Data breaches make the headlines when they affect big brands, but 90% of all large organisations now admit to having been hacked*. While the average cost of a data breach is not pocket change at £2.3m, the biggest damage is reputational – for both the company and the C-Level execs who take the blame and lose their jobs.
With the last 12 months being a bumper year for hacks, we wanted to take a look back at the 10 most disastrous UK data breaches, spanning the last 10 years:
1. Nationwide Building Society (2006)
An incident which brought the vulnerability of data to the attention of the UK public. While poor disclosure rules at the time kept much of the information out of the public domain, the data breach resulted from a stolen unencrypted laptop, putting at risk the personal data of 11 million savers. Nationwide claimed not to be “seriously” worried about the exposed information. In restitution, they suffered a £980,000 fine, but more than that, their reputation as a trusted UK financial institution suffered a significant setback.
2. HM Revenue & Customs (2007)
In a data breach that affected every parent in the UK, two CDs containing the records of 25 million child benefit claimants went missing in the post. The handling of this data was without doubt in breach of official guidelines and serves to demonstrate the far-reaching consequences of weak practices by employees. Technology may have moved on since 2007, but weak practices by employees have not changed.
3. T-Mobile (2009)
Blissfully ignorant, lazy or weak practices by employees are the greatest risk to corporate security, but in 2009 T-Mobile sales staff were caught selling customer records to brokers. The number of leaked records was estimated in the millions. The courts fined the employees involved £73,000, while T-Mobile was forced to ask questions of its own policies that enabled the breach to occur.
4. Brighton & Sussex University Hospital NHS Trust (2010)
Hundreds of decommissioned hard drives that should have been securely wiped and destroyed were instead sold second-hand. The investigation was sparked after sensitive data on thousands of patients was found on a hard drive sold on eBay. A £325,000 fine was issued.
5. Sony PlayStation (2011)
Sony is a household name and global brand, and its 2011 data breach was the largest in history at the time. 77 million customer records from all over the globe were accessed by hackers in a breach that brought down the PlayStation Network for 23 days. Sony was issued with a £250,000 fine, but the main damage was to Sony’s reputation at a time when it was fiercely competing for market share with Microsoft’s Xbox.
6. Morrison’s Supermarket (2014)
In an insider threat attack, a disgruntled employee leaked the records of 100,000 Morrison’s employees to online sharing sites and media outlets. Morrison’s was awarded £170,000 in compensation from the offending party. However, the incident returned to court as the affected employees, whose NI numbers, bank details and salary information had been published, launched a lawsuit seeking their own compensation from Morrison’s. Insider breaches, where the perpetrator leverages privileged access, remain an attack vector that many companies are unprotected against.
7. Mumsnet (2014)
Mumsnet was a victim of the Heartbleed OpenSSL software flaw, through which hackers were able to gain access to 1.5 million user accounts. It's one example of the consequences when ubiquitous security software, trusted by millions, is found to be flawed. The Heartbleed bug affected 70% of internet websites that transmitted their data over a secure channel using OpenSSL.
8. TalkTalk (2015)
Hackers exploited a weakness in the firm’s website and stole the records of 150,000 customers. Financial results showed the company subsequently suffered a £15m trading loss and additional costs of £40 million in 2015. TalkTalk's own customer statistics found that 95,000 of the 100,000 customers lost in 2015 left because of the hack.
9. Moonpig (2015)
A technical vulnerability was exposed by a security researcher who was able to access three million customer account details through the company’s website and app. Despite first being made aware of this vulnerability in 2013, it took Moonpig 17 months to increase security. As the breach was revealed by a researcher, no actual records were exposed, but the lack of motivation to close the gaps in security necessitates its inclusion.
10. Sage (2016)
The FTSE 100 organisation suffered unauthorised access to customer information using an internal login. The data breach is believed to have compromised the personal and bank account information of the employees of as many as 300 UK companies. Shares in the company fell as much as 3.9% in the first hour of trading on the Monday after the news broke.
In most of the above data breaches, employees played a significant role in exposing the organisation, whether unintentionally or maliciously. While organisations invest heavily in intrusion detection, firewalls and anti-virus technology, the biggest risk to businesses, according to Verizon, is credential-based attacks, with 65% of data breaches being caused by employees’ weak password practices.
To see how My1Login eliminates Insider Threat risk check out the video below: How a 2,000-Employee Business Eliminated Insider Threat by Using My1Login.
* Source: HM Government Information Security Breaches Survey 2015