Who would be liable for this sort of data leak - the supplier or Virgin Media?
Who would be liable for this sort of data leak - the supplier or Virgin Media?

A student has discovered a security vulnerability in the software which Virgin Media uses for recruitment and job applications.

The vulnerability is alleged to affect between 30,000 to 50,000 job applicants, who could have had their personal details from their CV released on the internet. Alikhan Uzakov, who discovered this while filling out an application form like this one, went on to release a blog post detailing his discovery.

Uzakov has explained how when he was offered the option to upload his CV, the URL generated also revealed the name of the directory where his CV was being stored.

Uzakov said: “When I opened the directory I was able to see all past and present applications. This was a broken access control. In layman terms this means that access to certain data was allowed without authorisation.

Uzakov added: “About 30,000 to 50,000 applications, past and present, were accessible. Personal information including telephone numbers, emails, where someone lives, and other details were out there in the open: my personal information was exposed as well.”

Concluding, Uzakov said: “As soon as I found that there was a vulnerability I reported it to Virgin Media via Twitter. I didn't get a reply despite the Virgin Media account being relatively active and tweeting other people. They responded once I gave a call to the central office in London Hammersmith about 24 hours after initial contact.”

The vulnerability has now been fixed and Alikhan and Virgin Media did proceed to thank Uzakov a number of times via phone and email.

Uzakov pointed out that Virgin Media has chosen not to reward him for his find. The company said: “At the moment there is no programme to reward people for finding vulnerabilities … we can't give you a preference over other candidates since it's unfair.”

Rightly so, Uzakov reminded Virgin Media that had he been someone with malicious intent, he could have done a lot worse and might not have reported it at all. He said:“The goal of [my] post is to promote more openness. Companies should look into their security and maybe reward anyone who finds something wrong and reports it. Vulnerabilities should not be publicly disclosed until patched.”

Speaking to the Express newspaper, a spokesperson for Virgin Media said: “After a vulnerability on the third party company's website was identified, the website was suspended and the issue is being fixed. The service will be resumed soon. Virgin Media's systems were not affected in any way.”