The number of UK organisations falling victim to cyber attacks has grown steadily over the past several years, and the rapid shift to remote working during COVID-19 produced a further spike.
Cyber attacks do not discriminate: businesses of all sizes and in all industries have been targeted. It is dangerous to assume that attacks only happen to other businesses or that the consequences will be minor. In an era of evolving threats and strict regulatory requirements such as the General Data Protection Regulation, a serious breach can threaten an organisation's ability to keep trading. Between regulatory fines, lost or stolen data, business interruption, reputational damage and direct financial loss, the ramifications of a cyber attack can be devastating.
The consequences of a cyber attack are long-lasting and potentially ruinous. Don't let your organisation become a cautionary tale.
Learn from the failings identified in the following Information Commissioner's Office (ICO) enforcement actions so that your organisation does not suffer the same consequences. Each case below names the control that was missing; those controls are the practical takeaway.
Notable Cyber Security Fines
Company Fined for Lacking Website Security
- Background: British Airways, a major UK airline, received a notice of intent from the ICO in July 2019 proposing a fine of £183 million after attackers stole the personal data of almost half a million customers. (The final penalty, issued in October 2020, was reduced to £20 million, which was still the largest the ICO had imposed at that time.)
- What went wrong: Attackers compromised the airline's website so that customer traffic was diverted to a fraudulent site under their control. Customers entering details on that site unknowingly handed over names, addresses, login credentials, payment card information and travel booking details; nearly 500,000 people were affected. Because the data was captured as it was typed, the security of the airline's back-end databases was never the deciding factor; the integrity of the public web front end was. The ICO's investigation concluded that the compromise was possible because of poor security arrangements at the company.
Business Fined for Multiple Data Protection Failings
- Background: Uber, an international ride-sharing business, was fined £385,000 after a series of avoidable security failings allowed attackers to access the personal data of nearly 2.7 million UK customers and over 80,000 UK drivers.
- What went wrong: The company's cloud-based data storage was accessed after the attackers used 'credential stuffing': replaying username and password pairs leaked from earlier, unrelated breaches against the login endpoint until some of them matched an existing account. The technique works only because people reuse passwords across services, which is why rate limiting logins per source, checking new passwords against known-breached lists and requiring a second factor are the standard defences. From there, the attackers downloaded sensitive personal information of both UK customers and drivers, including full names, email addresses, phone numbers, payment information and driving routes.
What's more, the company did not inform the affected customers and drivers until more than a year later. Instead, it paid the attackers to destroy the data they had downloaded. The ICO's investigation found that the company had breached multiple data protection principles: the security failures themselves, the payment to the attackers, and the decision to keep quiet about the incident rather than notify the regulator and those affected.
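The credential stuffing pattern described above is easy to spot in authentication logs once you know what to look for: a single source address failing against many different usernames in a short window, with the occasional success marking an account whose reused password was in the attackers' list. The following detector is an added example written for this article, not code from Uber or the ICO; the log format, the sample lines and the thresholds are all constructed for illustration.

```python
"""Detect credential stuffing in authentication logs.

Credential stuffing replays leaked username/password pairs against a login
endpoint. Each pair is usually tried once, so a stuffing source shows many
failures across many *distinct* usernames in a short window, followed by a
handful of successes. The log format and the sample lines below are
constructed for this example and are not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: ISO timestamp, result, client IP, attempted username.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)

# Constructed sample: 203.0.113.5 is a stuffing source (one attempt per
# username, one hit); 198.51.100.7 is a real user mistyping a password.
SAMPLE_LOG = """\
2016-10-13T08:00:01Z auth=fail ip=203.0.113.5 user=alice
2016-10-13T08:00:02Z auth=fail ip=203.0.113.5 user=bob
2016-10-13T08:00:02Z auth=fail ip=203.0.113.5 user=carol
2016-10-13T08:00:03Z auth=fail ip=203.0.113.5 user=dave
2016-10-13T08:00:04Z auth=fail ip=203.0.113.5 user=erin
2016-10-13T08:00:04Z auth=ok ip=203.0.113.5 user=frank
2016-10-13T08:00:05Z auth=fail ip=203.0.113.5 user=grace
2016-10-13T08:00:06Z auth=fail ip=198.51.100.7 user=alice
2016-10-13T08:00:09Z auth=fail ip=198.51.100.7 user=alice
2016-10-13T08:00:15Z auth=ok ip=198.51.100.7 user=alice
2016-10-13T09:30:00Z auth=ok ip=192.0.2.44 user=heidi
"""


def parse(log_text):
    """Yield (timestamp, result, ip, user) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["ip"], m["user"]


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"users": n, "successes": [...]}} for every source IP that
    failed against at least `min_users` distinct usernames within `window`.

    Counting distinct usernames rather than raw failures is what separates
    stuffing from a legitimate user retyping a password: the latter fails
    against one account, the former against many. "successes" lists the
    accounts that IP did log into, i.e. the ones to force-reset first.
    """
    by_ip = defaultdict(list)
    for ts, result, ip, user in sorted(parse(log_text)):
        by_ip[ip].append((ts, result, user))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        failed_users = defaultdict(int)  # username -> failures inside window
        for ts, result, user in evs:
            if result == "fail":
                failed_users[user] += 1
            # Slide the window start forward, dropping failures that expired.
            while evs[start][0] < ts - window:
                old_ts, old_result, old_user = evs[start]
                if old_result == "fail":
                    failed_users[old_user] -= 1
                    if failed_users[old_user] == 0:
                        del failed_users[old_user]
                start += 1
            if len(failed_users) >= min_users:
                successes = [u for _, r, u in evs if r == "ok"]
                findings[ip] = {"users": len(failed_users), "successes": successes}
                break  # one alert per IP is enough
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['users']} distinct usernames failed; "
              f"accounts logged into: {info['successes']}")
```

Run against the constructed sample, the detector flags only 203.0.113.5 and reports "frank" as the account to reset; the user retrying their own password from 198.51.100.7 is not flagged. In production the same logic would sit on a stream of login events and feed a rate limiter or a step-up authentication rule rather than a print statement.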
Company Fined for Internal Cyber Security Flaws
- Background: Bupa Insurance Services Limited, part of the UK private healthcare group Bupa, was fined £175,000 after an employee extracted the personal information of over half a million customers and offered it for sale on the dark web.
- What went wrong: An employee had legitimate access to the company's customer relationship management system, which holds records relating to 1.5 million people. He generated bulk data reports from the system and sent them to his personal email account. The extracted information covered 547,000 customers' names, birthdates, email addresses and nationalities, and was put up for sale on the dark web. The company only learned of the breach when an external partner found the data on offer. The ICO's investigation found that the company did not routinely monitor the CRM system's activity log, so the unusually large exports went unnoticed until the data surfaced for sale. The log existed; nobody was reviewing it.
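The missing control in the Bupa case was review of an activity log the system already kept. The following script is an added example written for this article, not code from Bupa or the ICO; it shows the sort of check that would have caught bulk extraction: daily export volume per user compared against a hard limit and against that user's own typical volume, plus a flag for exports sent to non-corporate addresses. The log format, the sample lines, the corporate domain and the thresholds are all constructed for illustration.

```python
"""Flag bulk data exports in a CRM activity log.

Insider bulk extraction is visible in the system's own activity log if
someone looks: one user pulling far more records than they usually do, or
than anyone's job needs, or sending exports outside the company. The log
format, sample lines and thresholds below are constructed for this example
and are not from any real CRM product.
"""
from collections import defaultdict
from statistics import median
import re

# Constructed log format: date, time, user, action, optional row count and
# destination address for export actions.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ user=(?P<user>\S+) action=(?P<action>\w+)"
    r"(?: rows=(?P<rows>\d+))?(?: dest=(?P<dest>\S+))?$"
)

CORP_DOMAIN = "example.com"  # assumed corporate mail domain for this example

# Constructed sample: claims01 exports small reports daily; analyst7 pulls
# ~900 rows a day until one evening of 210,000 rows, part of it to a personal address.
SAMPLE_LOG = """\
2017-01-03 09:12:44 user=claims01 action=view
2017-01-03 09:15:02 user=claims01 action=export rows=40 dest=claims01@example.com
2017-01-04 10:01:10 user=claims01 action=export rows=55 dest=claims01@example.com
2017-01-05 11:22:19 user=claims01 action=export rows=35 dest=claims01@example.com
2017-01-05 11:40:00 user=analyst7 action=export rows=900 dest=analyst7@example.com
2017-01-06 22:04:51 user=analyst7 action=export rows=120000 dest=analyst7@example.com
2017-01-06 22:09:13 user=analyst7 action=export rows=90000 dest=someone@personal-mail.example
2017-01-07 08:00:00 user=analyst7 action=export rows=800 dest=analyst7@example.com
"""


def parse_exports(log_text):
    """Yield (date, user, rows, dest) for export actions; other actions are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "export":
            yield m["date"], m["user"], int(m["rows"] or 0), m["dest"] or ""


def flag_bulk_exports(log_text, hard_limit=50000, ratio=10):
    """Return [(user, date, rows_that_day, [reasons])] for suspicious days.

    Three independent tests, any one of which raises an alert:
      * the day's total exceeds `hard_limit` rows (nobody needs this much);
      * the day's total is `ratio` times the user's own median daily volume
        (a change in behaviour, even for users whose normal volume is high);
      * any export that day went to an address outside CORP_DOMAIN.
    """
    days = defaultdict(lambda: {"rows": 0, "external": set()})
    for date, user, rows, dest in parse_exports(log_text):
        day = days[(user, date)]
        day["rows"] += rows
        if dest and not dest.endswith("@" + CORP_DOMAIN):
            day["external"].add(dest)

    per_user = defaultdict(list)
    for (user, date), day in days.items():
        per_user[user].append((date, day))

    alerts = []
    for user, entries in per_user.items():
        baseline = median(day["rows"] for _, day in entries)
        for date, day in sorted(entries, key=lambda e: e[0]):
            reasons = []
            if day["rows"] >= hard_limit:
                reasons.append(f"{day['rows']} rows exceeds hard limit of {hard_limit}")
            if baseline > 0 and day["rows"] >= ratio * baseline:
                reasons.append(f"{day['rows'] / baseline:.0f}x this user's median daily volume")
            if day["external"]:
                reasons.append("exported to non-corporate address: "
                               + ", ".join(sorted(day["external"])))
            if reasons:
                alerts.append((user, date, day["rows"], reasons))
    return alerts


if __name__ == "__main__":
    for user, date, rows, reasons in flag_bulk_exports(SAMPLE_LOG):
        print(f"{date} {user}: {rows} rows")
        for r in reasons:
            print("  -", r)
```

On the constructed sample only analyst7 on 2017-01-06 is flagged, and for all three reasons at once. The median-based test matters because a fixed limit alone would let a high-volume role leak data slowly; the per-user baseline catches the change in behaviour instead. A check like this should run daily, not be left for an external partner to discover the outcome.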
Business Fined After Sensitive Hard Drive Stolen
- Background: Jala Transport Limited, a Wembley-based loans company, was fined £70,000 after an unencrypted hard drive containing customer data was stolen.
- What went wrong: The sole proprietor kept the hard drive, along with other business materials, in a case in his car. The case was stolen while the car was stopped in traffic. The drive, which held the names, birthdates and addresses of loan applicants and the payment details of the business's 250 clients, was password protected but not encrypted. The distinction matters: a password set in an operating system or on a drive's management interface only gates normal access, and the data can still be read by connecting the drive to another machine. Only encryption of the data itself protects it once the hardware is in someone else's hands.
Council Fined for Lax Laptop Security
- Background: Glasgow City Council was fined £150,000 after two unencrypted laptops containing personal information on more than 20,000 individuals were stolen from its premises.
- What went wrong: While a council building was being refurbished, lax physical security allowed an unknown individual into the office where the laptops were stored. Despite an earlier ICO enforcement notice on the same subject, the council had not ensured that the laptops issued to its staff were encrypted. With full-disk encryption a stolen laptop is a hardware loss; without it, every record on the disk is exposed.
Company Fined Following Malware Disaster
- Background: Dixons Carphone, a multinational electrical and telecommunications retailer, was fined £500,000 after its point-of-sale systems were compromised in a cyber attack.
- What went wrong: Attackers gained access to the retailer's network and installed malware on over 5,000 tills across its stores. Through this they obtained 5.6 million payment card details used in transactions, as well as the personal information of approximately 14 million people held on internal servers, including full names, postcodes, email addresses and failed credit checks. The ICO's investigation found a range of poor security arrangements that together made the breach possible: inadequate software patching, no local firewall, and no network segregation or routine security testing. The lack of segregation is what turned one foothold into access to the entire till estate and the internal servers; a segmented network would have confined the attackers to wherever they first got in.
Why You Need Cyber Insurance
Clearly, no organisation is immune to the costly damage that follows a cyber attack. The controls missing in the cases above (monitoring, encryption, patching, segmentation, multi-factor authentication) are the first line of defence, but no set of controls removes the risk entirely. Robust cyber cover addresses the residual financial exposure that remains when a breach does occur. For Cyber Insurance solutions, contact us today.