The biggest UK data breaches of 2018 so far…

We’re seven months into the year and already hundreds of cyber attacks have been reported from all over the world.

From Carphone Warehouse being fined to the huge Ticketmaster breach, this year has shown that no business is safe from the cyber threat.

Let’s get started:

January – Law Firms Breached

Top 500 UK law firms

Type of attack: Data Breach

What happened: A cyber security company studied 620 domains belonging to 500 of the UK’s law firms and found 1.16 million corporate email addresses on various sites that collect previously stolen or leaked credentials. The vast majority of the credentials were taken from third-party breaches where law firm employees had signed up with their work credentials.

Impact: Employees at the law firms whose details were leaked are increasingly vulnerable to spear phishing emails and identity theft or fraud.

Source: https://www.computing.co.uk/ctg/news/3025074/one-million-email-credentials-from-the-top-500-uk-law-firms-found-for-sale-on-the-dark-web

Leicester Council

Type of attack: Accidental insider

What happened: The council accidentally leaked personal details of potentially thousands of children with special needs in an e-mail it sent to 27 travel companies.

Impact: A former employee was prosecuted and fined by the Information Commissioner’s Office (ICO).

Source: https://www.teiss.co.uk/news/leicester-city-council-data-breach/

Carphone Warehouse

Type of attack: Vulnerability exploit

What happened: Using valid login credentials, intruders were able to access the system via an out-of-date version of WordPress. The unauthorised access led to the names, addresses, phone numbers, dates of birth and marital status of 1,000 employees and more than 18,000 customers being leaked, along with historical payment card details.

Impact: The ICO fined the company £400,000

Source: https://www.bbc.co.uk/news/business-42637820

February – Crypto Mining Makes Headlines

Snapchat

Type of attack: Phishing

What happened: A government official from Dorset provided Snapchat with information about an attack on the company’s users that led to the details of 55,851 accounts, including usernames and passwords, being made publicly available and embedded on a phishing website.

Impact: Highlighted how vulnerable users of the app are to phishing attacks.

Source: https://www.mobilemarketer.com/news/snapchats-phishing-attack-breached-50k-accounts/517377/

ICO, NHS and others

Type of attack: Compromised third-party plug in

What happened: It was discovered that hundreds of websites, including the ICO’s and the NHS’s, that used a plugin called Browsealoud had been hijacked to inject Coinhive’s Monero miner and mine cryptocurrency.

Impact: The compromise was quickly detected and fixed but highlighted the increase in cryptojacking.

Source: https://www.bbc.co.uk/news/technology-43025788

March – ‘It could be you’

National Lottery

Type of attack: Credential stuffing

What happened: Around 150 accounts were breached successfully, prompting a report to the authorities and a warning in the media.

Impact: The National Lottery warned 10 million players with online accounts to change their passwords due to the security breach.

Source: https://www.theinquirer.net/inquirer/news/3028812/national-lottery-out-of-luck-as-it-suffers-another-data-breach

Tesco/Travelex

Type of attack: Data Breach

What happened: 17,000 Tesco Travel Money customers had personal information stolen, including full names and addresses.

Impact: The reputational damage was high due to Tesco Bank also being breached in 2016.

Source: http://www.thisismoney.co.uk/money/holidays/article-5495715/Tesco-Travel-Money-hit-customer-data-leak-partner-Travelex.html

NHS Kent and Medway

Type of attack: Insider threat

What happened: An employee accessed confidential patient records for no legitimate reason.

Impact: Said employee was fired from their position. Reputational damage.

Source: https://www.teiss.co.uk/information-security/kent-medway-nhs-trust-data-breach/

School bomb hoaxes

Type of attack: Hoax emails

What happened: 400 hoax emails were sent to schools all over the UK.

Impact: Besides causing massive disruption and panic amongst parents and emergency services, the incident ended with the 19-year-old sender of the hoax emails being arrested.

Source: https://www.theguardian.com/education/2018/mar/19/more-than-400-schools-in-england-receive-hoax-bomb-threats


April – Reputational Damage

TSB Bank

Type of attack: Third party breach

What happened: Whilst the bank was upgrading its systems, online banking data was leaked to customers and there was mass disruption to services.

Impact: Phishing scams aimed at TSB customers and fake websites posing as TSB surged in the following weeks with scammers stealing a significant amount of cash from TSB customer accounts. The reputational damage was high.

Source: https://www.information-age.com/tsb-chaos-online-banking-data-leak-123471613/

May – Paying the price for old vulnerabilities

Greenwich University

Type of attack: Data breach

What happened: The information of 19,500 students was leaked online via an insecure microsite way back in 2004.

Impact: The ICO fined the university £120,000 highlighting that it doesn’t matter how long ago a breach occurred, organisations are still liable. Greenwich is the first university to have been fined under the Data Protection Act 1998.

Source: https://www.bbc.co.uk/news/technology-44197118

Jaguar Land Rover

Type of attack: Data breach

What happened: The details of hundreds of redundancy-threatened Jaguar Land Rover workers were leaked. The data contained the payroll numbers, names, disciplinary records and sick days taken by employees.

Impact: The ICO launched an investigation and the breach was harmful to the company’s reputation.

