The number of UK organisations that have fallen victim to cyber-attacks has grown steadily over the past several years. And cyber-attacks do not discriminate—businesses of all sizes and industries have been targeted. In fact, recent government data revealed that over 30 per cent of businesses experienced a data breach within the past year.
It is dangerous to believe that cyber-attacks can only happen to other businesses or that the consequences will be minor. Especially in an era of evolving cyber-threats and strict regulatory requirements such as the General Data Protection Regulation, cyber-attacks threaten the survival of every organisation. Between hefty non-compliance fines, lost or stolen data, business interruption, reputational damage and financial downfall, the ramifications of a cyber-attack can be devastating.
Learn from the mistakes in the following Information Commissioner’s Office (ICO) prosecutions to ensure that your organisation does not suffer the same consequences.
Notable Cyber-security Fines
Company Fined for Lacking Website Security
- Background: British Airways, a major UK airline, was fined over £183 million after hackers stole the personal data of almost half a million customers.
- What went wrong: Cyber-criminals hacked into the company’s website to direct user traffic to a fraudulent website. By diverting users to this malicious website, the hackers were able to harvest the personal data—including names, addresses, logins, payment card information and travel booking details—of nearly 500,000 customers. The ICO’s investigation of the incident found that the company’s website was compromised due to poor security arrangements.
Business Fined for Multiple Data Protection Failings
- Background: Uber, an international ride-sharing business, was fined £385,000 after a series of avoidable cyber-security flaws led to attackers gaining access to the personal data of nearly 2.7 million UK customers and over 80,000 UK drivers.
- What went wrong: The company’s cloud-based data storage system was hacked when cyber-criminals used a process known as ‘credential stuffing’ to inject compromised username and password pairs into the app until they matched an existing account. From there, the hackers accessed and downloaded sensitive personal information—including full names, email addresses, phone numbers, payment information and driving routes—of both UK customers and drivers.
What’s more, the company did not inform the customers and drivers affected by this incident until more than a year later. Rather, the business paid the hackers responsible to destroy the data they had downloaded. Further investigation by the ICO discovered that the company had breached multiple data protection principles due to failed data security, paying the attackers and keeping quiet about the incident rather than informing the proper authorities or those affected.
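Credential stuffing, as described above, has a recognisable footprint in authentication logs: one source tries many different usernames with a high failure rate, unlike a user who mistypes a password and then logs in. The following detection logic is an added example, not code from the original article or from the company discussed; the log lines are constructed and the thresholds are illustrative assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs.

Constructed sample log (not from any real system). Each line records one
login attempt: timestamp, source IP, username and outcome. Credential
stuffing shows up as one source trying many DIFFERENT usernames, mostly
failing; a brute-force attack, by contrast, hammers a single account.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2019-03-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-03-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-03-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-03-01T10:00:03Z ip=203.0.113.5 user=dave result=OK
2019-03-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-03-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-03-01T10:01:10Z ip=198.51.100.9 user=alice result=FAIL
2019-03-01T10:01:20Z ip=198.51.100.9 user=alice result=OK
2019-03-01T10:02:00Z ip=192.0.2.44 user=grace result=OK
"""

def parse_line(line):
    """Turn 'ts key=val key=val ...' into a dict that also keeps the timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def find_stuffing_sources(log_text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources whose attempts look like credential stuffing.

    min_users and min_fail_ratio are illustrative assumptions; tune them to the
    application's normal login volume per source address.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = per_ip[rec["ip"]]
        s["users"].add(rec["user"])
        s["attempts"] += 1
        if rec["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(rec["user"])   # accounts the source actually got into
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "fail_ratio": round(ratio, 2),
                           "compromised_accounts": sorted(s["hits"])}
    return flagged
```

The successful logins recorded under a flagged source are the accounts whose stolen credentials worked, which is the list an incident responder needs for forced password resets and notification.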
Company Fined for Internal Cyber-security Flaws
- Background: Bupa Insurance Services Limited, a London-based private health care not-for-profit company, was fined £175,000 after an employee extracted the personal information of over half a million customers and sold it on the dark web.
- What went wrong: An employee gained access to the company’s customer relationship management system, which holds customer records relating to 1.5 million people. The employee then sent bulk data reports from the system to his personal email account. The compromised information included 547,000 customers’ names, birthdates, email addresses and nationalities, which were offered for sale on the dark web. The company discovered the breach when an external partner found evidence of customer data for sale. An ICO investigation revealed that the company did not routinely monitor the customer relationship management system’s activity log, leaving customer records vulnerable to attack.
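The unmonitored activity log is the point to act on: bulk reports leaving for an external mailbox, and a single user's daily export volume far above ordinary report sizes, are both visible in such a log if anyone reviews it. The review routine below is an added example, not code from the original article or from the company discussed; the CRM log format, domain and row limit are constructed assumptions.

```python
"""Review a CRM activity log for bulk exports leaving the organisation.

Constructed sample log (not from any real CRM). Each line is one event:
timestamp, user, action, row count and, for exports, the destination
address. Two signals are raised: exports addressed outside the
organisation's own mail domain, and a user's daily export total above a
limit set from the size of reports the business actually needs.
"""
from collections import defaultdict

ALLOWED_DOMAIN = "crm.example.internal"   # placeholder for the organisation's mail domain

SAMPLE_LOG = """\
2017-01-10T09:12:00Z user=jsmith action=export rows=120 dest=jsmith@crm.example.internal
2017-01-10T09:40:00Z user=jsmith action=export rows=90 dest=jsmith@crm.example.internal
2017-01-10T18:02:00Z user=mjones action=export rows=180000 dest=mj.personal@example.com
2017-01-10T18:05:00Z user=mjones action=export rows=220000 dest=mj.personal@example.com
2017-01-11T10:00:00Z user=aclark action=view rows=1 dest=-
2017-01-11T11:30:00Z user=aclark action=export rows=15000 dest=aclark@crm.example.internal
"""

def parse_line(line):
    """Parse 'ts key=val ...' and derive the calendar day for per-day totals."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["day"] = ts[:10]
    rec["rows"] = int(rec["rows"])
    return rec

def review_exports(log_text, daily_row_limit=10_000, allowed_domain=ALLOWED_DOMAIN):
    """Return a sorted list of (user, day, reason) alerts for a reviewer.

    daily_row_limit is an illustrative assumption; a value too low flags
    legitimate large reports (aclark below), too high misses a slow exfiltration.
    """
    daily_rows = defaultdict(int)
    alerts = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "export":
            continue
        key = (rec["user"], rec["day"])
        daily_rows[key] += rec["rows"]
        domain = rec["dest"].rpartition("@")[2]
        if domain != allowed_domain:
            alerts.add((*key, f"export sent outside {allowed_domain}: {rec['dest']}"))
    for (user, day), total in daily_rows.items():
        if total > daily_row_limit:
            alerts.add((user, day, f"{total} rows exported in one day (limit {daily_row_limit})"))
    return sorted(alerts)
```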
Business Fined After Sensitive Hard Drive Stolen
- Background: Jala Transport Limited, a Wembley-based loans company, was fined £70,000 after an unencrypted hard drive containing customer data was stolen.
- What went wrong: The sole proprietor of the business kept the hard drive, along with several other business materials, stored in a case in his car. The case was later stolen as the car idled at a red light. The hard drive—which contained names, birthdates and addresses of loan applicants and the payment details of the business’ 250 clients—was password protected but not encrypted.
Council Fined for Lax Laptop Security
- Background: The Glasgow City Council was fined £150,000 after two unencrypted laptops, which contained personal information of more than 20,000 individuals, were stolen from its building.
- What went wrong: While the city council building was undergoing refurbishment, lax security allowed an unknown individual access to the office where the laptops were stored. Despite previous warnings from the ICO, the council failed to provide its staff with laptops capable of encrypting private and sensitive information.
Company Fined Following Malware Disaster
- Background: Dixons Carphone, a multinational telecommunications retailer, was fined £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack.
- What went wrong: Cyber-criminals hacked into the retailer’s computer system, installing malware on over 5,000 tills at various company store locations. In doing so, the hackers gained access to 5.6 million payment card details used in transactions and the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks from internal servers. An ICO investigation revealed that the company had a variety of poor software security arrangements in place, which ultimately led to the breach. This included inadequate software patching, absence of a local firewall, and lack of network segregation or routine security testing.
Why You Need Cyber-insurance
Clearly, no organisation is immune to the costly damages that accompany a cyber-attack. Although implementing cyber-security measures can help keep your business safe from a breach, you can ensure ultimate peace of mind against cyber-attacks by purchasing robust cyber-cover. For insurance solutions, contact us today.
Contains public sector information published by the ICO and licensed under the Open Government Licence.
The content of this Risk Insights is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. Design © 2020 Zywave, Inc. All rights reserved.