Notable Cyber Security Fines and Prosecutions

The number of UK organisations that have fallen victim to cyber attacks has grown steadily over the past several years, and the trend has accelerated during the COVID-19 pandemic.

Cyber attacks do not discriminate: businesses of all sizes and industries have been targeted. It is dangerous to assume that cyber attacks only happen to other businesses or that the consequences will be minor. In an era of evolving cyber threats and strict regulatory requirements such as the General Data Protection Regulation, a cyber attack can threaten the survival of any organisation. Between hefty non-compliance fines, lost or stolen data, business interruption, reputational damage and financial loss, the ramifications of a cyber attack can be devastating.

The consequences of a cyber attack are long-lasting and potentially ruinous. Don’t let your organisation become a cautionary tale.

Learn from the mistakes behind the following Information Commissioner's Office (ICO) enforcement actions to ensure that your organisation does not suffer the same consequences.

Notable Cyber Security Fines

Company Fined for Lacking Website Security

  • Background: British Airways, a major UK airline, was served with an ICO notice of intent to fine it over £183 million after attackers stole the personal data of around half a million customers.
  • What went wrong: Attackers compromised the company's website and diverted user traffic to a fraudulent site. Through that site they harvested the personal data of nearly 500,000 customers, including names, addresses, login details, payment card information and travel booking details. The ICO's investigation found that the website had been compromised because of poor security arrangements.

Business Fined for Multiple Data Protection Failings

  • Background: Uber, an international ride-sharing business, was fined £385,000 after a series of avoidable cyber security flaws allowed attackers to access the personal data of nearly 2.7 million UK customers and over 80,000 UK drivers.
  • What went wrong: The company's cloud-based data storage was accessed by attackers who used a technique known as 'credential stuffing': username and password pairs compromised in other breaches were tried against the service in bulk until they matched an existing account. From there, the attackers downloaded sensitive personal information of both UK customers and drivers, including full names, email addresses, phone numbers, payment information and driving routes.

What's more, the company did not inform the affected customers and drivers until more than a year later. Instead, it paid the attackers to destroy the data they had downloaded. The ICO's investigation found that the company had breached multiple data protection principles: its data security had failed, it had paid the attackers, and it had kept quiet about the incident rather than informing the regulator or those affected.
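Credential stuffing as described above leaves a characteristic trace in authentication logs: one source address attempting many different usernames in a short window, with the occasional success marking an account that has just been taken over. The detector below is an added example, not code from the original post or from Uber or the ICO. The log format (timestamp, username, source IP, result) and the sample lines are constructed for illustration; the thresholds are assumptions to be tuned against your own traffic.

```python
"""Detect credential stuffing in login-audit lines (added example).

Assumed log format, one event per line:  <ISO timestamp> <username> <source ip> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.10 tries six different accounts in four
# seconds and lands one (classic stuffing); 198.51.100.7 is a single user who
# mistypes their own password twice, which should not be flagged.
SAMPLE_LOG = """\
2020-06-01T10:00:01 alice@example.com 203.0.113.10 FAIL
2020-06-01T10:00:02 bob@example.com 203.0.113.10 FAIL
2020-06-01T10:00:02 carol@example.com 203.0.113.10 FAIL
2020-06-01T10:00:03 dave@example.com 203.0.113.10 SUCCESS
2020-06-01T10:00:04 erin@example.com 203.0.113.10 FAIL
2020-06-01T10:00:05 frank@example.com 203.0.113.10 FAIL
2020-06-01T10:00:10 grace@example.com 198.51.100.7 FAIL
2020-06-01T10:00:20 grace@example.com 198.51.100.7 FAIL
2020-06-01T10:00:40 grace@example.com 198.51.100.7 SUCCESS
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def find_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: (distinct_users_in_window, [accounts logged in from that ip])}
    for every source IP that attempted at least `min_users` distinct accounts
    within any sliding window of length `window`.

    The successes list is the actionable output: those accounts were matched
    by a stuffing run and should be locked and re-credentialed.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        best_users, best_successes = set(), set()
        start = 0
        for end, (ts, _, _) in enumerate(evs):
            # Advance the window start until it spans at most `window`.
            while ts - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) > len(best_users):
                best_users = users
                best_successes = {u for _, u, r in span if r == "SUCCESS"}
        if len(best_users) >= min_users:
            flagged[ip] = (len(best_users), sorted(best_successes))
    return flagged


if __name__ == "__main__":
    for ip, (n, hits) in find_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct accounts attempted; compromised: {hits}")
```

The sliding window per IP is what separates stuffing from a legitimate user retrying one account: a forgetful user produces many failures but only one username. In production you would also key on user-agent and on the proportion of failures, and feed the flagged IPs to rate limiting at the edge rather than only to a report.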

Company Fined for Internal Cyber Security Flaws

  • Background: Bupa Insurance Services Limited, a London-based private health insurer, was fined £175,000 after an employee extracted the personal information of over half a million customers and offered it for sale on the dark web.
  • What went wrong: An employee with access to the company's customer relationship management (CRM) system, which holds records relating to 1.5 million people, generated bulk data reports from the system and sent them to his personal email account. The compromised information covered 547,000 customers' names, birthdates, email addresses and nationalities, which were offered for sale on the dark web. The company only discovered the breach when an external partner found evidence of the customer data for sale. The ICO's investigation revealed that the company did not routinely monitor the CRM system's activity log, so the bulk exports went unnoticed.
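The control the ICO found missing here is routine review of the CRM activity log. The script below is an added example, not code from the original post or from Bupa or the ICO, of the two checks a practitioner would run over such a log: a per-user daily export volume threshold, and any export delivered to an address outside the company's own mail domain. The log format, the company domain and the sample lines are constructed assumptions.

```python
"""Review a CRM activity log for suspicious bulk exports (added example).

Assumed log format, one event per line:
  <ISO timestamp> <user> <action> rows=<n> dest=<email or ->
"""
from collections import defaultdict
from datetime import datetime

COMPANY_DOMAIN = "example-insurer.test"   # assumption: the organisation's own mail domain

# Constructed sample log. jsmith runs small routine reports to a work address;
# mjones pulls three very large reports, two of them to a personal webmail box.
SAMPLE_CRM_LOG = """\
2018-01-10T09:12:00 jsmith EXPORT_REPORT rows=150 dest=jsmith@example-insurer.test
2018-01-10T11:40:00 jsmith EXPORT_REPORT rows=120 dest=jsmith@example-insurer.test
2018-01-10T13:05:00 mjones EXPORT_REPORT rows=60000 dest=mjones@example-insurer.test
2018-01-10T13:09:00 mjones EXPORT_REPORT rows=45000 dest=personal.mailbox@webmail.test
2018-01-10T13:15:00 mjones EXPORT_REPORT rows=52000 dest=personal.mailbox@webmail.test
2018-01-11T08:00:00 mjones VIEW_RECORD rows=1 dest=-
"""


def parse_event(line):
    """Return (timestamp, user, action, rows, dest) for one log line."""
    ts, user, action, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return (datetime.fromisoformat(ts), user, action,
            int(fields.get("rows", "0")), fields.get("dest", "-"))


def review_exports(log_text, daily_row_limit=10000):
    """Return a list of (user, day, reason) alerts.

    Two rules:
      1. any export sent to an address outside COMPANY_DOMAIN is alerted immediately;
      2. a user whose exports in one day exceed daily_row_limit rows is alerted.
    """
    daily_rows = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rows, dest = parse_event(line)
        if action != "EXPORT_REPORT":
            continue
        day = ts.date().isoformat()
        daily_rows[(user, day)] += rows
        if dest != "-" and not dest.lower().endswith("@" + COMPANY_DOMAIN):
            alerts.append((user, day, f"export of {rows} rows sent to external address {dest}"))
    for (user, day), rows in daily_rows.items():
        if rows > daily_row_limit:
            alerts.append((user, day, f"{rows} rows exported in one day (limit {daily_row_limit})"))
    return alerts


if __name__ == "__main__":
    for user, day, reason in review_exports(SAMPLE_CRM_LOG):
        print(f"{day} {user}: {reason}")
```

Neither rule requires knowing in advance which employee is malicious; both are cheap to run nightly and would have surfaced the pattern in this case (large exports, personal destination) before an outside party found the data on sale.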

Business Fined After Sensitive Hard Drive Stolen

  • Background: Jala Transport Limited, a Wembley-based loans company, was fined £5,000 after an unencrypted hard drive containing customer data was stolen; the ICO said the penalty would have been £70,000 but for the company's limited financial means.
  • What went wrong: The sole proprietor of the business kept the hard drive, along with several other business materials, in a case in his car. The case was stolen while the car was stopped at a red light. The hard drive, which contained the names, birthdates and addresses of loan applicants and the payment details of the business's 250 clients, was password protected but not encrypted, so a password prompt offered no protection once the disk was connected to another machine.

Council Fined for Lax Laptop Security

  • Background: Glasgow City Council was fined £150,000 after two unencrypted laptops containing the personal information of more than 20,000 individuals were stolen from its premises.
  • What went wrong: While the council building was undergoing refurbishment, lax physical security allowed an unknown individual into the office where the laptops were stored. Despite previous warnings from the ICO, the council had failed to provide its staff with laptops capable of encrypting private and sensitive information.

Company Fined Following Malware Disaster

  • Background: Dixons Carphone, a multinational electronics and telecommunications retailer, was fined £500,000 after its point-of-sale systems were compromised in a cyber attack.
  • What went wrong: Attackers broke into the retailer's network and installed malware on over 5,000 tills across its stores. Through the tills they obtained 5.6 million payment card details used in transactions, and from internal servers the personal information of approximately 14 million people, including full names, postcodes, email addresses and failed credit checks. The ICO's investigation found a range of poor security arrangements that together led to the breach: inadequate software patching, no local firewall on the affected systems, and no network segregation or routine security testing.

Why You Need Cyber Insurance

Clearly, no organisation is immune to the costly damage that accompanies a cyber attack. Implementing cyber security measures reduces the likelihood of a breach, but no control eliminates the risk entirely, and robust cyber cover is what absorbs the cost when an incident does occur. For Cyber Insurance solutions, contact us today.
