While some areas and organizations tend to be more vulnerable to a cyberattack or other security incidents involving data, it’s vital for all businesses to consider the cyber threat landscape. Hackers are increasingly prolific and use increasingly advanced methods and technology to perpetrate data breaches.
With data breach reporting, everyone can keep up-to-date with cyber risks, learn from mistakes committed by others, and maintain robust security measures to protect sensitive information, such as personally identifiable information (PII), medical records, or financial details. This post will examine some of the largest data breaches to affect businesses in the United Kingdom.
The Largest UK Data Breaches Ranked by Impact
The following list comprises the largest data breaches in the UK ranked by impact (typically by the number of records or customers affected), including the type of sensitive data compromised, and an examination of how the data breach or cyber incident occurred.
1. Dixons Carphone
Date: July 2017 – April 2018
Impact: 14 million personal records and 5.6 million payment card records
Dixons Carphone (now Currys) is a major British electronics and telecoms retailer and services provider that runs a number of UK retailers, including Currys PC World and Carphone Warehouse. In July 2017, hackers gained unauthorized access to about 10 million personal records and almost 6 million payment cards, affecting almost 14 million customers, by installing malicious software on over 5000 tills across various locations across England.
Personal information that was compromised included:
- Customer names
- Physical addresses and zip codes
- Email addresses
- Failed credit checks
- Credit card numbers
What worried many people most about this breach is that Dixons Carphone took so long to report the extent of the data security failure. In June 2018, almost a year after the data breach began, the company said about 1.2 million personal records had been affected. Then, just a month later, in July 2018, it admitted that almost ten times that number had been compromised.
In the case of the payment cards, the firm claimed that the vast majority were protected by the chip and pin 2FA system. Although nearly 100,000 non-EU cards didn’t have that protection, Dixons Carphone reported finding no confirmed evidence of fraud relating to customers.
The Information Commissioner’s Office (ICO) launched an investigation that found the data of 14 million customers had been compromised between July 2017 and April 2018. The source, it said, was malware installed on 5,390 cash registers at Dixons Travel and Currys PC World stores.
The ICO fined Dixons Carphone £500,000 (about $607,000) for “systemic failures” resulting in inadequate security measures and allowing vulnerabilities such as inadequate security testing and software patching. Carphone Warehouse, a subsidiary of Dixons Carphone, had been fined £400,000 just a year earlier for similar vulnerabilities that the company failed to patch, resulting in the maximum £500,000 fine.
Dixons apologized to its customers but suffered a severe loss of customer trust. Declining income led to the closure of about 100 Carphone Warehouse stores within a year. The Carphone Warehouse part of the business closed its doors for the last time in 2020 as a result of this massive data breach and market-related challenges. In 2021, the company was completely rebranded to Currys following a series of subsequent company-wide missteps and fines.
2. Equifax
Date: 2011–2016
Impact: Around 15.2 million UK customer records.
In 2016, major credit monitoring firm Equifax suffered a breach affecting more than 15 million UK customer records that had been accessed over five years, including sensitive data of about 700,000 UK customers. The total impact of the data breach was around 145 million people, affecting customers based in the US.
For UK customers, unauthorized access included:
- Around 10,000 credit card numbers
- About 30,000 driving license details
According to Equifax, most of the exposed records didn’t pose a risk to British consumers. It proposed using proprietary and third-party risk-mitigation solutions to minimize the risk of criminal activity such as identity theft.
The cause of the data breach was traced back to a technician who failed to apply a security framework correctly, leaving the database vulnerable. Equifax was criticized for not responding promptly to evidence of human error and technological failures. In 2019, Equifax agreed to a massive settlement with the FTC for $575 million and the maximum fine under EU regulation of £500,000.
3. EasyJet
Date: October 2019 – March 2020
Impact: 9 million customers & 2200 credit card details
In May 2020, EasyJet discovered that a data breach had allowed access to 9 million customer records. The breach affected customers that booked flights with the airline between October 17, 2019, and March 4, 2020.
While EasyJet became aware of the breach in January 2020, the firm didn’t release information to the public until May, saying only that it had been a highly sophisticated attack and that the hackers were more likely to have been targeting intellectual property than customer data.
The airline’s forensic investigation found that hackers accessed the credit card details of 2208 customers. Apart from this subset of customers, cybercriminals didn’t access other credit card details or passport numbers. Additionally, the security team found no evidence of misuse of personal information.
