
The Worst Data Breaches in History


Organisations large and small are finding themselves the victims of data breaches, either through malicious attack or employee error.

It has been reported that an SME is successfully hacked every 19 seconds and there are more than 60,000 hacking attempts per day in the UK alone. In this article, we explore the worst data breaches that have happened, what their impact has been and the biggest fines issued under GDPR.

The Biggest Breaches

EasyJet

In May 2020 EasyJet suffered a cyber-attack that affected 9 million customers. The majority had their email address and travel itinerary stolen, while more than 2,000 had their credit card details accessed.

At the time of publishing this article, EasyJet and the ICO are still investigating; however, a significant fine is expected.

British Airways

In September 2018, hackers were able to access over half a million records from the British Airways systems, almost 200,000 of which included payment details. A large part of the hack was as a result of website users being redirected to a fraudulent website where the data was harvested.

The Information Commissioner’s Office (ICO) has announced plans to fine BA almost £200m.

MySpace

In 2016, a hacker reported that they had access to email addresses, passwords, and usernames for over 360 million MySpace accounts. However, analysis of the data revealed that the hack may have originally taken place in 2008, meaning that MySpace was unaware of the breach for eight years.

The stolen information was put up for sale on the dark web for around $3,000.

LinkedIn

In 2012, LinkedIn reported that it had been subject to a cyber security breach. LinkedIn took steps to force affected users to change their passwords, but they did not reveal how many users had been affected.

It wasn’t until 2016 that a hacker claimed to have the stolen information and revealed that the details of 117 million LinkedIn users had been compromised. Just like the MySpace hack, the hacker who claimed to possess the stolen details put them up for sale, this time for around $2,200.

Adobe

In 2013, Adobe reported that hackers stole 3 million encrypted customer credit card records, as well as an uncertain number of logins. That number was quickly revised to 38 million active users. But some security specialists suggested that the number was closer to 150 million.

Adobe had recently transitioned to providing Software as a Service (SaaS) where customers made recurring payments to maintain access to Adobe software, rather than paying once for desktop software.

This move to cloud-based software resulted in a change of infrastructure at Adobe, but it also resulted in the hack, revealing the potential risks of cloud-based software.

Adult Friend Finder

In 2016, the Friend Finder network suffered a breach that saw 412 million accounts compromised. Hackers used a Local File Inclusion vulnerability, which enables someone to run malicious code on an affected server. The hackers used this code to tell the server to reveal login details including passwords, which were either in plain text or poorly encrypted. It seems that the majority of passwords could be cracked. The hack also revealed logins for 15 million “deleted” accounts that had not actually been removed from databases.
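The passage above turns on passwords being stored in plain text or "poorly encrypted". The following is an added illustration, not code from the original article or from Friend Finder: it places the kind of storage that makes a leaked database crackable (a single unsalted SHA-1 digest) beside a salted, iterated PBKDF2 record that can be verified and later upgraded. The record format, the iteration count and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions for this example, not a recommendation
# for a specific deployment; production systems tune iterations to their hardware).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def weak_store(password: str) -> str:
    """Unsalted single-pass SHA-1: the 'poorly encrypted' storage the article refers to.
    Every user with the same password gets the same digest, so one precomputed
    table of common passwords reverses most of a leaked database at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means identical passwords produce different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the salt and iteration count stored in the record
    and compare in constant time, so a malformed record or wrong password simply fails."""
    try:
        algorithm, iterations_s, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record is below the current policy (wrong algorithm or too
    few iterations), so the site can re-hash transparently at the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    print("weak, user A:", weak_store("Summer2016!"))
    print("weak, user B:", weak_store("Summer2016!"))  # identical: one crack exposes both
    rec_a = hash_password("Summer2016!")
    rec_b = hash_password("Summer2016!")
    print("pbkdf2, user A:", rec_a)
    print("pbkdf2, user B:", rec_b)                      # different salts, different records
    print("verify correct:", verify_password("Summer2016!", rec_a))
    print("verify wrong:  ", verify_password("summer2016!", rec_a))
    old = hash_password("Summer2016!", iterations=1_000)
    print("old record needs rehash:", needs_rehash(old))
```

The point of `needs_rehash` is the migration path: a site that discovers weak records does not have to force a mass reset, it can re-hash each account the next time the correct password is presented, and the 15 million "deleted" accounts mentioned above are a reminder that records must actually be removed, not just flagged, for this to matter.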

Adult Friend Finder had also suffered a separate breach the previous year that revealed the logins, birthdates, and sexual preferences of 3.5 million users.

Canva

In 2019, Canva caught a hacker in the act of trying to access login details for its users. They stopped the unauthorised access, but not before the hacker had made off with encrypted login details for 137 million customers. Although any passwords stolen were still encrypted, the hacker had a much more valuable prize: login tokens.

Canva, like many sites, allows users to register with their Google credentials rather than using an email address and password. While this makes the user’s life easier, it makes things easy for a hacker too; once they have a copy of this token, they can impersonate you online. They can log in to any Google-enabled accounts you might hold until you change your Google password. The problem is that these login tokens are poorly understood. A Canva user hearing of the hack might think they have nothing to worry about when, in fact, they have much more to worry about than the average user: the hacker has access to much more than just their Canva account now!

The Significant Impact of Hacking on a Business

Although the large number of people affected by these breaches is astounding, not all of the worst breaches are the largest. In fact, some of the worst breaches on this list affected only a few people, but affected them in a very serious way. It can even affect a business’ share price.

Crown Prosecution Service (CPS)

This breach affected just 15 people, but is potentially worse than any of the others.
The Crown Prosecution Service (CPS) was fined £325,000 after it lost unencrypted DVDs containing recordings of police interviews with 15 victims of child sex abuse. The interviews were to be used at trial, and contained sensitive information about both the victims and about other parties. The DVDs had been sent by tracked delivery between two CPS offices, but were left in reception and subsequently went missing. What happened to the DVDs remains unknown.

NHS

Brighton and Sussex University Hospitals NHS Foundation Trust was fined £325,000 by the ICO in 2012 for the loss of sensitive personal information about patients and staff.
The Trust hired a contractor to destroy some old hard drives which contained sensitive information. But the contractor instead sold the hard drives on eBay.

Although there was no recognised harm caused by the breach, the ICO refused the Trust’s attempts to reach a settlement. However, by paying the fine early, the Trust enjoyed a 20% reduction on the fine, bringing the total down to £250,000.

Travelex

At the end of 2019, currency exchange firm Travelex found itself the victim of a ransomware attack. Cybercriminals locked Travelex out of its own files, halted currency transactions across the UK, and demanded almost £5 million in exchange for the return of 5GB of stolen personal data.

The criminals made use of a vulnerability in the company’s Virtual Private Network (VPN) that made it possible to access a vulnerable network without a valid username or password, switch off multi-factor authentication, and view logs and cached passwords in plain text. The VPN provider had patched this vulnerability months before, but Travelex had failed to apply the patch.

Travelex claimed to have reason to believe that customer data was not accessed, but if this is found to be inaccurate then Travelex could face a much larger fine for failing to report a breach; the ICO reported that it had not been informed of a data breach by Travelex.

The impact on Travelex has been devastating: four months of significant business impact, and it is believed that the company eventually paid over $2m in ransom. Now the business has been put up for sale by its owners.

Uber

After hackers stole the personal information of 2.7 million Uber customers, the ridesharing company paid the attackers $100,000 in exchange for a pledge to destroy the data. Uber did not inform anyone of the breach for more than a year. It was this failure to notify customers and regulators, as well as the size of the breach, that resulted in a £385,000 fine.

The attackers gained access to the information by using “credential stuffing”: usernames and passwords that have already been compromised elsewhere are tried on a multitude of websites until one of them grants access to an account. Once they had gained access, the attackers downloaded information including names, email addresses, and phone numbers. They also gained access to records of almost 82,000 drivers, the journeys they’d made and the fares they’d been paid.
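Credential stuffing, as described above, has a recognisable shape in authentication logs: one source tries many different usernames in a short time and most attempts fail. The following detector is an added example, not code from the article or from Uber; the log line format, the field names and the thresholds are assumptions made for the illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed format:
# ISO timestamp, source IP, attempted username, result.
SAMPLE_LOG = """\
2020-01-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-01-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2020-01-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2020-01-01T10:00:03Z src=203.0.113.5 user=dave result=OK
2020-01-01T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2020-01-01T10:00:04Z src=203.0.113.5 user=frank result=FAIL
2020-01-01T10:00:05Z src=203.0.113.5 user=grace result=FAIL
2020-01-01T10:00:06Z src=203.0.113.5 user=heidi result=FAIL
2020-01-01T10:00:10Z src=198.51.100.7 user=ivan result=FAIL
2020-01-01T10:00:15Z src=198.51.100.7 user=ivan result=FAIL
2020-01-01T10:00:20Z src=198.51.100.7 user=ivan result=OK
2020-01-01T10:05:00Z src=192.0.2.9 user=judy result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.7):
    """Group attempts per source IP, slide a time window over them, and flag a source
    when, within one window, it tried at least `min_distinct_users` different usernames
    and at least `min_fail_ratio` of those attempts failed. A user who mistypes their
    own password a few times touches only one username and is not flagged."""
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            window_events = events[start:end + 1]
            users = {e["user"] for e in window_events}
            failures = sum(1 for e in window_events if not e["ok"])
            ratio = failures / len(window_events)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                prev = flagged.get(src)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[src] = {
                        "distinct_users": len(users),
                        "attempts": len(window_events),
                        "fail_ratio": round(ratio, 2),
                        # Accounts the source actually got into: these need a reset and a notice.
                        "successes": sorted(e["user"] for e in window_events if e["ok"]),
                    }
    return flagged


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, stats)
```

The `successes` field is the part a response team needs: it names the accounts that the flagged source logged into, which is exactly the set that a company in Uber's position would have to reset and notify rather than keep quiet about for a year.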

In addition to the fine imposed by the ICO, the Dutch Data Protection Authority (DPA) also imposed their own fine of €600,000 (£532,000) as 172,000 Dutch customers were amongst those affected.

Protect Your Organisation

To keep your organisation safe from the unpleasant consequences of a data breach, take a look at our full article on data breaches that covers what a data breach is, how one happens, and what should you do next.

We have also designed a specific eLearning course on cyber security. During this 45-minute course, expect to be introduced to topics such as:

  • Password management
  • Staying safe at work and at home
  • Tips and techniques on safeguarding information

It’s designed to be an efficient and effective course that helps users understand the basics of cyber security.

Take the course to protect your organisation today.
