Vulnerability exploit | Resolved

Virgin Mobile Polska data breach

An unauthorised party exploited a flaw in Virgin Mobile Polska's prepaid-registration application to access the personal data of over 114,000 subscribers, including PESEL identity numbers and ID-card details. Poland's data-protection authority fined the operator nearly PLN 2 million for inadequate security testing.

Victim: Virgin Mobile Polska
Records: 115.0K
Users: 115.0K

On 2 January 2020, Virgin Mobile Polska, a Polish mobile virtual network operator, informed customers that an unauthorised person had accessed the personal data of subscribers by exploiting a flaw in the company's prepaid-service registration system. The case became one of Poland's most-cited GDPR enforcement actions.

What happened

Virgin Mobile Polska's IT system was designed so that data exchange between internal applications would occur only after verifying certain parameters drawn from prepaid customers' registration applications, a check meant to confirm that any request to transfer data came from an authorised entity. In practice, that verification did not work, and the mechanism had never been properly tested before deployment.

An unauthorised party discovered the broken verification logic and used it to extract subscriber records, essentially abusing an application loophole rather than breaking encryption or stealing credentials. The operator detected the breach in December 2019 and notified the Polish supervisory authority (UODO) on 18 December 2019.
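The failure described above is a request-authorisation check between internal applications that existed on paper but was never enforced or tested. The following is an added illustration, not code from Virgin Mobile Polska or from any source cited here: it shows a minimal signed-request check between two internal services (the secret, parameter names and subscriber IDs are constructed placeholders), a deliberately broken verifier that models the "present but ineffective" defect class, and a small automated check suite of the kind that GDPR Article 32's "regular testing" expects to run before every deployment.

```python
import hashlib
import hmac
import json

# Constructed sample secret for the example only; a real deployment would
# load it from a secrets store and rotate it.
SHARED_SECRET = b"example-shared-secret-do-not-use"


def canonicalize(params: dict) -> bytes:
    """Deterministic encoding so caller and callee sign exactly the same bytes."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def sign_request(params: dict, secret: bytes = SHARED_SECRET) -> str:
    """Caller side: HMAC-SHA256 over the canonical parameters."""
    return hmac.new(secret, canonicalize(params), hashlib.sha256).hexdigest()


def verify_request_broken(params: dict, signature: str) -> bool:
    """Models the defect class in the incident: the check exists but does not gate anything."""
    _expected = sign_request(params)  # computed, then ignored
    return True  # bug: comparison result never used, so every request is accepted


def verify_request(params: dict, signature: str, secret: bytes = SHARED_SECRET) -> bool:
    """Callee side: reject anything whose signature does not match the parameters."""
    if not isinstance(signature, str) or len(signature) != 64:
        return False
    expected = sign_request(params, secret)
    return hmac.compare_digest(expected, signature)  # constant-time compare


def handle_transfer(params: dict, signature: str, verifier) -> dict:
    """Data-transfer endpoint: release the record only if the verifier accepts the request."""
    if not verifier(params, signature):
        return {"status": "rejected"}
    return {"status": "ok", "subscriber_id": params["subscriber_id"]}


def run_verification_checks(verifier) -> dict:
    """Automated pre-deployment checks for the authorisation mechanism.

    Every entry must be True for the verifier to be considered effective.
    The broken verifier passes 'accepts_signed' but fails all rejection cases,
    which is exactly the condition regular testing is meant to surface.
    """
    legit = {"subscriber_id": "SUB-0001", "caller": "registration-app", "action": "export"}
    good_sig = sign_request(legit)
    tampered = dict(legit, subscriber_id="SUB-0002")  # same signature, different target
    return {
        "accepts_signed": verifier(legit, good_sig),
        "rejects_unsigned": not verifier(legit, ""),
        "rejects_tampered_params": not verifier(tampered, good_sig),
        "rejects_wrong_key": not verifier(legit, sign_request(legit, b"other-key")),
    }


if __name__ == "__main__":
    for name, v in (("broken", verify_request_broken), ("fixed", verify_request)):
        results = run_verification_checks(v)
        print(name, "effective" if all(results.values()) else "INEFFECTIVE", results)
```

The point of the suite is that it asserts on rejection, not only on acceptance: a verifier that silently accepts everything looks fine in a happy-path test and only fails when forged, unsigned and re-keyed requests are part of the regular check.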

Impact

  • The personal data of 114,963 subscribers was accessed.
  • Exposed fields included names, PESEL national identity numbers, ID-card series and numbers, telephone numbers, and NIP tax identifiers.
  • Because PESEL and ID-card data underpin identity verification across Polish banking and government services, affected subscribers faced an elevated identity-theft risk.

Regulatory outcome

On 3 December 2020, UODO imposed a fine of PLN 1,968,524 (about EUR 460,000) on Virgin Mobile Polska. The regulator's core finding was not the breach itself but the company's failure to regularly and systematically test, measure, and evaluate the effectiveness of its technical safeguards, a direct breach of GDPR's "security of processing" and accountability principles. After the operator challenged the decision and a court remanded it, the supervisory authority re-examined the case in 2023 and again concluded the measures had been inadequate.

Why it matters

The Virgin Mobile Polska case is a landmark interpretation of GDPR Article 32: regulators made clear that ad-hoc or incidental security reviews do not satisfy the requirement for regular testing of technical measures. For telecom operators handling national identity numbers at scale, the decision underscored that untested application logic is itself a compliance failure: the absence of a known exploit does not excuse the absence of proactive security validation.

Timeline

  1. An unauthorised party exploits a verification flaw in Virgin Mobile Polska's prepaid-registration application to access subscriber data.

  2. Virgin Mobile Polska notifies Poland's data-protection authority (UODO) of the personal-data breach.

  3. The operator publicly informs customers that registration confirmations containing personal data were accessed by an unauthorised person.

  4. UODO imposes a fine of PLN 1,968,524 (about EUR 460,000) for insufficient technical and organisational safeguards, including lack of regular testing.

  5. After a court remand, the Polish supervisory authority re-examines the case and again finds the security measures inadequate.

Sources

  1. edpb.europa.eu: https://www.edpb.europa.eu/news/national-news/2021/polish-dpa-virgin-mobile-polska-incidental-safeguards-review-not-regular_en
  2. dudkowiak.com: https://www.dudkowiak.com/blog/gdpr-nearly-pln-2-million-fine-imposed-on-virgine-mobile-polska-for-violation-of-the-gdpr.html
  3. edpb.europa.eu: https://www.edpb.europa.eu/news/national-news/2023/polish-sa-has-once-again-investigated-virgin-mobiles-personal-data-breach_en
  4. en.wikipedia.org: https://en.wikipedia.org/wiki/Virgin_Mobile_Polska
