Software vulnerabilities, lost hard drives and CDs, malicious insiders, poor security – the UK’s most important data breaches reveal just how many ways data can be put at risk.
It’s tempting to believe that important data breaches only happen in the US, and the figures tend to bear that out – the US accounts for the overwhelming majority of the really big data breaches that have been made public, some of them absolutely vast. But US laws and regulations force organisations to admit to data breaches involving customer data, something which is not true in all countries.
In the UK, the most important piece of legislation organisations must worry about is the Data Protection Act and the possibility of fines by the Information Commissioner’s Office (ICO).
Below we offer what we believe are the ten most significant data breaches to hit the UK, not in all cases because they were particularly large but because of the type of attack or vulnerability involved or the sensitivity of the data compromised.
Globally, the UK currently ranks a distant second behind the US for data breaches, which is no cause for complacency. Many of the breaches mentioned here happened in the last two years. Undoubtedly, larger and more serious breaches lie ahead.
Nationwide Building Society (2006)
The moment data breaches entered public consciousness in the UK, the Nationwide incident involved an unencrypted laptop stolen from a company employee that put at risk the personal data of 11 million savers. The UK’s poor disclosure regulations made it difficult for outsiders to get information on what had occurred.
The Financial Services Authority (FSA) eventually fined Nationwide £980,000, still the largest sum ever imposed for data loss in the UK, seen at the time as a warning shot for other firms that might have similar incidents. Not everyone noticed.
HM Revenue & Customs (2007)
Probably the most infamous large data breach ever to occur in the UK: two CDs containing the records of 25 million child benefit claimants in the UK (including every child in the country) went missing in the post. There was never any indication that these password-protected discs had fallen into the wrong hands, but the incident underlined how valuable data was being handled by poorly-trained junior employees.
T-Mobile (2009)
Sales staff were caught selling customer records to brokers, who used the information to target those customers with marketing as their contracts were coming to an end. It was never clear how many records were involved in this murky insider trade, but it was believed to run from half a million to millions. Initially the ICO refused to name the firm but was forced to after rival networks said they were not involved, leaving only one name.
In 2011, the two employees involved were fined £73,000 by the courts.
Brighton and Sussex University Hospitals NHS Trust (2010)
The Information Commissioner (ICO) ended up imposing a fine of £325,000 after sensitive patient data of thousands of people was discovered on hard drives sold on eBay. An investigation found that at least 232 de-commissioned drives that should have been deep cleaned and destroyed by a contractor ended up being sold second hand.
Sony PlayStation Network (2011)
The largest data breach in history at the time, Sony’s disastrous 2011 breach saw hackers make off with the customer records of 77 million people relating to its PlayStation Network, including a small number revealing credit card numbers. Apart from downing the company’s systems for an extraordinary 23 days, the breach crossed national frontiers, affecting people from all over the world, including the UK. Britain’s ICO eventually issued a £250,000 fine for what will go down as the first big data breach to affect people across the globe.
Morrison’s supermarket (2014)
An unusual example of an insider attack: the attacker published details of the firm’s entire workforce database online, covering 100,000 employees in all. An employee was eventually arrested for the incident and will presumably come to court at some point, which could reveal more details of how the firm’s security was bypassed. Insider incidents are rare but particularly feared because they abuse privileged access that is hard to lock down.
Staffordshire University (2014)
A re-run of the lost-laptop theme that people assumed had been consigned to history, this time involving 125,000 students and applicants on a computer stolen from a car. But the files had been password-protected, said the University, plaintively. That wouldn’t have been much of a barrier to the name, address, telephone number and email data.
We include this incident as a reminder that just because times have moved on doesn’t mean the old problems go away.
Mumsnet (2014)
A direct victim of the infamous and widespread Heartbleed SSL software flaw, the compromise allowed hackers to access anything up to 1.5 million user accounts on the hugely popular site, its owners revealed. Although the data inside these accounts was less sensitive than in some of the other incidents listed here, the hack revealed both the potency of big but undiscovered software issues affecting multiple sites and that even big brands could be affected.
Think W3 Limited (2014)
A serious attack in which a hacker was able to get his or her hands on 1,163,996 credit and debit card records from online holiday firm Think W3 by using an SQL injection attack to exploit a weakness on its website. The ICO described the incident as a “staggering lapse” and fined it £150,000.
Moonpig (2015)
Another biggie: a software flaw in the firm’s Android app let a researcher access the records of any Moonpig account holder he tried, in theory compromising a total of three million people. Just as seriously, the researcher had reported the issue to the firm 18 months before going public in early 2015, after receiving an inadequate response. Significant partly because it involved a mobile app rather than the more common website breach.