technical and product information”, such as current Virgin Media plan
  • Information from enquiries made through the Virgin Media website
  • Date of Birth, “in a very small number of cases”

Defining Phishing: How Attacks Work

Phishing is the practice of sending out emails that try to trick someone into doing something they wouldn’t want to do. Usually this means giving out passwords or card details, but it can be other things, from letting someone into a secure building to getting someone to install a virus.

A screenshot of a phishing email, as users might receive following the Virgin Media data breach. The email claims "As a precaution measure against COIVID-19 in cooperation with National Insurance and National Health Services the government established new tax refund programme for dealing with the coronavirus outbreak in its action plan. You are eligeable to get a tax refund (rebate) of 128.34 GBP." This claim is followed by a link to "Access your funds now".
An example of a recent phishing email Play3r staff received. The start and end come from a real UK Government press release. However, unlike the claims made in this email, there is no money up for grabs. The UK’s coronavirus (COVID-19) action plan does not involve tax rebates. This is an attempt to trick someone into clicking the link, then maybe to get bank or national insurance details. We haven’t clicked the link and you shouldn’t either.

It’s important to note that although the URL shown in the above email is a legitimate NHS website address with information relating to the current health issues, clicking the link will take you to a completely different website. That website will be under the control of the fraudster, although it will look very official and will probably mirror some aspects of the Gov.uk or NHS websites in order to fool you into taking some kind of action. More on this below.

General examples of “phishing” include:

  • “For some very important reason, you should open this document or install this software”
  • “You forgot to pay this bill, quick, send us money to pay the bill”
  • “There’s a problem with your account for something, quick, log in here and fix it”
  • “You just bought this thing, if this wasn’t you, log in here to cancel it”
  • “You won money, expensive gadget, Bill Gates’ Lottery, etc. now do what we say to get the money”

It’s worth repeating that although the URL typed out in the email above is a legitimate NHS website address with information relating to the current health issues, it’s very easy to change the target of a link without changing its visible text, so the link can take you to a completely different website. That website will be under the control of the fraudster, although it will look very official and probably mirror some aspects of the Gov.uk or NHS websites in order to fool you into taking some kind of action, such as making a bank transfer to the fraudster in order to prove your identity and receive your windfall.

Spearphishing is phishing, but more targeted. A “spearphishing” attack uses personal data to be more believable. On a basic level these might be emails addressing you by name, or seeming to be from family and friends, as the attacker will sometimes attempt to mimic the email address of loved ones so that you are more likely to click that link. On a more advanced level there have been attacks that used real passwords taken from past breaches. Spearphishing attacks are generally more carefully crafted than regular phishing and rely on your supposed familiarity with the sender to get you to click that link or open that attachment.

How The Virgin Media Data Breach Puts You At Risk

The impact of this data breach is that the crooks behind it now have personal information to use. This means they can start to craft “spearphishing” attacks that use this information to seem believable.

Ultimately the database that leaked was an advertising database. That means Virgin Media had gathered up all the data they thought might help them persuade you. Now it’s helping criminals try to persuade you as well. You might start to receive, or already have been receiving, emails personalised to your hometown or address. These could also reference your ISP, internet plan, or even age.

The threat isn’t limited to email

The attacker who accessed this data (or anyone they sell it on to) doesn’t need to rely on you clicking a link in an email. They have your phone number, name, address, and more that they can use to “cold-call” you and try to persuade you that you are speaking to a Virgin Media employee, local council accounts department or anyone else you have a financial arrangement with. Once they have your trust they can instruct you to renew your financial info, initiate a bank transfer, threaten to cut off service for an unpaid bill, etc.

Virgin Media and many other companies operate a password system whenever you speak to them over the phone, which proves to Virgin Media that you are who you say you are. Unfortunately it doesn’t work in reverse: if they call you at home, Virgin won’t read your password back to you, because they don’t want to accidentally give it to your housemate or anyone else who shouldn’t have access to the protected data.

The best thing to do if you receive a call warning that you owe money and urgently seeking payment to avoid a catastrophe is to ask for the caller’s name and department, then find an appropriate phone number on the web and call them back. If the call is legitimate they will be happy for you to call them back; if it’s a scam they will likely try to keep you on the phone and bully you into making a payment before you have time to really think about it. In the past, this type of scammer has gone as far as playing a pre-recorded dialling tone down the line to make you think the line has cleared so that you can dial the company yourself, even though in reality you are still connected to the original incoming call. For this reason it is best to call back from another telephone line or mobile if you have access to one, or to wait a while before you return the call so that you can be sure the line has properly cleared.

How Best To Protect Yourself From Phishing

You should always be careful about unexpected emails, especially if they make you feel like you have to do something urgently to avoid embarrassment or inconvenience. Some general best practices are:

  • If an email seems scary, too good to be true, or otherwise “off”, take time to reflect before acting. Don’t be afraid to ask for advice from a trusted friend or do a quick Google search to see if others have received this email and what the outcome was for them.
  • If you’re worried about some kind of account being locked, or a fake order being placed, log in to check using the web address you know. This goes for phone numbers too, use a number you know is legitimate. Don’t use a link or number the email gave you.
  • Be very wary of “security verification”. It’s often used to trick people into blind compliance. If you receive a call from a company that uses ‘Two Factor Authentication’, such as a password to identify you as the account holder, never give that password to the caller; always phone the company back yourself on a number you know is legitimate.
  • Avoid clicking links and opening attachments in emails unless you’re certain they’re expected and legitimate. It’s easy to think “I’d better click that” in the moment. Sometimes even if you’re suspicious you think “I should find out more” – it’s best not to. Even if it goes no further, clicking a link tells the attacker that you’re reading their emails.
  • Finally – if for some reason you’re opening a Word document from an email attachment (usually a bad idea), never hit an “enable content” button. Word blocks “macros”, effectively programs that are part of the document, as a last line of defence. A document might tell you “To view full content, please click ‘Enable Editing’ and then click ‘Enable Content’” – this is the file asking you to remove that last line of defence so it can infect you. It is not a message the Office program will ever generate itself unless there is active content waiting to be enabled.

another example phishing email, purporting to be from amazon UK and apparently confirming the order of "prime platinum", whatever that's meant to be
A phishing email the author received a while ago, annotated with the red flags. Scary cost plus time pressure plus “click here to fix it” is a common formula. Not knowing your name is also a warning sign, but knowing your name doesn’t make an email legit. [Editor’s note: The sender’s email claims to be ***@amazon.co.uk, however you can see that it’s really being sent from ***@coordi21.com. Definitely a red flag and there are likely more that haven’t been circled.]

With this data breach, you also have to keep in mind that an email can contain a lot of details that are genuinely correct about you. Attackers can write simple programs that drop those details in automatically once they have the data from a breach like this.
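The two red flags called out above, a sender display name that claims one domain while the real address is on another, and a link whose visible text shows one web address while it actually points somewhere else, can both be checked mechanically. The following is an added example, not code from the article or from Play3r: it parses a raw email with Python's standard library and reports both mismatches. The `SAMPLE_EMAIL` is constructed for the example in the shape of the "Amazon" email described above and uses `.example` domains; `coordi21.example` and the function names are assumptions, not real identifiers.

```python
"""Two mechanical red-flag checks for a suspicious e-mail:
(1) the From display name claims a domain that is not the real sender's domain;
(2) a link's visible text shows one web address while its href points to another.
Added example; SAMPLE_EMAIL below is constructed and uses .example domains."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loose match for something that reads like a host name (nhs.uk, www.amazon.co.uk, ...).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def host_of(text):
    """Lower-cased host of a URL or bare host name, or None if the text has no host."""
    if "://" not in text:
        text = "http://" + text.strip()
    host = urlparse(text).hostname
    return host.lower() if host else None


def sender_mismatch(from_header):
    """Host names claimed in the display name that do not belong to the real sender domain."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return []
    sender_domain = address.rsplit("@", 1)[1].lower()
    claimed = {m.group(1).lower() for m in HOST_RE.finditer(display)}
    return sorted(c for c in claimed
                  if c != sender_domain and not sender_domain.endswith("." + c))


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """(host shown in the link text, host the link really goes to) for every disagreeing link."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not HOST_RE.search(text):  # text like "Access your funds now" names no host
            continue
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            findings.append((shown, real))
    return findings


def analyse(raw_message):
    """Run both checks over a raw RFC 5322 message and return human-readable findings."""
    msg = message_from_string(raw_message)
    findings = [f"display name claims {d} but sender is {parseaddr(msg['From'])[1]}"
                for d in sender_mismatch(msg.get("From", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            findings += [f"link text shows {shown} but points at {real}"
                         for shown, real in link_mismatches(body)]
    return findings


# Constructed sample in the shape of the "Amazon" e-mail described above; not a real message.
SAMPLE_EMAIL = """\
From: "orders@amazon.co.uk" <noreply@coordi21.example>
To: someone@example.net
Subject: Your order of Prime Platinum has been confirmed
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your order has been confirmed and GBP 299.00 will be charged within 24 hours.</p>
<p>If this was not you, log in at
<a href="http://account-recovery.coordi21.example/login">https://www.amazon.co.uk/your-account</a>
to cancel the order.</p>
<p>Official guidance: <a href="https://www.nhs.uk/conditions/coronavirus-covid-19/">https://www.nhs.uk/conditions/coronavirus-covid-19/</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("RED FLAG:", finding)
```

Run as-is it reports two red flags for the sample: the display name claims `amazon.co.uk` while the sender is on `coordi21.example`, and the "cancel" link shows `www.amazon.co.uk` but points at `account-recovery.coordi21.example`; the NHS link, whose text and target agree, is not flagged. The host comparison is deliberately simple (no public-suffix handling), so treat a hit as a reason to stop and check, exactly as the article advises.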

Security company Sophos have a more extensive article on phishing including a flowchart that’s worth reading.

How To Be Secure In General

The Virgin Media data breach didn’t involve passwords, but it’s never a bad time for a reminder about password safety. Some of the accepted wisdom is difficult to follow so we’ll try to also be practical.

Use hard to guess, easy to remember passwords. It’s all very well making your password “aJ4&£lk” but good luck remembering that. A long phrase like “Play3r is my favourite tech site because their logo is orange” will be a lot easier to remember and still very secure.

Never re-use essential passwords. Of course you shouldn’t re-use passwords at all, but many people do anyway. Really important things like email accounts should always have strong, unique passwords because if your email account is breached an attacker can use password reset tactics to access almost everything else. We’re not encouraging re-use, even for ‘mundane’ websites, but it’s better to use unique strong passwords for the most important things than not at all.

Writing down passwords is better than re-using them. There are lots of ways to mess up that start with writing down passwords, especially if you handle sensitive or valuable data. But be realistic. Data breaches affecting passwords happen, but very few domestic burglaries are looking for passwords. Writing a password down can make you more secure than using simple or re-used passwords. And, if you are writing them down, be smart about it… write them backwards, add extra characters before and/or after. So long as you can recognise which characters you need to ignore when trying them out again, your written passwords are fairly safe even if they are discovered.

Try to reduce how much data is out there. If you don’t have to make an account for something, don’t. It’s one less password to remember. If a site offers to save your payment details, decline. They’re asking because you’re more likely to spend money if it’s easier to do so. By saying no you protect yourself both from data breaches and from impulse buys. Getting unused accounts deleted is also a good idea if you’re sure you’ll never want them.

Consider checking your email address at haveibeenpwned. To “pwn” is hacker slang for breaching the security of something, and haveibeenpwned.com is a site that checks email addresses against known data breaches. This can tell you which past data breaches might affect you. It doesn’t necessarily cover all breaches, but if it finds that your username and password are already out in the wild then you need to change that password.

Consider two-factor authentication for important things where available. Two-factor authentication, or 2FA, adds a second form of ID. Often this is a code generated on your phone, or emailed to you when you log in from a different computer. This can keep you secure if someone gets your password.

Finally, consider a password manager. But be careful. Password managers can have breaches and security flaws too. They’re better than a blanket password you use for everything from your puppy’s Insta page through to your bank and GP surgery, but not as secure as having unique strong passwords that aren’t all stored somewhere behind a single master key.

Stay informed, inform others, think before you act – then act wisely.

[Another Editor’s note: Please know that even though this is a VERY long article crammed with advice, it is NOT a user guide on how to stay safe.
Threats are constantly evolving and as such the defences used against those threats also need to evolve. So, although we encourage you to bookmark this page and refer back to it in the future, as well as sharing it widely with your friends and relatives, there are going to be active threats that are not covered here because they hadn’t been conceived at the time of writing this article.
If you feel that any of the info here is no longer relevant for any reason or maybe a new wide-ranging threat has emerged that we should be warning our readers about, send us a message using the comments below and we’ll look into it and try to keep this page updated for as long as we reasonably can.]
