What lessons can we learn from Virgin Media?
By Gerry Grant, Chief Security Officer
On the 5th March it was reported that Virgin Media had left a database containing over 900,000 customers and potential customers details accessible online. The database didn’t even have a password on it.
It transpired that the database had been online for 10 months and over that period anybody who knew where to find it would have been able to access it and read all the information stored in it. Virgin Media stated that the database was accessed on at least one occasion. They were also at pains to reassure customers that the information contained no financial information or passwords and that the breach was not the result of a ‘hack’ but an ‘incorrectly configured’ database.
In an attempt to help and alleviate customers concerns over this incident Virgin Media set up a Help and Advice page to answer people’s common questions.
The page starts by addressing what happened and again reiterates that no ‘financial’ information or passwords were included in the database. What was included though was names, home and email addresses and phone numbers. They stated that in a small number of cases it also included dates of birth. Plenty of information there then for someone to try and steal your identity or attempt to take out credit cards or loans on your behalf.
A few days later it transpired that the database also contained details of a form used to ask Virgin to unblock certain websites of sensitive nature. These included the type of websites that you might not want your mum to know you visit. Potentially this gives a cyber criminal all the information that they need to send an email to these customers threatening to release viewer preferences to all the victim’s contacts to try and embarrass them unless a fee is paid. This is a common tactic used by criminals called ‘Sextortion’.
The help page then goes on to say that Virgin Media had not been hacked and, in that respect, I suppose they are correct. No actual hacking was needed seeing as the database was left unsecured on the public internet for anyone to find and access.
They also advise that should any customers be concerned that they have become the victim of a crime as a result of this data breach, then they should contact Action Fraud. Now, this is an excellent idea should you live in England or Wales. Action Fraud works very hard in lots of areas and would certainly be the place to turn, unless of course you live in Scotland. Police Scotland do not subscribe to the services offered by Action Fraud. If you live in Scotland, then the advice would be to contact 101 and speak to someone there.
Although no passwords were included in the database, on their help page Virgin Media suggest that users have a strong password. They even link to a page that gives ‘advice’ on creating a strong password.
Some of this advice is good, some of it is a little outdated to say the least. The advice states you should use a combination of uppercase, lowercase and, if possible, special characters in your password. It also states, correctly, that criminals will use a ‘dictionary’ attack to try and steal your password. This is where the attacker runs through a long list of words and tries each word to see if it matches your password. In order to combat this Virgin Media suggest a good tip is to replace letters for numbers in your password. They even give the example of replacing an S with the number 5. Criminals are smart. They know that lots of people do this and when they conduct a dictionary attack the will put in place ‘substitution’ rules to do these simple replacements of numbers for letters. In reality, the password “P@55w0rd1” is no more secure than “Password1”.
The truth is, the longer your password the more secure it is. The best passwords are at least 15 or 16 characters long. The National Cyber Security Centre (NCSC) even advise that the best passwords are made up of three random words
To make matters worse, when you try to set a password for Virgin Media, they do not allow use of special characters such as @ or !. They only let you set a password of between 8 and 10 characters that only contains letters or numbers, even though they advise you to use special characters!
What can we learn from this?
Well firstly, always double check the configurations of all your databases, ensuring that they are not publicly facing, unless they really need to be.
Secondly, do your best to make sure that any customer data is encrypted. That way if anyone does access it, it will be much harder for them to read it unless they can decrypt the data.
And thirdly, review your password policies to ensure that they are robust and match any advice that you have given users.
On a final note, make staff aware that they need to be extra vigilant and report any phishing emails that look like they are from Virgin Media. This is an ideal time for criminals to take advantage of a current news story to try and dupe people in to panic.
Virgin Media confirms data breach hits 900,000 customers
Database contained personal information related to sensitive website access requests