Securing data should be the highest priority for businesses small and large, with data leaks causing significant damage to a company and its customers. A cyber security breach can harm the credibility and trust of even the most popular of enterprises. Incidents where data is lost, stolen or left without protection can result in punishing fines and reputational damage. If your company shares data with third parties such as suppliers, you are jointly responsible for the data and held to account in the event of a breach.
Hacking has been the primary force driving increasing breach counts over the last few years. Whether it was a phishing campaign or mismanaged databases and services leaving sensitive records freely available on the internet, here are the largest breaches of 2020 and an example of the fines that accompany such breaches.
Dixons Carphone Data Breach – January 2020
Hackers harvested data of 14 million customers, including postcodes, email addresses and failed credit check information, over a nine-month period. In January of 2020 Dixons Carphone were fined £500,000 for the data breach, the maximum punishment under the pre-GDPR data protection regime. The absence of a firewall, ineffective software patching and lack of routine security testing were highlighted by the Information Commissioner’s Office, with their Director of Investigations describing the incident as “a complete disregard” for customer data.
Ordnance Survey Data Breach – February 2020
Phishing emails enabled cyber criminals to steal the personal data of 1,000 Ordnance Survey employees. Cyber criminals accessed payroll files through the account of the Chief Commercial Officer, and the files were sent to an external email address.
JustPark Data Breach – February 2020
In an isolated incident, details of 4,500 JustPark (Belfast-based parking software) users were published online, including names, contact details and vehicle information. The number of businesses paying for parking and their parking history were also left unsecured. As this was an isolated incident, no formal report was filed.
Rail Network and C3UK Data Breach – March 2020
Email addresses and travel details of 10,000 customers accessing station Wi-Fi were exposed online after a database was left without password protection. Software updates and the categories of software being used by customers to access the free Wi-Fi service were also unsecured, resulting in Greater Anglia removing C3UK Wi-Fi services across its network.
Virgin Media Data Breach – March 2020
A Virgin Media database of 900,000 customers’ personal details was left unsecured for 10 months. The breach was due to “incorrect configuration” by a member of staff who did not follow guidelines, causing names, home addresses and email addresses to be accessible online. Those affected were customers with television or fixed-line accounts, although the database also contained details of Virgin Mobile customers.
Tesco Data Breach – March 2020
600,000 Tesco Clubcard account holders were issued new cards after a database of stolen usernames and passwords was used to access online accounts. Everyone affected was emailed and their Clubcard points were restored.
Boots Data Breach – March 2020
In the same week as the Tesco breach, 150,000 Boots Advantage Card accounts were hacked. Cyber criminals using email addresses and passwords from other sites accessed Advantage Card customer accounts in an attempt to steal their loyalty points. Customers affected had their loyalty points restored to new accounts.
Warwick University Data Breach – April 2020
An unknown amount of employee and student data was accessed through the Russell Group university’s administrative network. The incident occurred when a member of staff installed remote-viewing software, opening a database of personal information to cyber criminals.
EasyJet Data Breach – May 2020
EasyJet first became aware of the attack in January, but it was reported in May that 9 million customers had been affected. Email addresses, travel details and credit card information were accessed during the COVID-19 pandemic, a period in which the number of phishing attempts has increased. All affected customers were contacted by May 26th, but it is advised that anyone who has purchased an EasyJet flight or holiday should be vigilant when opening emails.
Sheffield Council & South Yorkshire Police Data Breach – May 2020
An Automatic Number Plate Recognition (ANPR) system left open without password security exposed records of 8.6 million journeys on Sheffield roads. The open database made it possible to access journey details, enabling cyber criminals to reconstruct journeys minute by minute. Both Sheffield Council and South Yorkshire Police shared responsibility for the breach.
Northdoor takes a holistic approach to cyber security, aiming to build defence into every level. A layered approach to security decreases the risk of unauthorised access or data loss. It is important that there is an understanding of where data resides, and Northdoor can assist in maintaining an established approach to security standards. Protect sensitive data, block transactions that violate policy and manage privileges to ensure your data is safeguarded from cyber criminals.