Cybersecurity · Telecommunications · 2020
Virgin Media Limited
Virgin Media Limited left a marketing database containing personal data of approximately 900,000 customers incorrectly configured and publicly accessible online for approximately ten months between April 2019 and February 2020. The ICO found Virgin Media failed to conduct a Data Protection Impact Assessment for the database, failed to apply basic access controls, and failed to maintain procedures for regular security testing — the misconfiguration was discovered not by Virgin Media's own monitoring but by a security researcher. The exposed data included names, home addresses, email addresses, and phone numbers.
Fine Imposed: €585,000.0
Authority: ICO-UK
Regulation: UK General Data Protection Regulation + Data Protection Act 2018
Max fine: Higher tier: £17.5M or 4% of global annual turnover; standard tier: £8.75M or 2%
Status: active
Key Takeaways
- Database security configuration is a GDPR Art. 32 obligation — organisations must implement access controls, conduct DPIAs for new data assets, and run regular security testing rather than relying on external discovery of misconfigurations.