Top 10 Infamous Data Breaches

In light of the recent disclosures from Yahoo, Three and Tesco Bank that they have been victims of data breaches, we’ve put together a list of the top 10 most (in)famous breaches. Some were caused by criminal attacks, whilst others were down to poor processes and controls within the affected organisations.

Yahoo (2016)

The Internet service company Yahoo! reported two major data breaches of user account data to hackers during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014, and affected over 500 million Yahoo! user accounts.

A separate data breach, occurring earlier around August 2013, was reported in December 2016, and affected over 1 billion user accounts.

Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords.

Further, Yahoo! reported that the late 2014 breach likely used manufactured web cookies to falsify login credentials, allowing hackers to gain access to any account without a password.

Yahoo! has been criticised for their late disclosure of the breaches and their security measures, and is currently facing several lawsuits as well as investigation by members of the United States Congress. The breaches impacted Verizon Communications’s July 2016 plans to acquire Yahoo! for about $4.8 billion, which resulted in a drop of $350 million in the final price when the deal closed in June 2017.

Three Mobile (2016)

Three, one of Britain’s largest mobile operators, has revealed it’s had a major data breach that could put millions of its customers at risk. According to The Telegraph, hackers accessed Three’s customer upgrade database using an employee login.

Three said that the data accessed did not include any financial information but did say that names, phone numbers, addresses and dates of birth of its customers were obtained.

Since the announcement of the breach (17th November), police have arrested three men in connection with the breach.

Tesco Bank (2016)

In November, Tesco Bank, the consumer finance wing of the British supermarket giant, froze its online operations – after as many as 20,000 customers had money stolen from their accounts.

Chief executive Benny Higgins said in a statement published on the Tesco Bank website that 40,000 accounts had been compromised – and half of those had money stolen from them. Customers will be able to use their cards for cash withdrawals, direct debits and chip and PIN, but will not be able to make online transactions until the situation is under control.

The bank only confirmed that it was subject to criminal activity, and did not describe the attack.

Tesco Bank, which has over seven million customer accounts, has said it will cover any financial costs of the breach.

Adrian Davis, Managing Director for EMEA at (ISC)2, the independent body for infosec professionals, said the breach is evidence of Tesco Bank losing control of operational risk.

“I believe we are at a point where, despite growing awareness of the issues, business leaders are losing control and visibility of core business risk,” Davis said. “They have not realised just how much their organisations have changed in the digital age and how this is leaving them vulnerable. They have not treated cyber risk as anything more than an IT problem, and now they, and we, are paying the price.”

Kiddicare (2016)

Peterborough-based online child products retailer Kiddicare was forced to admit it had exposed real customer data when testing a new website in 2015.

In this case, the mistake was only noticed when customers started receiving suspicious SMS text messages asking them to take an online survey, and an investigation eventually uncovered the error.

As with many UK breaches, the company played down the fact that it had let the names, addresses and contact details of up to 800,000 people fall into malevolent hands, with the excuse that no credit card data had been compromised (which would have been its liability had that happened).

TalkTalk (2015)

Publicised in October 2015, TalkTalk initially struggled to confirm how many of its four million customers were affected after hackers exploited a reported weakness in the firm’s website.

TalkTalk CEO Baroness Dido Harding sounded disquietingly vague about the attack’s scale when interviewed on TV, and it later transpired that a ‘mere’ 157,000 personal records had been compromised.

Shockingly, the incident was the second (and possibly third) data breach affecting the company in under a year, which could mark it as the moment when dissatisfaction over the rising number of breaches became both political and mainstream in the UK. The share price of TalkTalk dropped by 20% overnight following the disclosure of the data breach.

Moonpig (2015)

Another biggie: a software flaw in the firm’s Android app let a researcher access the records of any Moonpig account holder he tried, in theory compromising a total of three million people.

The researcher reported the issue to the firm 18 months before going public in early 2015, after receiving an inadequate response. The incident is significant partly because it involved a mobile app rather than the more common website breach.

Think W3 Limited (2014)

A serious attack in which a hacker was able to get his or her hands on 1,163,996 credit and debit card records from online holiday firm Think W3 by using a well-known database attack to exploit a weakness on its website.

The ICO (Information Commissioner’s Office) described the incident as a “staggering lapse” and fined the firm £150,000.

Mumsnet (2014)

A direct victim of the infamous and widespread Heartbleed software flaw, Mumsnet revealed that the compromise allowed hackers to access anything up to 1.5 million user accounts on the hugely popular site.

Although the data inside these accounts was less sensitive than in some of the other incidents, the hack revealed both the potency of big but undiscovered software issues affecting multiple sites and that even big brands could be affected.

Staffordshire University (2014)

A re-run of the lost-laptop theme that people assumed had been consigned to history, this time involving the records of 125,000 students and applicants on a computer stolen from a car.

The files had been password-protected, the University said plaintively. That wouldn’t have been much of a barrier to the name, address, telephone number and email data.

This incident acted as a reminder that just because times have moved on doesn’t mean the old problems go away.

Morrison’s supermarket (2014)

An unusual example of the insider attack: the attacker published details of the firm’s entire workforce database online, 100,000 employees in all.

An employee was eventually arrested for the incident and will presumably come to court at some point, which could reveal more details of how the firm’s security was bypassed.

Insider events are rare but particularly feared because they abuse privileged access that is hard to lock down. Some employees later launched legal action against Morrison’s.

Sony PlayStation Network (2011)

The largest data breach in history at the time, Sony’s disastrous 2011 breach saw hackers make off with the customer records of 77 million people relating to its PlayStation Network, including a small number containing credit card numbers.

Apart from downing the company’s systems for an extraordinary 23 days, the breach crossed national frontiers, affecting people from all over the world, including the UK. Britain’s ICO eventually issued a £250,000 fine for what will go down as the first big data breach to affect people across the globe.

Brighton and Sussex University Hospitals NHS Trust (2010)

The Information Commissioner (ICO) ended up imposing a fine of £325,000 after sensitive patient data of thousands of people was discovered on hard drives sold on eBay.

An investigation found that at least 232 decommissioned drives that should have been deep cleaned and destroyed by a contractor ended up being sold second hand.

If you ever consider disposing of an old computer, remember to take the hard drive out and take a very big hammer to it!

T-Mobile (2009)

Sales staff were caught selling customer records to brokers, who used the information to market to those customers as their contracts were coming to an end. It was never clear how many records were involved in this murky insider trade, but it was believed to run from half a million to millions.

Initially the ICO refused to name the firm, but was forced to after rival networks said they were not involved, leaving only one name.

In 2011, the two employees involved were fined £73,000 by the courts.

HM Revenue & Customs (2007)

Probably the most infamous large data breach ever to occur in the UK: two CDs containing the records of 25 million child benefit claimants in the UK (including every child in the country) went missing in the post.

There was never any indication that these password-protected discs had fallen into the wrong hands, but the incident underlined how valuable data was being handled by poorly-trained junior employees.

Nationwide Building Society (2006)

The moment data breaches entered public consciousness in the UK, the Nationwide incident involved an unencrypted laptop stolen from a company employee that put at risk the personal data of 11 million savers. The UK’s poor disclosure rules made it difficult for outsiders to get information on what had occurred.

The Financial Services Authority (FSA) eventually fined Nationwide £980,000, still the largest sum ever imposed for data loss in the UK, and seen at the time as a warning shot for other firms that might have similar incidents. Not everyone noticed.
