Cybersecurity and data breaches from around the UK this year
Everyone loves a good list. So here’s one about the biggest and most absorbing cyber-attacks and hacks suffered by British organisations in the past six months or so.
According to new government figures, around 46% of businesses have now suffered a digital attack. So, with 5.5 million companies in the UK, that suggests around 2.5 million may have been hit. It’s a huge issue and one that’s notoriously difficult to tackle – as these businesses found out to their cost.
Debenhams: May 2017
A malware attack in early May exposed 26,000 Debenhams Flowers' customers' data. The breach was through an e-commerce site, Ecomnova, which just goes to show the potential vulnerabilities of working with third parties. Trust no one, basically.
Wonga: April 2017
Cybercriminals seized 250,000 customer records including – as Wonga is a payday loans company – bank account details, sort codes, addresses, phone numbers, email addresses and more. The company said cyber-attacks are “on the rise” and... “unfortunately becoming increasingly sophisticated”. You don’t say.
Three: March 2017
Mobile phone company Three suffered a major breach when an employee’s password was stolen and 200,000 customers’ data was compromised. The company believes the individuals involved were, in fact, after new handsets rather than anything more insidious. This followed a similar breach in 2015.
Following the, ahem, rule of three, the company suffered another setback whereby customers could see another customer’s account details, call history and data usage. Not a cybercrime as such, but certainly not compliant with current data protection legislation.
Abta: February 2017
Around 43,000 people were affected by a cyber-attack on Abta’s website. The breach was thought to include personal identity information of individuals complaining about Abta-registered travel agents.
Strange data to hack perhaps, but it led to Abta offering a free-of-charge identity theft protection service to those affected – a potentially very costly exercise.
Barts Health Trust: January 2017
Attacking an NHS trust seems rather nonsensical from a cybercriminal’s point of view – they’re not exactly flush with cash. Nevertheless, Barts Health Trust experienced an attack earlier this year that seriously interfered with the smooth running of the five hospitals it manages. The hack was initially thought to be a ransomware attack but was in fact a Trojan and caused major disruption.
A third of NHS trusts have reportedly been infected by ransomware, with one – the Imperial College Healthcare in London – suffering 19 attacks in just 12 months. Northern Lincolnshire and Goole NHS Foundation Trust said a ransomware variant was to blame for cancelling nearly 3,000 appointments. The Trust didn’t pay the ransom but hackers have obviously cottoned on to the fact that patient data held by Trusts could be lucrative.
Lloyds Banking Group: January 2017
Britain’s largest mortgage lender isn’t immune to cyber-attacks as was proven back in January. A denial of service hack, over a period of several days, tried to block access to 20 million accounts. It could be argued that Lloyd’s security system did its job, as a cat-and-mouse chase ensued across the web, with the bank trying to stay one step ahead of hackers.
HSBC, Halifax and Bank of Scotland have all experienced similar cyber-attacks.
And going a little further back...
Tesco Bank: November 2016
Having to reimburse a staggering £2.5m to over 9,000 customers must have left Tesco execs smarting. In a fairly typical attack, hackers found a weakness in the mobile banking app that gave them access to the rest of Tesco’s financial services entity. The retailer was forced to suspend online and contactless transactions, affecting almost all its customers.
Sports Direct: September 2016
In a less well-handled security breach, beleaguered retailer Sports Direct was attacked by cybercriminals who stole personal data from over 30,000 members of staff – possibly including national insurance information. However, the company didn’t report the breach to affected employees until three months after it happened because apparently there was “no evidence that the data had been copied”. Not great.
Yahoo: July/December 2016
This one’s a biggie and worth including. Hapless Yahoo! has experienced a number of data breaches over the years and often takes a while to report them. The one from July last year was exposed in December when a broker was found to be selling the account names and passwords for around 200 million Yahoo! users. This follows two other major data breaches in 2014 and 2013.
While the end game for many cybercriminals is money (either from a ransom payment or the sale of data), sometimes it seems they attack simply because they can.
According to new research from the National Cyber Crime Unit, many cyber criminals are very young (averaging 17 years old, but some are as young as 12) and simply enjoy the challenge of overcoming programming problems. Earning peer respect is a big draw, too.
It’s worth remembering that while some cyber-attacks are extremely well executed and hugely sophisticated, many are simply opportunists seeking short-term gains wherever and whenever they can.
While none of the organisations here got away scot-free, particularly in terms of reputation, they should thank their lucky stars GDPR isn’t up and running yet. It’s designed to protect personal data in exactly these kinds of circumstances and some pretty hefty fines could’ve been handed out.cyber liability insurancemanaging risk