The security breach involved phone numbers, home addresses and emails but no financial information or passwords added the mobile phone group.
It is one of the largest data breaches to occur in the UK and at least one person outside of the company accessed the information, said Virgin.
However, it added it was the result of human error and not a cyberattack.
Even so, following the introduction of GDPR Virgin potentially faces a hefty fine for the mistake.
Once organisations become aware of a data breach they have up to 72 hours to inform the industry regulator the ICO.
Companies found to be in breach of the rules can face a fine of up to £17.6mln or 4% of global revenues, whichever is larger.