Lawyer: Virgin Media Could Face £4.5 Billion in Penalties for Data Leak

The penalties could be quite steep for Virgin Media, according to one lawyer. He says compensation could be around £5000 per claimant. The math takes over from there.

Earlier this month, we brought you a report that Virgin Media had suffered from a data leak. In all, 900,000 customers had been exposed. The data was left on a server for a period of 10 months. While some were downplaying the severity of the leak, some researchers suggest that the data included intimate information about affected customers. This includes customers’ porn browsing habits, among other things.

While 900,000 customers is a pretty small number by Freezenet standards, that doesn’t mean the bill facing the company is small by any means. This is because the ISP, in part, is situated in a GDPR country. So, unlike a country like Canada, privacy laws actually have teeth. Of course, GDPR is only one angle. There is also the more nebulous nature of civil penalties. At least one lawyer is saying that the penalties could reach into the billions of pounds. In a story that suggests that a class action lawsuit is headed Virgin Media’s way, an observation was made that Virgin Media could face £5000 in penalties per claimant. Simple multiplication suggests that penalties could run up to £4.5 billion. From Infosecurity Magazine:

Aman Johal, director at Your Lawyers, the legal firm supporting those affected in taking action, stated: “Virgin Media failed to take the steps required to keep customer data safe. It is vital for the company to understand the severity of this breach. When data is left exposed online it is open season for fraudsters to scam and attack vulnerable people. Your Lawyers has formally notified Virgin Media that we are taking action and our claimant base is growing daily. We urge anyone affected by the breach to make a claim as soon as possible.”

The breach was caused by an incorrectly configured database, and exposed sensitive customer information such as full names, email addresses, dates of birth and contact numbers since at least April 19 2019. Additionally, some customers had details of their contract exposed. This included requests to block or unblock pornographic or explicit websites, potentially enabling blackmail and extortion opportunities for fraudsters.

Johal added: “This is a serious breach of consumer rights and it’s time companies like Virgin Media abide by the law and implement stricter cybersecurity measures to protect its customers from future data breaches. There’s simply no excuse now given the volume of preceding breaches, and this was an avoidable event. Even though the breach occurred due to ‘human error,’ we must hold Virgin Media to account.”

The other thing about this is how GDPR could theoretically be a factor in all of this as well. It all depends on how the information was stored, what policies are in place, when and (if so) how the company notified authorities, but the company could face liabilities thanks to the GDPR. If authorities find fault with how Virgin Media handled people’s personal information or how it was reported, then the company could be liable for 2% of annual global turnover. That alone can easily sting any company of any size.

This is definitely a reminder that when word of a leak or breach first comes out, this is only the beginning of a long and painful road. There’s law enforcement involvement, legal involvement, possible court cases, and internal and external investigations, to name a few things that can happen.

In an ideal world, other companies will see something like this happen and think, “Hey, maybe we should make sure something like this never happens to me” and take preventative measures accordingly. Whether it’s the social aspect of losing people’s personal information, the legal liabilities that can ensue, or the prospect of share values tanking in the process, there are a lot of theoretical ways that stories like this should spur better policies to protect people’s personal information.

Unfortunately, the reality is that a lot of companies, when they do see stories like this, simply sit back and think, “Wow, sucks to be them, but that will never happen to me” and carry on with business as usual. The problem with business as usual is that things have changed in the last few decades, where everything is being digitized. This raises the prospect of hundreds of thousands or millions of people’s data being easily transmitted into the wrong hands, as opposed to the prospect of, at worst, accidentally leaving a box of 25 people’s personal information lying around in a parking lot. We’ve experienced a major shift in technology, and common sense security needs to adjust accordingly.

Another problem with these major data leaks and breaches is that they can be difficult for the human mind to comprehend. Not everyone is able to grasp the gravity of losing, say, 900,000 customers’ information. It can get to the point where it just looks like a number. When the thinking goes back to it just being a number, it can stunt action because, who cares? It’s just a number, right? So, what gets lost in all of this is that there are actual people behind those numbers. Whether it’s a stolen credit card or compromising information on you out there, it doesn’t necessarily lessen the hurt people experience.

If you see an unexplained $10,000 charge on your credit card, chances are, it will feel like your whole world is turned upside down. Most people will look at that and say, “I’m going to lose my apartment/basement suite/house”. Unless you are an ultra wealthy person, losing $10,000 all of a sudden is completely life altering. The knee jerk reaction to that may be talking to the bank about it to get it reversed, but that is no guarantee that you’ll get the money back or the charge cancelled. There are stories out there where banks or credit cards simply look at the victim and say, “This is your fault, you didn’t secure your information, we’re not going to cover that.”

The unfortunate thing in all of this is that we are going to continue to see cases like this in the future as well. GDPR is working on fixing this situation while other countries are simply lagging behind on the legal front. More people are going to get hurt and liabilities will continue to rack up. As long as attitudes stay the same that all of this is no big deal or it doesn’t affect them, we’ll continue to see stuff like this in the future at a scary rate. The only people who are celebrating all of this are the identity thieves and scammers because this gravy train of fraud isn’t stopping any time soon.

Drew Wilson on Twitter: @icecube85 and Facebook.
