The most noteworthy data breaches revealed about UK organisations in 2017
Tamlin is online editor at ComputerworldUK and Techworld. He has previously covered a wide range of beats at a variety of publications, from European channel markets, enterprise cloud and privacy to architecture, design, film and music. He is particularly interested in the intersection between technology, the political sphere and the day-to-day.
Seldom does a week go by without a major data breach being reported. As organisations continue to struggle to secure their valuable data against an ever-growing range of threats, the fear of a breach is keeping any CISO worth their salt up at night.
Europe’s General Data Protection Regulation (GDPR) takes effect in May 2018, and since the regulation was finalised in 2016 businesses have rushed to ensure they are prepared for one of the most stringent data-protection laws in the world, if not the most stringent.
While the UK is on course to leave the European Union, Britain will effectively mirror the GDPR to ensure that the free flow of data can continue across borders with as few hitches as possible.
According to recent figures from PwC, the UK is one of the most active regions for data regulation action with enforcement notices rising 155 percent in 2016 compared to 2015.
This year is no exception – with less than a year before GDPR comes into effect, high-profile breaches are still occurring. Here are some of the more significant from UK organisations that came to light in 2017.
Ride-sharing company Uber disclosed on the evening before Thanksgiving in America that it had not only suffered an enormous data breach to the tune of 57 million people – drivers and customers – but that it had also paid an extortion fee of $100,000 (£75,000) to have the hackers delete that data.
Uber said that the attack, which occurred in October 2016, exposed names, email addresses and phone numbers of 50 million people worldwide, plus personal details of 7 million drivers – including roughly 600,000 licence details.
In a statement, new CEO Dara Khosrowshahi said: «I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.
«Our forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.»
Chief security officer Joe Sullivan has been asked to resign, and Craig Clark, a senior lawyer who reported to Sullivan, has been fired as a result.
Khosrowshahi said that the company «identified the individuals» and «obtained assurances that the downloaded data had been destroyed».
While mammoth hacks and data breaches have become spectacularly commonplace, what is especially unusual about this incident is that Uber admitted to paying the attackers to destroy the stolen information. Infosec experts and authorities generally warn against this practice: there is no way to verify that a copy of the data has actually been deleted rather than retained or sold on, and a known payout encourages copycat extortion. In Uber’s case the payment also accompanied a delay of roughly a year in notifying the people affected.
«None of this should have happened, and I will not make excuses for it,» wrote Khosrowshahi, whose promotion to the chief executive role is seen as a salve to smooth over the company’s battered reputation.
«I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.»
Earlier this year, Equifax suffered a major data breach affecting 143 million customers in the US.
Now, the credit agency has revealed that 694,000 customers in the UK had their data stolen in the initial attack, exceeding Equifax’s initial estimate of 400,000.
In September, Equifax said that no UK passwords or financial information had been stolen in the breach. However, the firm has since admitted that passwords and partial credit card details of 15,000 UK customers were compromised.
It’s believed that a further 14 million UK records were stolen, although only names and dates of birth were affected.
Australian pawnbroker Cash Converters has revealed that a data breach could have exposed customers’ personal information via the company’s old UK website, which was replaced in September 2017.
The company, which operates an online store and high street shops, has reported that addresses, usernames and passwords could have been accessed by a third party, although no credit card information is believed to have been compromised.
The breach is thought to only have affected customers with an account on the old website, prior to its September relaunch.
Cash Converters is said to be taking the breach «extremely seriously» and has reported it to the Information Commissioner’s Office, according to the BBC.
In a recent statement, the company said: «Our customers truly are at the heart of everything we do, and we are disappointed that they may have been affected.
«We apologise for this situation and are taking immediate action to address it.»
Right now, it’s not clear how many people are impacted by the breach.
In October, a group calling itself The Dark Overlord claimed to have stolen extremely personal data from a London cosmetic clinic with celebrity customers, including, the hackers say, pictures of breast enhancement and genital surgery.
The London Bridge Plastic Surgery clinic provides «a complete aesthetic package» with «expertise in surgery, non-surgical treatments and skin health». Model and celebrity Katie Price is a customer of the clinic, while the hacker group said clients extend to ‘royal families’ along with other celebrities or people in the public eye.
A representative of the group sent a statement to infosec journalist Joseph Cox at The Daily Beast from an email account registered to the clinic, as evidence that it had obtained access, and threatened to release the data to the public. The group said: «We have TBs of this shit. Databases, names, everything. There are some royal families in here.
«We’re going to pitch it all up for everyone to nab. The entire patient list with corresponding photos. The world has never seen a medical dump of a plastic surgeon to such degree.»
The clinic said it is «horrified» that patients were targeted.
In a statement, the LBPS said: «Security and patient confidentiality has always been of the utmost importance to us. We invest in market-leading technology to keep our data secure and our systems are updated daily.
«We are deeply saddened that our security has been breached. We are profoundly sorry for any distress this data breach may cause our patients and our team are available around the clock to speak to anyone who has any concerns by calling 0203 858 0664.»
The Metropolitan Police is now investigating the case.
British-headquartered professional services firm Deloitte – one of the ‘big four’ accountancy firms alongside PricewaterhouseCoopers, Ernst & Young and KPMG – was hit with a ‘sophisticated’ hack that may have exposed the confidential plans of many of its blue-chip clients.
According to the Guardian, the hack is likely to have affected clients of Deloitte in all of the main sectors in which it operates, including finance, government and pharmaceutical industries. The British broadsheet claims that the companies «include household names as well as US government departments».
It is believed that a hacker gained access to Deloitte’s email server through an administrator account protected only by a single password, with no two-step verification, giving access to the email of all of the company’s staff, which was hosted on Microsoft’s Azure cloud.
In addition to usernames and passwords, the breach could also have exposed highly sensitive business information including design details. It is believed to have taken place in March this year, and only a small number of partners and lawyers are said to have been informed.
According to the Guardian, the breach was focused on US companies, and a team of specialists is currently trying to trace the hackers’ digital fingerprint. A Deloitte spokesperson said that a small number of clients were impacted and that the company launched an «intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte.»
Javvad Malik, security advocate for AlienVault, said the breach is proof that big businesses can overlook fundamental security protocols.
«The unfortunate incident demonstrates that even the largest of organisations can sometimes overlook fundamental security practices such as not enabling two-factor authentication on administrative accounts,» Malik said.