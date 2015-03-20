[...] The leaky server has since been hidden from view. Virgin Media's CEO Lutz Schüler said last night: "Based upon our investigation, Virgin Media does believe that the database was accessed on at least one occasion but we do not know the extent of the access or if any information was actually used."

He added: "The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home and email addresses and phone numbers."

[...] In a separate email to its subscribers this week, Virgin Media tried to reassure its punters that the only records accessible from the marketing database were "contact details (such as name, home and email address and phone numbers), technical and product information, including any requests you may have made to us using forms on our website."

As it turns out, the words "technical and product information" were doing an awful lot of heavy lifting. Turgensec's strategically worded statement stops short of accusing Virgin Media of outright lying, but it is still rather damning.

"We cannot speak for the intentions of [Virgin Media's] communications team but stating to their customers that there was only a breach of 'limited contact information' is from our perspective understating the matter potentially to the point of being disingenuous," the infosec house said on Friday.

Turgensec also quibbled with the ISP's attempt to blame the security blunder on IT workers "incorrectly configuring" an internet-facing database. Rather, the database – which was filled with unencrypted plain-text records – was a sign of "systematic assurance process failure," Turgensec said.