However, by May 2020, Action Fraud, the UK cybercrime reporting agency, had received 51 credit card fraud reports that stemmed from the EasyJet security breach. Currently, the UK ICO is investigating the incident, and EasyJet could face fines of up to 4% of the airline’s 2019 turnover of £6.3 billion.
4. The National Health Service (NHS)
Date: July 2011 – July 2012
Impact: Over 1.8 million health and employee records
The NHS is a publicly funded healthcare system in England, one of four major systems in the UK. Quantifying the impact of data breaches on the NHS is complex because it involves so many healthcare organizations. However, the series of breaches was one of the largest to affect the healthcare industry in the UK.
The NHS data breach was the result of 16 major breaches and data leaks from NHS healthcare entities during the year leading up to July 2012. The security breaches took place across multiple units of the National Health Service, including:
- Central London Community Healthcare NHS Trust
- Belfast Health and Social Care Trust
- Torbay Care Trust
- NHS Surrey
- Brighton and Sussex University Hospitals NHS Trust
Central London Community Healthcare NHS Trust
The ICO fined Central London Community Healthcare NHS Trust £90,000 for violating the Data Protection Act. The Pembridge Palliative Care Unit repeatedly faxed patient lists to an incorrect recipient over three months in 2011, sending 45 faxes in total and compromising the sensitive information of 59 individuals, including:
- Medical diagnoses
- Domestic situations
- Resuscitation instructions
Belfast Health and Social Care Trust
This data breach was caused by sensitive patient information left accessible at Belvoir Park Hospital. The error occurred when six local trusts were merged, and BHSC became responsible for over 50 sites.
When criminals physically broke into Belvoir Park Hospital in 2010, they photographed and uploaded patient and staff records, some dating back to the 1950s. Despite the hospital improving physical security, another physical data breach occurred in April 2011.
The compromised data comprised thousands of patient and staff records, including:
- Medical records
- Scans of lab results
- X-rays
- Staff information, including unopened payslips
The ICO’s investigation determined that the Trust failed to take adequate steps to secure information and fined the hospital £225,000. Additionally, the Trust implemented a policy of destroying unneeded records.
Torbay Care Trust
Torbay Care Trust was fined £175,000 when it accidentally published online a spreadsheet containing the personal information of over 1000 NHS employees, including:
- Names
- Birth dates
- Salaries
- National insurance ID numbers
Although no patient data was directly compromised, the ICO viewed the incident as a major failure of security policies due to a lack of guidance for employees and no system of checks to identify data leakage.
NHS Surrey
NHS Surrey was fined £200,000 by the ICO when over 3000 patient records were discovered online. The security breach was the result of secondhand NHS computers that had been auctioned off on eBay, ones that the data and hardware destruction company had failed to destroy properly. The ICO also found three additional NHS computers containing sensitive patient information, all of which had been sold online.
Responsibility nonetheless lay with NHS Surrey for failing to monitor and check with its third-party service provider that records had been properly destroyed. The service provider offered free destruction services in exchange for salvaged parts but had failed to destroy the hard drives containing the sensitive information.
Brighton and Sussex University Hospitals NHS Trust
Brighton and Sussex University Hospitals NHS Trust received the largest ICO fine among the NHS data breaches, £325,000, when it was discovered that hard drives containing tens of thousands of patient records had been sold online. Sometime between October and November 2010, 252 hard drives were auctioned off and sold on eBay, containing information including:
- Patient medical conditions
- Disability records
- Disability living allowances
- Children’s patient reports
In a similar situation to NHS Surrey, Brighton and Sussex University Hospitals NHS Trust had contracted a hardware destruction company to dispose of the hard drives, which it had failed to do. The hospital claimed it couldn’t afford the fine and appealed the ICO’s decision. However, it lost the appeal and settled to pay a reduced fine of £260,000.
5. Virgin Media
Date: March 2020
Impact: 900,000 customers
- Customer names
- Home addresses
- Email addresses
- Phone numbers
- Device type
- Subscription type
The data leak occurred through a database misconfiguration by an employee who failed to follow correct procedures. Virgin Media quickly discovered the breach and shut down all related databases containing the leaked information.
6. JD Wetherspoon
Date: June 2015
Impact: Over 650,000 customers
High-street pub chain JD Wetherspoon found out in December 2015 that there had been a data breach, about six months after the breach took place. It’s believed that a Russian group was behind the attack, hacking the chain’s old website for payment card details.
