
posted by martyb on Monday March 16 2020, @12:35AM
from the open-kimono dept.

FYI: When Virgin Media said it leaked 'limited contact info', it meant p0rno filter requests, IP addresses, IMEIs as well as names, addresses and more:

A Virgin Media server left facing the public internet contained more than just 900,000 people's "limited contact information" as the Brit cable giant's CEO put it yesterday.

In fact, the marketing database also contained some subscribers' requests to block or unblock access to X-rated and gambling websites, unique ID numbers of stolen cellphones, and records of whichever site they were visiting before arriving at the Virgin Media website.

This is according to British infosec shop Turgensec, which discovered the poorly secured Virgin Media info silo and privately reported it to the broadband-and-TV-and-phone provider. The research team today said the data spill was more extensive, and more personal, than Virgin Media's official disclosure seemed to suggest.

Here, in full, is what Turgensec said it found in the data cache that was exposed from mid-April to this month:

  • Full names, addresses, date of birth, phone numbers, alternative contact phone numbers and IP addresses – corresponding to both customers and “friends” referred to the service by customers.
  • Requests to block or unblock various pornographic, gore related and gambling websites, corresponding to full names and addresses. IMEI numbers associated with stolen phones.
  • Subscriptions to the different aspects of their services, including premium components.
  • The device type owned by the user, where relevant.
  • The “Referrer” header taken seemingly from a user's browser, containing what would appear to be the previous website that the user visited before accessing Virgin Media.
  • Form submissions by users from their website.

[...] The leaky server has since been hidden from view. Virgin Media's CEO Lutz Schüler said last night: "Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used."

He added: "The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home and email addresses and phone numbers."

[...] In a separate email to its subscribers this week, Virgin Media tried to reassure its punters that the only records accessible from the marketing database were "contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website."

As it turns out, the words "technical and product information" were doing an awful lot of heavy lifting. Turgensec's strategically worded statement stops short of accusing Virgin Media of outright lying, but it is still rather damning.

"We cannot speak for the intentions of [Virgin Media's] communications team but stating to their customers that there was only a breach of 'limited contact information' is from our perspective understating the matter potentially to the point of being disingenuous," the infosec house said on Friday.

Turgensec also quibbled with the ISP's attempt to blame the security blunder on IT workers “incorrectly configuring” an internet-facing database. Rather, the database – which was filled with unencrypted plain-text records – was a sign of "systematic assurance process failure," Turgensec said.


  • (Score: 2) by isostatic on Monday March 16 2020, @01:18PM (1 child)

    by isostatic (365) on Monday March 16 2020, @01:18PM (#971859)

    Would love to know what their justification of storing the referrer header is.

    The purpose of the GDPR is to limit the amount of information stored. Clearly opting in or out of a porn/gambling filter needs to be stored, and name, address and contact details, and subscription details, are needed for business purposes; I can't think of any legitimate reason to keep referral data.

  • (Score: 2) by PiMuNu on Monday March 16 2020, @05:20PM

    by PiMuNu (3823) on Monday March 16 2020, @05:20PM (#971939)

    > any legitimate reason to keep referral data.

    Presumably analytics - i.e. where should they put their advertising, who do they need to pay for clicks. That may not be legitimate by the standards of GDPR, depending on their T+Cs.