The 10 biggest corporate cyber security blunders

Revenge attacks, grudges and a phenomenal amount of lost data feature in this UK-focused list

People may be forgiven for thinking that cyber security blunders only occur in US organisations. After all, some of the biggest data breaches have taken place in the US; in the past few years the likes of retailer Target, affair website Ashley Madison, financial services firm JP Morgan Chase, health insurance firm Anthem, and the Office of Personnel Management (OPM) have all suffered huge data breaches. But the UK is doing its best to keep up with its US counterparts. The public sector in particular has been fraught with data breaches, which Computing documented last month.

But what about the private sector?

Well, there are some statistics that make for grim reading for those within the private sector. For example, more than 170 law firms were investigated by the Information Commissioner's Office (ICO) over potential data breaches during 2014, and all of the UK's major banks and lenders have reported data breaches in the last two years.

Computing has spoken to many chief information security officers (CISOs) who still maintain that human error is the biggest cyber security issue. Worse still, according to one survey in the US, a quarter of employees would sell corporate data for just £5k and a staggering three per cent would hand over company data for as little as £100 - so deliberate breaches of data occur alongside those that happen by mistake.

Those statistics are not reassuring for UK consumers, who should rightfully feel betrayed when businesses manage to lose their data, whether by attack or by carelessness.

On that note, here's Computing's list of biggest cyber security blunders.

Computing's Enterprise Security & Risk Management Summit will be on 26th November 2015 in Central London. It is free to attend, click here for details!

10. 'Unforgivable' stupidity at the Bank of Scotland

The Bank of Scotland managed to send documents featuring customer information such as payslips, bank statements, account details and mortgage applications, along with names, addresses and contact details to the wrong address via fax.

But this wasn't a one-off. The first instance was reported in February 2009 by a third-party organisation which had received the fax in error. It then received a further 21 faxes from the Bank of Scotland, while a member of the public also received 10 faxes containing sensitive information. The recipients had fax numbers which were only one digit different from those of the bank department they were intended for - so someone had clearly put the numbers in incorrectly.

The bank was hit with a £75,000 fine for what the ICO's head of enforcement, Stephen Eckersley, said was an "unforgivable" set of actions.

"The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines," he said.

"To send a person's financial records to the wrong fax number once is careless. To do so continually over a three year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act," he added.

9. The Money Shop fined £180k for not being able to keep financial details safe

The Money Shop's owners must have been in a boisterous mood when they offered their customers yet another financial service as a bonus: making their financial details easily accessible to criminals.

The firm lost computer servers holding thousands of customers' financial details in 2014.

One server was stolen from a branch in Lurgan, County Armagh in April last year, and another was lost by a courier firm.

The Money Shop's own rules stipulated that servers should be stored in a separate locked room, but many stores did not have additional rooms available to store them.

The Information Commissioner's Office slapped a £180,000 fine on the organisation, and said that the servers held "large numbers of local and national customer records and employee details".

It found that The Money Shop had a "widespread practice" of moving unencrypted servers between its head office in Nottingham and its branches - and that old customer records had not been deleted.

"There was potential for fraud and financial loss to customers, which is unacceptable, and in both cases had the data been properly encrypted the damage and distress to customers and the monetary penalty could have been avoided," said the ICO's head of enforcement, Stephen Eckersley.

8. IT director hacks former employees in revenge attack

Not all IT leaders leave their organisations on good terms (just ask John Linwood, formerly of the BBC), but you'd expect that even in the worst circumstances there would be some decorum.

Not at Esselar, a firm which designs, delivers and manages enterprise wireless solutions. Richard Neale, who had founded the firm with Shane Taylor and Simon Rogan in 2009, had a disagreement with his colleagues in November 2013 and shortly afterwards left the organisation.

But rather than walking away and getting on with life elsewhere, he decided to take revenge on his former co-workers. Aviva, a customer of Esselar, had its system hacked in May 2014, on the same night Esselar was giving a security demonstration - an attack that wiped data from 900 phones.

Neale admitted being behind the attack, which caused Aviva to end its £80,000-a-year contract with Esselar, and according to prosecutors, Esselar lost £528,000 in other business as a result of the breach.

In fact, the damage was so bad that Esselar had to rebrand itself as 'Mobiliciti'.

