Virgin’s communication strategy can easily be analysed by non-PR people such as myself, but the important lesson here is how critical it is to identify company assets, and more specifically “incorrectly configured” assets, a term used by Virgin in its breach notice.
Ten months is a long time for all that data to have just been sitting there, waiting to be found. Well-defined and well-executed security processes to keep IT assets patched, together with security technologies to prevent, detect and react to security events, should help prevent such a lengthy breach.
One more crucial element is having well-trained teams, who provide the additional layer that technology can’t: human judgement, business understanding and critical thinking.
Can it happen to any company? Definitely yes! Could Virgin have addressed this matter better from a security perspective? Most probably so.