The stolen data included the following:
- Dates of birth
- Email addresses
- Phone numbers
- Last four digits of payment cards
The cybercriminals uploaded the customer details to the dark web, intending to sell them. Fortunately, the business said the limited card payment details compromised could not be used to commit fraud. JD Wetherspoon officials said that it had taken so long to detect the data breach only because a third-party company hosted the website.
JD Wetherspoon ultimately was not fined by the ICO, and CEO John Hutson reiterated that adequate steps had been taken to secure data on the primary domain and no customers had been compromised.
7. British Airways
Date: June 2018 – September 2018
Impact: 500,000 payment card details
In 2018, British Airways suffered a data breach that compromised the payment card information of almost 500,000 customers. The attack originated from the British Airways website, leading to the theft of customer data through a third-party payment service. Cybercriminals diverted user traffic from the official British Airways website to a fraudulent site where they harvested data, compromising about 500,000 customers.
The regulator’s investigation uncovered weak security measures that left sensitive data inadequately protected, including:
- Access credentials
- Name and address information
- Payment card information
- Travel booking details
The ICO intended to fine British Airways £183.4 million, the equivalent of 1.5% of its global turnover in 2017. Many considered this lenient considering the General Data Protection Regulation (GDPR) authorizes regulators to fine violators as much as 4% of their annual global turnover. However, after considering the company’s testimony and the economic damage of COVID-19, the ICO agreed to reduce the fine to £20 million.
This is still the largest fine ever issued by the ICO for a GDPR violation. Additionally, many customers had to cancel their credit cards after the incident, for which British Airways offered to compensate those financially affected by the data breach.
8. Wonga
Date: April 2017
Impact: Up to 270,000 customer records
The UK’s largest payday loan company, Wonga, suffered a data breach in 2017 that compromised the data of up to 270,000 of the firm’s millions of customers. This is one of the UK’s largest data breaches involving financial information. The breached data of past and present customers included:
- Customer names
- Bank account numbers
- Sort codes
- The last four digits of bank cards
Wonga officials said the data breach affected about 245,000 UK customers and 25,000 from Poland. Alongside a series of poor business practices, Wonga ultimately fell into administration, marking the shutdown and closure of the company.
9. Three Mobile UK
Date: November 2016
Impact: 130,000 customer records
Telecom and internet service provider Three suffered a data breach in 2016 when cybercriminals gained unauthorized access to the firm’s upgrade database using an employee’s access credentials. The goal was to falsely approve phone upgrades for customers and attempt to steal the device upgrades before they reached their destination.
According to a company spokesman, cybercriminals accessed over 130,000 customers’ personal details to make fake smartphone upgrades. The fraudsters are believed to have ordered phone upgrades for over 400 customers and intercepted the phones before they arrived.
Financial details remained uncompromised during the hack, but the cybercriminals were able to access the following personal data:
- Customer names
- Phone numbers
- Dates of birth
- Home addresses
Ultimately, three individuals were arrested in connection with the security breach and device fraud.
10. TalkTalk
Date: October 2015
Impact: 157,000 records
The TalkTalk data breach was an attack that occurred in 2015, resulting in over 157,000 records being exposed, including financial data from over 15,000 bank accounts. In addition, hackers acquired:
- Customer names
- Addresses
- Dates of birth
- Email addresses
- Phone numbers
- Credit card information
- Bank details
Fortunately, the card numbers were obscured, making them unusable in that form.
The attack occurred when TalkTalk acquired Tiscali’s UK operations, which gave hackers the opportunity to access the database by exploiting known SQL injection vulnerabilities.
The ICO investigated TalkTalk’s compliance with the Data Protection Act and issued a sizable £400,000 ($510,000) fine out of a maximum of £500,000. It concluded that the firm had failed to implement basic security measures that would have prevented the data breach and properly protected customers’ personal data. Additionally, TalkTalk revealed that the cyber attack had cost the company more than 100,000 customers and £60 million ($76 million) spent on mitigating the data breach.