Neale, who claimed in court that he was merely "causing mischief", was sentenced to 18 months in prison.

Judge Stewart said that the act was "plainly borne of your resentment".

7. No security checks or reviews since installing a system = being hacked

It's incredible that in this day and age a company doesn't think it essential to put its systems through security checks or reviews after they have been installed. And yet that is exactly what Think W3 Limited, an online travel services company, did.

What happened as a result? The firm was hacked in December 2012, with the hacker extracting over one million credit and debit card records. When the ICO served the company with a £150,000 monetary penalty for breaching the Data Protection Act, it found that 430,599 of the records were current and 733,397 expired. The ICO also found that cardholder details had not been deleted since 2006.

The hacker used an SQL injection attack to exploit a weakness on the website of a subsidiary business, Essential Travel Ltd, and Stephen Eckersley, head of enforcement at the ICO, said it was "a staggering lapse" which left the personal details of more than a million customers exposed to a malicious hacker.

He added that "ignorance from data controllers is no excuse [when it comes to data protection]".

"They must take active steps to ensure the personal data they are responsible for is kept safe or face enforcement action and the resulting reputational damage," said Eckersley.

6. The 'biggest data breach of its kind' - T-Mobile

Ever received a cold call from someone asking you about something you coincidentally had on your list of things to sort out, and wondered how this magical person found the perfect time to get in touch with you and offer you a deal you couldn't refuse? Well, it's obvious to many of us now (and may have been in 2009 too), and yet this still helped T-Mobile's rival firms six years ago.

You see, in 2009, before the days of EE, T-Mobile had found that personal details of thousands of mobile phone customers had been stolen and sold to rival firms.

A T-Mobile employee sold the customer records - including details of when contracts expired - for "substantial sums", according to the ICO. Rival mobile phone operators and retailers then tried to lure away T-Mobile customers by cold-calling them. A cunning idea, which ultimately fell flat on its face. The information commissioner warned anyone with access to thousands of customer details who thinks that using them for personal gain will go undetected that there is "always an audit trail".

A court later heard that Darren Hames, 39, stole about 500,000 items of data from T-Mobile, where he worked as an area sales manager, and passed them to David Turley, who had set up his own business to cash in on the scam. They both pleaded guilty and were ordered to pay back £45,000 and £28,700 respectively, as well as costs towards the case, in what was reportedly 'the biggest data breach of its kind'.

5. Escaping with £1.3m by using a £10 keyboard-video-mouse device

When you hear about some of the biggest heists in history, you can recognise the complexity that has gone into the plan, and the sophistication of the tools that were used.

And while many will purr over the 'high-tech' gadgets used by a crime gang who stole £1.3m from Barclays Bank, one of the tools was a keyboard-video-mouse (KVM) device which can be bought online for as little as £10.

Nevertheless, the gang managed to siphon off the cash from customer accounts at Barclays' Swiss Cottage Branch in April 2013 after planting the KVM device which gave them remote control of the bank's computers.

One of the gang had posed as an IT engineer and deployed the KVM at the branch. But while the audacious cyber-heist may seem well thought out, those behind it did not get away scot-free: they were arrested several months later.

Tony Colston-Hayter, dubbed the 'Acid House King', was jailed for five-and-a-half years in April last year, and the eight other gang members were jailed for more than 18 years in total at Southwark Crown Court.

A similar plan was thwarted at the Santander branch in Surrey Quays shopping centre.

4. Morrisons employee leaks data of 100,000 staff because of a grudge

Yes, the story is as stupid as the title. Andrew Skelton, 43, leaked the details of nearly 100,000 Morrisons staff. Why? Because of a grudge he had against the company over an incident where he was accused of dealing in legal highs at work - he was incorrectly disciplined for receiving packages at the company's head office in Bradford. He was merely using the mailroom to buy and sell goods on eBay.

Skelton thought the best way to "get even" with Morrisons would be to publish the database containing employee names, addresses, bank account numbers and national insurance numbers online, as well as sending it to journalists of several newspapers.

That'll show them!

Unfortunately for Skelton, his plan was short-lived, as the journalists alerted police and the company to the breach, resulting in Skelton's quick arrest.

He has since been sentenced to eight years in jail.

