Virgin Media loses 3,000 customer bank details

Unencrypted bank account details were recorded to a CD and transferred by hand

Virgin Media has confessed to losing the bank details of 3,000 new customers last month.

The company is currently phoning the affected customers and has contacted all but a few hundred, a Virgin Media spokesman told vnunet.com.

All the customers involved have been offered credit file protection, in essence a close watch on all their financial transactions, and automatic indemnity should a theft occur.

The lost data concerned customers who signed up for Virgin Media services at Carphone Warehouse.

Unencrypted bank account details were recorded to a CD and transferred by hand between Virgin Media headquarters and another office. During the journey, on 29 May, the CD was lost.

There is no evidence that the CD has fallen into criminal hands, the spokesman told vnunet.com.

Copying customer details to CD is forbidden under Virgin Media's data handling policy, the spokesman said. Policy dictates that such data should be encrypted and transferred by FTP.

"This is an isolated incident which has affected a small number of our customers," Virgin Media said in a prepared statement.

"We are in the process of contacting all of the affected customers to ensure we meet our responsibilities and fully support them through this process."

Virgin staff receive rolling data protection training which is refreshed regularly, the spokesman told vnunet.com, adding that the individual responsible is "being dealt with" and "has probably learned their lesson".

"Customer privacy is of the highest important to us and we are undertaking a full review of our data protection policies and practices to ensure this matter does not occur again," he said.

"We are very sorry this situation has occurred and for the inconvenience this has caused our customers."

Virgin has reported the loss to the Office of the Information Commissioner (ICO), which is investigating the incident.

A spokeswoman for the ICO told vnunet.com that the investigation has only just begun and that no decision has yet been made as to what action will be taken against Virgin Media.

Under the newly enacted Criminal Justice and Immigration Act the ICO has the power to impose substantial fines on companies which flagrantly breach data protection laws.

"It is of great concern that Virgin Media did not encrypt the disc containing personal information as this is one security measure that can help prevent data breaches from occurring," said a prepared statement from the ICO.

"The Information Commissioner has called for stronger powers to enable the ICO to carry out inspections without consent to ensure effective compliance with the Data Protection Act.

"It is important that these powers extend to the private sector as well as to government departments."

The incident is reminiscent of the catastrophic data loss at the HM Revenue & Customs last year when two CDs containing the details of millions of citizens were put into the internal mail and lost.