Source: https://www.huffingtonpost.co.uk/entry/information-commissioner-will-probe-data-breach-at-jaguar-land-rover-plant_uk_5b07f35ae4b0802d69ca49c5

June – Third party dangers

Ticketmaster

Type of attack: Breached via a third-party

What happened: Ticketmaster itself wasn’t breached; rather, a third-party subcontractor, Inbenta Technologies, which operates a chatbot on the Ticketmaster website, was. A line of JavaScript code written for the chatbot was also loaded on the Ticketmaster payments page; when hackers discovered this, they modified it to extract payment information and harvest user data.

Impact: 40,000 Ticketmaster customers’ details were stolen, resulting in some being scammed. The company’s reputation took a hit after it was revealed that it had been warned of the breach several months before it went public.

Source: https://www.bbc.co.uk/news/technology-44628874

Yahoo!

Type of attack: Spear phishing email

What happened: The ICO fined Yahoo! for the 2014 data breach that resulted in the data of more than 500 million users worldwide being compromised; 8 million of them were from the UK. The attackers gained access via an employee clicking on a malicious link in a phishing email. The ICO concluded: “The failings our investigation identified are not what we expect or will accept from a company processing significant volumes of personal data. Yahoo! UK Services Ltd had ample opportunity to implement appropriate measures, and potentially stop UK citizens' data being compromised.”

Impact: The ICO fined Yahoo! £250,000

Source: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/yahoo-fined-250-000-after-systemic-failures-put-customer-data-at-risk/

UK Bible Society

Type of attack: Cracked password/ransomware

What happened: An easy-to-crack password was used by a hacker to gain access to the details of 400,000 users. The attacker also deployed ransomware that encrypted a million files held by the Society.

Impact: The ICO fined the group £100,000 for computer security failings.

Source: https://www.telegraph.co.uk/news/2018/06/08/bible-society-fined-100k-cyber-hack-417000-christian-backers/


July – Even Facebook isn't safe

Typeform

Type of attack: Vulnerability exploit

What happened: The survey-as-a-service, used by a multitude of companies, discovered that an intruder had accessed files from a “partial backup” containing what it termed “partial information”. From the Electoral Commission to Travelodge and the Liberal Democrats, many organisations from across the world were affected by the breach.

Impact: No payment data was exposed and the vulnerability was quickly fixed. The main impact was to Typeform’s reputation and the increased awareness of the potential risks posed by using third party apps.

Source: https://thehackernews.com/2018/06/typeform-survey-software.html

Facebook

Type of attack: Data harvesting

What happened: A big scandal in the media. Facebook failed to ensure that another company, Cambridge Analytica, had deleted users’ data.

Impact: The ICO aims to fine Facebook the maximum amount of £500,000. The social media website’s reputation took a short-term hit. Cambridge Analytica was forced to close due to negative media attention.

Source: https://www.computerweekly.com/opinion/What-the-ICOs-Facebook-fine-teaches-us

Timehop

Type of attack: Data breach

What happened: A hacker used an admin’s credentials to log into the Timehop cloud servers and created a new admin account. The breached account was not protected by two-factor authentication. As a result, the attacker was able to steal data that included names and/or usernames along with email addresses for around 21 million Timehop users. 4.7 million phone numbers were compromised.

Impact: Aside from the cost of calling in a cyber security company and a damaged reputation, the full impact remains to be seen. Phishing attacks and other scams targeted at those whose data was stolen could increase over the coming months.

Source: https://techcrunch.com/2018/07/09/timehop-discloses-july-4-data-breach-affecting-21-million/

As you can see it’s been a very busy year in terms of cybersecurity breaches. If we included every reported incident from around the globe this post would probably become a 10-parter!

Don’t be the next TalkTalk – The Basics Work!

Many of the incidents demonstrate how not doing the security basics can lead to a breach. Poor passwords, unpatched software and accidental insider actions remain the most common forms of breach (even after all of the awareness that’s out there!).

Third-Party Breaches – Secure Your Supply Chain

Many of the cyber-attacks and incidents listed above can be traced back to a third-party app or partner being the initial point of the breach. As some organisations become better at defending themselves, it’s clear that criminals are seeking out other ways to attack them. Going in through a less well-defended member of a supply chain or a third-party provider is on the rise as attackers adapt their tactics.

How can CyberScore™ help protect your organisation?

CyberScore™ is a fully automated, rapid, scalable, cyber security testing and rating service that aims to help organisations of all sizes and sectors assess their current cybersecurity posture and bolster their defences – at scale, and for a fraction of the time and cost of traditional penetration testing.

CyberScore™ also allows you to:

  • Continuously understand your cybersecurity posture
  • Track your progress and watch your cyber health improve as mitigation measures are implemented
  • Track cyber risks across supply chains and third parties without the need for consultants or questionnaires
  • Set minimum standards, hold suppliers and service providers to account
  • Dispense with impenetrable reports. Instead, receive a clear and concise Get-Well Plan that can be shared with staff and service providers
  • Dramatically reduce the cost and improve the quality of compliance penetration testing

Want to learn more about how CyberScore™ can help secure your business? Visit our website at www.xqcyber.com and if you want to give yourself the very best protection against cybersecurity threats, try our CyberScore™ software for free now.
