Biggest Data Breaches in the UK [Updated 2025] | Cybersecurity

While some locations and organizations are generally more susceptible to a cyberattack or other security incidents involving data, it is critical for all companies to consider the cyber threat landscape. Hackers are increasingly prolific and use increasingly advanced techniques and technology to perpetrate data breaches.


With data breach reporting, everyone can stay up to date with cyber risks, learn from mistakes made by others, and maintain strong security measures to protect sensitive information, such as personally identifiable information (PII), medical records, or financial details. This post will examine some of the biggest data breaches to affect businesses in the UK.

The Biggest UK Data Breaches Ranked by Impact

The following list includes the largest data breaches in the UK ranked by impact (generally by the number of records or customers affected), along with the type of sensitive data compromised, and an examination of how the data breach or cyber incident occurred.

1. Dixons Carphone

Date: July 2017 – April 2018

Impact: 14 million personal records and 5.6 million payment card records

Dixons Carphone (now Currys) is a major British electronics and telecoms retailer and services provider that runs a range of UK stores, including Currys PC World and Carphone Warehouse. In July 2017, hackers gained unauthorized access to about 10 million personal records and almost 6 million payment cards, affecting almost 14 million customers, by installing malicious software on over 5000 tills across various locations across England.

Personal information that was compromised included:

- Customer names
- Physical addresses and zip codes
- Email addresses
- Failed credit checks
- Credit card numbers

What worried many people most about this breach is that Dixons Carphone took so long to report the extent of the data security failure. In June 2018, almost a year after the data breach started, the company said about 1.2 million personal records had been affected. Then, just a month later, in July 2018, it admitted that almost ten times that number had been compromised.

In the case of the payment cards, the firm claimed that the vast majority were protected by the chip and PIN 2FA system. Although nearly 100,000 non-EU cards did not have that protection, Dixons Carphone reported finding no confirmed evidence of fraud relating to customers.

The Information Commissioner's Office (ICO) launched an investigation that found the data of 14 million customers had been compromised between July 2017 and April 2018. The source, it said, was malware installed on 5,390 cash desks at Dixons Travel and Currys PC World stores.

The ICO fined Dixons Carphone £500,000 (about $607,000) for "systemic failures" resulting in inadequate security measures and allowing vulnerabilities such as inadequate security testing and software patching. Carphone Warehouse, a subsidiary of Dixons Carphone, had been fined £400,000 just a year earlier for similar vulnerabilities that the company did not patch, resulting in the maximum £500,000 fine.

Dixons apologized to its customers but suffered a severe loss of customer trust. Declining profits led to the closure of about 100 Carphone Warehouse stores within a year. The Carphone Warehouse part of the business closed its doors for the last time in 2020 due to this massive data breach and market-related challenges. In 2021, the company was fully rebranded to Currys following a series of subsequent company-wide missteps and fines.

2. Equifax

Date: 2011–2016

Impact: Around 15.2 million UK customer records.

In 2016, major credit monitoring firm Equifax suffered a breach affecting more than 15 million UK customer records that had been accessed over 5 years, including sensitive data of about 700,000 UK customers. The total impact of the data breach was around 145 million people, affecting customers based in the US.

For UK customers, unauthorized access included:

- Around 10,000 credit card numbers
- About 30,000 driving license details

According to Equifax, most of the exposed data did not pose a risk to British consumers. It proposed using proprietary and third-party risk-mitigation solutions to minimize the risk of criminal activity such as identity theft.

The cause of the data breach was traced back to a technician who failed to apply a security framework correctly, leaving the database vulnerable. Equifax was criticized for not responding promptly to evidence of human error and technological failures. In 2019, Equifax agreed to a massive settlement with the FTC for $575 million and the maximum fine under EU law of £500,000.

3. Electoral Commission

Date: August 2021 (not discovered until October 2022)

Impact: Approximately 40 million registered voters.

The UK's independent elections watchdog was hit by a cyber attack that resulted in the compromise of a database containing electoral register information, spanning from 2014 to 2022. The breach was not discovered until October 2022, as noted by the ICO.

The compromised data included:

- Names
- Addresses
- Dates of birth
- Email addresses

The breach was particularly concerning because of the organization's political sensitivity and the potential use of the data for foreign influence or disinformation campaigns. The attack began in August 2021 but was not discovered until October 2022, indicating that the attackers had unauthorized access for over a year, which highlights a major vulnerability in critical public infrastructure. While the breach did not directly affect the voting process, the prolonged access to central democratic data raised serious questions about the security posture of UK public systems.

4. EasyJet

Date: October 2019 – March 2020

Impact: 9 million customers & 2200 credit card details

In May 2020, EasyJet disclosed that a data breach had allowed access to 9 million customer records. The breach affected customers that booked flights with the airline between October 17, 2019, and March 4, 2020.

While EasyJet became aware of the breach in January 2020, the firm did not release information to the public until May, saying only that it had been a highly sophisticated attack and that the hackers were more likely to have been targeting intellectual property than customer data.

The airline's forensic investigation found that hackers accessed the credit card details of 2208 customers. Apart from this subset of customers, cybercriminals did not access other credit card details or passport numbers. Furthermore, the security team found no evidence of misuse of personal information.

However, by May 2020, Action Fraud, the UK cybercrime reporting agency, had received 51 credit card fraud reports that stemmed from the EasyJet security breach. Currently, the UK ICO is investigating the incident, and EasyJet could face fines of up to 4% of the airline's 2019 turnover of £6.3 billion.

5. Marriott International

Date: 2014 – September 2018

Impact: Approximately 339 million guest records globally, 7 million of which were UK residents.

Hackers were able to compromise the guest reservation database of Starwood hotels (which Marriott acquired in 2016) in a continuous attack lasting 4 years. The attack was discovered in 2018.

For UK customers, the compromised data included:

- Names
- Home addresses
- Email addresses
- Dates of birth
- Passport numbers (in some cases)

The Information Commissioner's Office (ICO) initially intended to fine Marriott International £99.2 million. This was later reduced, with the final fine amounting to £18.4 million (approximately $23.8 million). The intrusion went undetected for 4 years, highlighting a significant security failure and underscoring the reactive nature of their defense strategy.

6. Uber

Date: October 2016

Impact: 57 million users and drivers worldwide; 2.7 million users in the UK.

The breach was a cyber attack that compromised a huge number of customer and driver accounts globally. Uber covered up the cyberattack by paying the hackers a ransom of $100,000 (£75,000) to delete the stolen data and keep the incident secret. The cover-up led to the departure of the Chief Security Officer.

The compromised data included:

- Names
- Email addresses
- Mobile phone numbers

Uber's violation of disclosure laws and failure to protect customer data led to a massive loss of public trust, resulting in a $148 million fine in the US and setting a significant precedent against such cover-ups.

6. The National Health Service (NHS)

Date: July 2011 – July 2012

Impact: Over 1.8 million health and employee records

The NHS is a publicly funded healthcare system in England, one of four major systems in the UK. Quantifying the impact of data breaches on the NHS is complex because it includes so many healthcare organizations. However, the series of breaches was one of the largest to affect the healthcare industry in the UK.

The NHS data breach was the result of 16 major breaches and data leaks from NHS healthcare entities during the year leading up to July 2012. The security breaches took place across several units of the National Health Service, including:

- Central London Community Healthcare NHS Trust
- Belfast Health and Social Care Trust
- Torbay Care Trust
- NHS Surrey
- Brighton and Sussex University Hospitals NHS Trust

Central London Community Healthcare NHS Trust

The ICO fined Central London Community Healthcare NHS Trust £90,000 for violating the Data Protection Act. The Pembridge Palliative Care Unit repeatedly faxed patient lists to an incorrect recipient over three months in 2011, sending 45 faxes in total and compromising the sensitive information of 59 individuals, including:

- Medical diagnoses
- Domestic situations
- Resuscitation instructions

Belfast Health and Social Care Trust

This data breach was caused by sensitive patient information left accessible at Belvoir Park Hospital. The error occurred when six local trusts were merged, and BHSC became responsible for over 50 sites.

When criminals physically broke into Belvoir Park Hospital in 2010, they photographed and uploaded patient and staff records, some dating back to the 1950s. Despite the hospital improving physical security, another physical data breach occurred in April 2011.

The compromised data comprised thousands of patient and staff records, including:

- Medical records
- Scans of lab results
- X-rays
- Staff information, including unopened payslips

The ICO's investigation determined that the Trust did not take sufficient steps to secure information and fined the hospital £225,000. Furthermore, the Trust implemented a policy of destroying unneeded data.

Torbay Care Trust

Torbay Care Trust was fined £175,000 when it accidentally published a spreadsheet containing the personal information of over 1000 NHS employees online, including:

- Names
- Birth dates
- Salaries
- National insurance ID numbers

Although no patient data was directly compromised, the ICO viewed the incident as a major failure of security policies due to a lack of guidance for staff and no system of checks to identify data leakage.

NHS Surrey

NHS Surrey was fined £200,000 by the ICO when it was found that over 3000 patient records had been discovered online. The security breach was the result of secondhand NHS computers that were auctioned off on eBay, ones that the data and hardware destruction company had failed to destroy properly. The ICO also found three more NHS computers containing sensitive patient information, all of which had been sold online.

The responsibility still lay with NHS Surrey for failing to monitor and check with its third-party service provider that data had been properly destroyed. The service provider offered free destruction services in exchange for salvaged parts but had failed to destroy the hard drives containing the sensitive information.

Brighton and Sussex University Hospitals NHS Trust

Brighton and Sussex University Hospitals NHS Trust received the largest fine from the ICO of the NHS data breaches, £325,000, when it was discovered that hard drives containing tens of thousands of patient records had been sold online. Sometime between October and November 2010, 252 hard drives were auctioned off and sold on eBay, containing information including:

- Patient medical conditions
- Disability records
- Disability living allowances
- Children's patient reports

In a similar situation to NHS Surrey, Brighton and Sussex University Hospitals NHS Trust had contracted a hardware destruction company to dispose of the hard drives, which it had failed to do. The hospital claimed it could not afford the fine and appealed the ICO's decision. However, it lost the appeal and settled to pay a reduced fine of £260,000.

7. Virgin Media

Date: March 2020

Impact: 900,000 customers

The exposed data included:

- Customer names
- Home addresses
- Email addresses
- Phone numbers
- Device type
- Subscription type

The data leak occurred through a database misconfiguration by an employee who did not follow proper procedures. Virgin Media quickly discovered the breach and shut down all related databases containing the leaked information.

8. JD Wetherspoon

Date: June 2015

Impact: Over 650,000 customers

High-street pub chain JD Wetherspoon found that there had been a data breach in December 2015, about six months after the breach took place. It is believed that a Russian group was behind the attack, hacking the chain's old website for payment card details.

The stolen data included the following:

- Dates of birth
- Email addresses
- Phone numbers
- Last 4 digits of payment cards

The cybercriminals uploaded the customer details to the dark web, intending to sell them. However, fortunately, the business said the limited card payment details compromised could not be used to commit fraud. JD Wetherspoon officials said that they had taken so long to detect the data breach only because a third-party company hosted the website.

JD Wetherspoon ultimately was not fined by the ICO, and CEO John Hutson reiterated that sufficient steps had been taken to secure data on their main domain and no customers had been compromised.

9. British Airways

Date: June 2018 – September 2018

Impact: 500,000 payment card details

In 2018, British Airways suffered a data breach that compromised the payment card information of almost 500,000 customers. The attack originated from the British Airways website, leading to the theft of customer data through a third-party payment service. Cybercriminals diverted user traffic from the official British Airways website to a fraudulent site where they harvested data, compromising about 500,000 customers.

The regulator's investigation uncovered weak security measures that left sensitive data inadequately protected, including:

- Access credentials
- Name and address information
- Payment card information
- Travel booking details

The ICO intended to fine British Airways £183.4 million, the equivalent of 1.5% of its global turnover in 2017. Many considered this lenient considering the General Data Protection Regulation (GDPR) authorizes regulators to fine violators as much as 4% of their annual global turnover. However, after considering the company's testimony and the economic damage of COVID-19, the ICO agreed to reduce the fine to £20 million.

This is still the largest fine ever issued by the ICO for a GDPR violation. Furthermore, many consumers had to cancel their credit cards after the incident, for which British Airways offered to compensate those financially affected by the data breach.

10. Wonga

Date: April 2017

Impact: Up to 270,000 customer records

The UK's largest payday loan company, Wonga, suffered a data breach in 2017 that compromised the data of up to 270,000 of the firm's millions of customers. This is one of the UK's biggest data breaches involving financial information. The breached data of past and present customers included:

- Customer names
- Bank account numbers
- Sort codes
- The last 4 digits of bank cards

Wonga officials said the data breach affected about 245,000 UK customers and 25,000 from Poland. Along with a series of poor business practices, Wonga ultimately fell into administration, leading to the shutdown and closure of the company.

11. Three Mobile UK

Date: November 2016

Impact: 130,000 customer records

Telecom and internet service provider Three suffered a data breach in 2016 when cybercriminals gained unauthorized access to the firm's upgrade database using an employee's access credentials. The aim was to falsely approve phone upgrades for customers and attempt to steal the upgrade devices before they reached their destination.

According to a company spokesman, cybercriminals accessed over 130,000 customers' personal details to make fake smartphone upgrades. The fraudsters are believed to have ordered phone upgrades for over 400 customers and intercepted the phones before they arrived.

Financial details remained uncompromised during the hack, but the cybercriminals were able to access the following personal data:

- Customer names
- Phone numbers
- Dates of birth
- Home addresses

Ultimately, three individuals were arrested in connection with the security breach and device fraud.

12. TalkTalk

Date: October 2015

Impact: 157,000 records

The TalkTalk data breach was an attack that occurred in 2015, resulting in over 157,000 records being exposed, including financial data from over 15,000 bank accounts. In addition, hackers obtained:

- Customer names
- Addresses
- Dates of birth
- Email addresses
- Phone numbers
- Credit card information
- Bank details

Fortunately, the card numbers were obscured, making them unusable in that form.

The attack occurred after TalkTalk acquired Tiscali's UK operations, which gave hackers the opportunity to access the database by exploiting known SQL injection vulnerabilities.

The ICO investigated TalkTalk's compliance with the Data Protection Act and issued a massive £400,000 ($510,000) fine out of a maximum of £500,000. It concluded that the firm had failed to implement basic security measures that could have prevented the data breach and properly protected customers' personal data. Furthermore, TalkTalk revealed that the cyber attack had cost the company more than 100,000 customers and £60 million ($76 million) spent on mitigating the data breach.

13. Interserve

Date: May 2020

Impact: 113,000 staff records

The attack led to 16 compromised accounts and 283 compromised systems. The attackers also uninstalled the firm's antivirus solution and encrypted the personal data of 113,000 staff members, including:

- Contact details
- Bank account details
- National insurance numbers
- Religion
- Ethnic origin
- Sexual orientation
- Disability information
- Health information

UK Information Commissioner John Edwards said in response to the incident, "The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office."

Upon investigation, the ICO found that Interserve had violated a number of policies, including:

- Continued use of outdated server operating systems
- Lack of information security training for employees
- Use of outdated network protocols
- Poor privileged account management
- Poor incident response

Two years later, Interserve was fined £4.4 million for failure to enact sufficient security policies and breaching data protection law. Furthermore, the company went into administration due to a series of financial issues and bad business practices and was sold off and broken apart to foreign companies.

14. Camelot Group

Date: November 2016

Impact: 26,500 customer records

Camelot Group's National Lottery website was targeted by cybercriminals in late 2016, who accessed 26,500 out of 9.5 million customer records. In fewer than 50 cases, the hackers used the same access credentials that customers had reused on other online services.

Compromised data included:

- Customer names
- Dates of birth
- Transaction histories
- Account preferences
- Last 4 digits and the expiry date of payment cards

Camelot was able to quickly suspend all affected accounts and worked closely with the NCSC to catch the criminals. The ICO assessed no fines after the incident.

15. Debenhams Flowers

Date: February 2017 – April 2017

Impact: 26,000 customers

Retailer Debenhams reported a data breach in April 2017 in which 26,000 of its customers had their personal data compromised through a third-party e-commerce company. Only Debenhams Flowers customers were affected and not Debenhams.com customers. The data that was compromised included:

- Names
- Addresses
- Payment details

Debenhams Flowers has not been fined and has worked quickly with Ecomnova to prevent fraudulent charges. In addition, it does not appear that data was misused in the aftermath of the attack.

16. Travelex

Date: December 2019

Impact: 17,000 customers

On New Year's Eve 2019, currency exchange firm Travelex suffered a data breach in the form of a ransomware attack, specifically Sodinokibi, with cybercriminals locking employees out of their systems and stopping currency transactions across the UK. In response, the firm shut down websites across 30 countries.

The hackers demanded around £5 million for the safe return of 5GB of stolen sensitive customer data, including:

- Dates of birth
- National insurance numbers (social security numbers)
- Credit card information

The cybercriminals achieved the data breach by exploiting a vulnerability in the firm's virtual private network (VPN), allowing them to gain unauthorized access without valid access credentials. They could also disable multi-factor authentication, as well as view logs and cached passwords.

Although the VPN vendor had patched this vulnerability months before the attack, Travelex failed to apply the patch. It also did not notify the ICO within 72 hours that there had been a breach that posed a risk to people's rights and freedoms, which comes with a penalty of 4% of the company's global turnover.

The Peterborough-based firm paid more than £2 million in bitcoin of a demanded £4.6 million to the ransomware gang. Furthermore, it suffered 4 months of business interruption with the company taking down its site, affecting private customers and large business partners, including HSBC and Royal Bank of Scotland.

It was estimated that Travelex and its parent company, Finablr, lost approximately £25 million in the following quarter, Q1 of 2020, as a result of the cyber attack. Soon after, Travelex went into administration and underwent a complete company restructuring to reduce its debt.

17. Tesco Bank

Date: November 2016

Impact: 8,261 customers, £2.26 million stolen

British retail bank Tesco Bank was hit by cybercriminals in 2016, resulting in almost £2.26 million stolen from customer bank accounts. The bank's attempts to limit the damage by acting quickly and freezing its online systems successfully thwarted over 80% of the attacks, but the hackers had already taken money out of over 8000 accounts. It took the Tesco Bank fraud protection team two days from the time the breach was noticed to stop the attack.

Because there were thousands of attempts to make false transactions, the speculation is that the hackers generated authentic debit card numbers and tried to make transactions that took money from customer accounts.

The Financial Conduct Authority (FCA) cited Tesco Bank's method of distributing debit card numbers as being at fault: it issued debit card numbers in sequential order, which allowed the hackers to quickly generate new false debit cards based on the next number in the sequence.

The FCA also fined Tesco Bank £23.5 million for the incident, citing failure to respond quickly to the attack, using a faulty card distribution system, only blocking fraudulent credit card transactions and not debit cards, and using a weak authorization system. Because Tesco Bank cooperated fully with the FCA and compensated customers fully, the fine was ultimately reduced to £16.4 million.
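As an added illustration of the failure mode the FCA described, the following detector runs over an authorization stream and flags a merchant whose attempts hit a tight run of consecutively numbered cards, the signature that sequential PAN issuance leaves behind. This is example code, not Tesco Bank's or the FCA's; the log format, merchant ids, thresholds and the placeholder-BIN card numbers are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # look-back window per merchant (assumed tuning value)
RUN_THRESHOLD = 4                # consecutive account numbers needed to raise an alert
MAX_GAP = 2                      # tolerate small gaps, e.g. numbers skipped at issuance

# Constructed sample authorization log: timestamp, merchant id, PAN, amount, result.
# BIN 999999 is a placeholder; these are not real cards. The M-BAD attempts walk
# through six consecutive account numbers in 15 seconds; M-OK is ordinary traffic.
SAMPLE_LOG = """
2016-11-05T03:00:01Z M-BAD 9999990000001017 19.99 DECLINED
2016-11-05T03:00:04Z M-BAD 9999990000001025 19.99 DECLINED
2016-11-05T03:00:06Z M-BAD 9999990000001033 19.99 APPROVED
2016-11-05T03:00:09Z M-BAD 9999990000001041 19.99 DECLINED
2016-11-05T03:00:12Z M-BAD 9999990000001059 19.99 APPROVED
2016-11-05T03:00:15Z M-BAD 9999990000001066 19.99 DECLINED
2016-11-05T03:01:40Z M-OK 9999990000045673 42.50 APPROVED
2016-11-05T03:02:10Z M-OK 9999990000912348 8.00 APPROVED
2016-11-05T03:03:55Z M-OK 9999990000312871 120.00 DECLINED
"""


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    merchant: str
    pan: str
    amount: float
    result: str

    @property
    def account_prefix(self) -> int:
        # Drop the trailing Luhn check digit: sequentially issued PANs share the
        # BIN and differ by one in the digits before it, while the check digit
        # jumps around, so the comparison has to ignore it.
        return int(self.pan[:-1])


def parse_log(text: str) -> list[AuthAttempt]:
    attempts = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 5 or not parts[2].isdigit() or parts[4] not in ("APPROVED", "DECLINED"):
            raise ValueError(f"unparseable auth record: {line!r}")
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(AuthAttempt(ts, parts[1], parts[2], float(parts[3]), parts[4]))
    return attempts


def longest_sequential_run(prefixes: set[int]) -> int:
    """Length of the longest chain of account prefixes that step by at most MAX_GAP."""
    ordered = sorted(prefixes)
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if 0 < cur - prev <= MAX_GAP else 1
        best = max(best, run)
    return best


def mask(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def detect_enumeration(attempts: list[AuthAttempt]) -> list[dict]:
    """One alert per merchant whose attempts, within WINDOW, span a sequential card run."""
    by_merchant: dict[str, list[AuthAttempt]] = defaultdict(list)
    for a in attempts:
        by_merchant[a.merchant].append(a)
    alerts = []
    for merchant, items in by_merchant.items():
        items.sort(key=lambda a: a.ts)
        for i, start in enumerate(items):
            window = [a for a in items[i:] if a.ts - start.ts <= WINDOW]
            run = longest_sequential_run({a.account_prefix for a in window})
            if run >= RUN_THRESHOLD:
                declined = sum(a.result == "DECLINED" for a in window)
                alerts.append({
                    "merchant": merchant,
                    "window_start": start.ts.isoformat(),
                    "sequential_run": run,
                    "attempts": len(window),
                    "decline_rate": round(declined / len(window), 2),
                    "lowest_card": mask(min(window, key=lambda a: a.account_prefix).pan),
                })
                break  # first alert for this merchant is enough; move on
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_log(SAMPLE_LOG)):
        print(alert)
```

The decline rate is reported alongside the run because enumeration against consecutive numbers typically shows many declines around a few approvals, which is the pattern a fraud team would want to block before the approvals accumulate.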