"The potential loss to his victims and the sheer quantity of potentially compromised data was very significant and could have resulted in employees' identities being stolen," said David Holderness from the Crown Prosecution Service.

The data breach is said to have cost Morrisons more than £2m to rectify. Ouch.

3. 2.4 million customers' personal details exposed

A staggering 2.4 million Carphone Warehouse customers' personal details may have been accessed in a cyber-attack, the mobile phone retailer revealed in August. And up to 90,000 customers may have had their encrypted credit card details accessed.

The cyber-attack affected a part of Dixons Carphone which operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites - it also provides services to iD Mobile, TalkTalk Mobile, Talk Mobile and some Carphone Warehouse customers.

What irked Carphone customers is that the firm first became aware of the problem on 5 August, but took 72 hours to tell those customers affected to cancel their credit cards. The firm also reportedly had been under attack for a while (potentially up to two weeks) before Carphone discovered the assault on 5 August. This shows not only a worrying lack of urgency from the firm to keep consumers in the loop, but also evidence that the firm did not have the right tools in place to notice the attack quickly enough.

What's worse is that the firm was hacked at the end of 2014 and reassured customers that it would constantly test its systems and processes using external security consultants.

"Please rest assured that your sensitive information of date of birth, bank, or credit card details have not been illegally accessed," the warning email added. Yet, six months later, systems run by Carphone Warehouse for its demerged communications arm TalkTalk were also hacked - this time with a release of customer data that, the company admits, included unencrypted personal information. Computing questioned why, if the organisations really did employ external security consultants, customers' passwords were apparently stored in plain text - as TalkTalk's own customer care team admitted last month on Twitter, after the attack.

2. The Sony hack

Which one, you may ask? Well as this is UK-specific, we're going to go for the PlayStation Network security breach of April 2011 which affected UK users*. The PSN attack saw hackers expose personal details about millions of customers, including names, email addresses, home addresses and dates of birth. At the time, Sony said it couldn't guarantee that some credit card information hadn't been stolen and advised PlayStation users to take precautions with their accounts.

The firm took a staggering seven days to alert PSN users to the attack, and claimed that this was because it was carrying out forensic analysis and had not yet understood the extent of the intrusion. The ICO found that the breach could have been prevented if the information of up to 70 million users had been more securely stored and its software had been more up to date.

After labelling the breach as one of the most serious there had ever been, the ICO handed out a £250,000 fine to the Japanese firm. The ICO's deputy commissioner and director of data protection, David Smith, said that there was no disguising the fact that this was a business that should have known better.

At the time, Sony said it "strongly disagreed" with the verdict and would appeal against the fine. But several months later it said it would drop the appeal - with the (nonsensical) claim that continuing to fight against the £250,000 fine could risk exposing sensitive information about its own networks.

"This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding," a Sony spokesperson said.

*yeah, we know Sony isn't a UK business

1. Banks paying the penalty for data breaches

We mentioned earlier that all of the UK's major banks and lenders have reported data breaches in the last two years, and it's no surprise given that some of the biggest fines handed out for data protection breaches have been in the financial services industry.

Back in 2007, the Financial Services Authority (FSA) fined Nationwide Building Society a whopping £980,000 for failing to have effective systems and controls to manage its information security risks, following the theft of a laptop from a Nationwide employee's home in 2006. The FSA also discovered that Nationwide was not aware that the laptop contained confidential information on 11 million account holders, and did not start an investigation until three weeks after the theft - unbelievable.

Bizarrely, as Nationwide agreed to settle the fine at an early stage it was given a 30 per cent discount - without the discount the fine would have been £1.4m. Meanwhile, Norwich Union was fined £1.26m after its systems failures allowed fraudsters to access information on 3.3 million customers and to impersonate them in order to obtain sensitive information from call centres.

Then in 2009, HSBC was fined an eye-watering total of £3m after several issues, including a floppy disk and a CD containing unencrypted customer data being sent by post or courier to third parties, hard copies of confidential data not being locked away, and staff not being sufficiently trained. Figures from a Freedom of Information request made by Egress Software revealed a staggering 585 incidents reported to the ICO during 2014 alone from the UK financial services industry, and 791 since the start of 2013.

So the industry with the information many consumers find most important is doing its best to (not) keep your data secure - a massive congratulations goes out to all of them!