11. Interserve
Date: May 2020
Impact: 113,000 staff records
The attack led to 16 compromised accounts and 283 compromised systems. The attackers also uninstalled the firm’s antivirus solution. They encrypted the personal data of 113,000 staff members, including:
- Contact details
- Bank account details
- National insurance numbers
- Religion
- Ethnic origin
- Sexual orientation
- Disability information
- Health information
UK Information Commissioner John Edwards said in response to the incident, “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
Upon investigation, the ICO found that Interserve had violated a number of policies, including:
- Continued use of obsolete server operating systems
- Lack of information security training for employees
- Use of obsolete network protocols
- Poor privileged account management
- Poor incident response
Two years later, Interserve was fined £4.4 million for failure to enact adequate security policies and breaching data protection law. Additionally, the company went into administration due to a series of financial issues and bad business practices and was sold off and broken apart to foreign companies.
12. Camelot Group
Date: November 2016
Impact: 26,500 customer records
Camelot Group’s National Lottery website was targeted by cybercriminals in late 2016, who accessed 26,500 out of 9.5 million customer records. In fewer than 50 cases, the hackers stole the same access credentials that customers used on other online services.
Compromised data included:
- Customer names
- Dates of birth
- Transaction histories
- Account preferences
- Last four digits and the expiry date of payment cards
Camelot was able to quickly suspend all affected accounts and worked closely with the NCSC to catch the criminals. The ICO assessed no fines after the incident.
13. Debenhams Flowers
Date: February 2017 – April 2017
Impact: 26,000 customers
Retailer Debenhams reported in April 2017 that 26,000 of its customers had their personal data compromised through a third-party e-commerce company. Only Debenhams Flowers customers were affected, not Debenhams.com customers. The data that was compromised included:
- Names
- Addresses
- Payment details
Debenhams Flowers has not been fined and has worked quickly with Ecomnova to prevent fraudulent charges. In addition, it does not appear that data was misused in the aftermath of the attack.
14. Travelex
Date: December 2019
Impact: 17,000 customers
On New Year’s Eve 2019, currency exchange firm Travelex suffered a data breach in the form of a ransomware attack (specifically, Sodinokibi), with cybercriminals locking employees out of their systems and stopping currency transactions across the UK. In response, the firm shut down websites across 30 countries.
The hackers demanded around £5 million for the safe return of 5GB of stolen sensitive customer data, including:
- Dates of birth
- National insurance numbers (social security numbers)
- Credit card information
The cybercriminals achieved the data breach by exploiting a vulnerability in the firm’s virtual private network (VPN), allowing them to gain unauthorized access without valid access credentials. They could also disable multi-factor authentication, as well as view logs and cached passwords.
Although the VPN vendor had addressed this vulnerability months before the attack, Travelex failed to apply the patch. It also failed to notify the ICO within 72 hours that there had been a breach that posed a risk to people’s rights and freedoms, which comes with a penalty of 4% of the company’s global turnover.
The Peterborough-based firm paid more than £2 million in bitcoin of a demanded £4.6 million to the ransomware gang. Additionally, it suffered four months of business interruption with the company taking down its site, affecting private customers and large business partners, including HSBC and Royal Bank of Scotland.
It was estimated that Travelex and its parent company, Finablr, lost roughly £25 million in Q1 of 2020 due to the cyber attack. Soon after, Travelex went into administration and underwent a complete company restructuring to reduce its debt.
15. Tesco Bank
Date: November 2016
Impact: 8,261 customers, £2.26 million stolen
British retail bank Tesco Bank was hit by cybercriminals in 2016, resulting in almost £2.26 million stolen from customer bank accounts. The bank’s attempts to limit the damage by acting quickly and freezing its online systems successfully thwarted over 80% of the attacks, but the hackers had already taken money out of over 8000 accounts. It took the Tesco Bank fraud protection team two days from the time the breach was noted to stop the attack.
Because there were thousands of attempts to make false transactions, the speculation is that the hackers generated authentic debit card numbers and tried to make transactions that took money from customer accounts.
The Financial Conduct Authority (FCA) cited that Tesco Bank’s method of distributing debit card numbers was at fault: it issued debit card numbers in sequential order, which allowed the hackers to quickly generate new false debit cards based on the next number in the sequence.
The FCA also fined Tesco Bank £23.5 million for the incident, citing failure to respond quickly to the attack, using a faulty card distribution system, only blocking fraudulent credit card transactions and not debit cards, and using a weak authorization system. Because Tesco Bank cooperated fully with the FCA and compensated customers fully, the fine was ultimately reduced to £16.4 million.
