The top 10 UK data-breach stories of 2015

The worst data breaches and the biggest security stories of 2015

Data breaches are becoming ever bigger and more commonplace, with companies in the UK being hit every bit as comprehensively as those in the US, such as Target, JPMorgan Chase and OPM.

And organisations are still struggling to come to terms with the risks - how likely they are to be targeted, attacked, and the consequences of those attacks.

Computing has compiled the top-10 data breach stories: identifying some of the biggest breaches this year in the UK, as well as other stories that give a clearer indication of how organisations have been affected this year by data breaches.

Before we start, a special mention has to go to the crafty people who, in a survey, said they would sell their company's valuable intellectual property for between £1,000 and £10,000. Even more shameless - and cheap - is the one per cent who said they'd sell it to persons unknown for just £100. No wonder companies say the biggest security risk is people, rather than technology!

Note: Computing has also had its say on the 10 biggest corporate cyber security blunders ever and the 10 worst ever government data breaches.

10. TalkTalk admits it was breached in 2014

In February this year, TalkTalk finally confirmed in an email to customers that their personal details had been compromised in a successful hack perpetrated at the end of 2014.

Personal data stolen from TalkTalk in the attacks included names, addresses, phone numbers and account numbers.

Furthermore, the company admitted that the information had already been used in cases of attempted identity theft, with scammers using the data to try and get bank account, credit card details and other information from customers.

The company claimed that other sensitive details, such as bank account and credit card numbers used to pay for TalkTalk accounts, were not compromised.

It said it only became aware of the attack following complaints from customers about bogus cold calls from scammers, quoting account numbers, claiming to be from the company.

Little did TalkTalk - or indeed its customers - know that this was just a sign of things to come.

9. A staggering 4,000 data breaches occurred in local councils in just three years

That's right, more than 4,000 data breaches (4,236 to be precise) occurred in local councils in a three-year period (between April 2011 and April 2014), a damning report by Big Brother Watch revealed.

Its A Breach of Trust report found that there were at least 401 instances of data loss or theft, and 628 instances of incorrect or inappropriate data being shared on emails, letters and faxes and, in one instance in Cheshire East, a CCTV operator watched part of the wedding of a member of the CCTV team.

Meanwhile, research by Iron Mountain found that 40 per cent of IT leaders in the public sector had suffered a data breach, with 61 per cent admitting that their organisation had lost or misplaced important documents.

What will be interesting is whether in 2015 and, indeed, the years to come, we'll see an improvement in this area.

8. More than 170 law firms investigated by ICO over data breaches in 2014

Yes, once again, this is about data breaches that have occurred before 2015 - but it wasn't until a Freedom of Information request made by encryption software specialist Egress Software that we found out that so many law firms had been under investigation.

It followed a warning from the ICO back in August 2014 to barristers and solicitors to keep personal information secure, especially paper files (so much for organisations 'going digital'), after a spate of data breaches were reported to the Information Commissioner involving the legal profession.

7. ALL of the UK's major banks and lenders have reported data breaches in the past two years

It's not just local authorities and law firms that are suffering from data breaches. In June, we found out that all of the UK's major banks and lenders had reported data breaches to the Information Commissioner's Office in the past two years, with a whopping 585 incidents reported to the ICO during 2014 alone, and 791 since the start of 2013.

This means that Barclays, HSBC, Lloyds Banking Group, NatWest, Nationwide and Santander have all been in touch with the ICO about data breaches within the past couple of years. That won't give consumers - who probably trust banks more than any other organisation with their data - much confidence.

6. EU agrees to peg data breach fines at four per cent of global turnover

Of course, there has to be a mention of the impending EU General Data Protection Regulation (GDPR), which at this rate will come into force in around 2050*.

Earlier this month, leaked plans suggested that businesses could be fined up to four per cent of their annual global turnover for breaching new EU data protection laws.

Last week, those plans were given the thumbs up, meaning that large companies could suffer gigantic fines in the years to come. Hopefully, this will mean a greater focus on data protection from the companies and, as a result, a decrease in the number of data breaches.

*GDPR is actually meant to come into force in 2018

5. Three-quarters of customers would reconsider using a company in event of data breach

The repercussions of a data breach can have a lasting effect on a business. It isn't just the amount they have to pay to fix the problem, beef up the security and compensate those affected, but the tarnished reputation that may leave customers with no choice but to jump ship to a competitor.

And according to research by professional services firm Deloitte, nearly three-quarters (73 per cent) of consumers say that they would reconsider using a company if it failed to keep their personal data safe from cyber criminals and hackers.

More than one-fifth (21 per cent) of UK consumers said they had been financially affected by cybercrime, while 39 per cent said they had had personal data stolen or deleted after being compromised by malware.

4. ICO investigating 56 Dean Street clinic for disclosing details of 780 HIV patients in data breach

While the sheer number of data breaches in certain industries may have an element of shock, nothing administers a shock to the system quite like a case in which sensitive patient health data is exposed.

In September, it was found that London sexual health clinic, 56 Dean Street, revealed the names and contact details of almost 800 HIV positive patients.

Many of us have been unfortunate enough to click 'reply all' on an e-mail in which we were only meant to reply to the sender. This is similar, but only a million times worse.

The clinic accidentally disclosed the information when an email newsletter for the clinic's Option-E online service was sent out en masse, rather than to individual recipients.

Dr Alan McOwen, Chelsea and Westminster Hospital NHS Trust's director for sexual health, apologised in an email to patients, explaining that the organisation "recalled/deleted the email as soon as we realised what had happened".

"If it is still in your inbox please delete it immediately," he added.

McOwen was definitely right when he said that the incident was "completely unacceptable". He added that the clinic was urgently investigating how the breach happened, and promised it would take steps to ensure it never happened again.
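The failure behind the 56 Dean Street incident is a single message carrying every recipient in its visible headers. As an added example (not the clinic's, the Trust's or any vendor's code), the sender below builds one message per recipient and a guard refuses any message whose To/Cc headers would expose more than one address; the addresses and sender name are constructed placeholders.

```python
"""Guard against a sensitive mailing going out as one message with every
recipient visible in To/Cc.  Added example; names and addresses are
hypothetical placeholders, not real patients or a real clinic."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list for the demonstration (not real people).
SAMPLE_RECIPIENTS = ["a@example.org", "b@example.org", "c@example.org"]
SENDER = "newsletter@clinic.example"  # hypothetical sender


def visible_recipients(msg: EmailMessage) -> list:
    """Every address a recipient would see in the To and Cc headers."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(raw) if addr]


def is_safe_to_send(msg: EmailMessage, max_visible: int = 1) -> bool:
    """True only if the message exposes no other recipient's address.
    For a sensitive list the sole acceptable visible address is the
    one person this copy is addressed to."""
    return len(visible_recipients(msg)) <= max_visible


def build_bulk_message(recipients, body: str) -> EmailMessage:
    """The failure mode: one message with everyone listed in To."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = "Service update"
    msg.set_content(body)
    return msg


def build_per_recipient_messages(recipients, body: str) -> list:
    """The mitigation: one envelope per recipient, nobody else visible.
    Each copy is checked before it would be handed to the mail server."""
    out = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = "Service update"
        msg.set_content(body)
        if not is_safe_to_send(msg):
            raise ValueError(f"refusing to send: {visible_recipients(msg)}")
        out.append(msg)
    return out
```

The same check belongs in front of whatever actually sends, so that a mailing tool misconfigured to address a list directly is stopped before the first message leaves.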

3. 'Poisonous' online pharmacy Pharmacy2U fined by ICO for illegally selling NHS patient data

What's worse than accidentally breaching the Data Protection Act (DPA)? Oh yeah, breaching it on purpose.

In October, the ICO fined the UK's largest online pharmacy, Pharmacy2U, a total of £130,000 for illegally selling customer details and flagrantly breaching the DPA.

The firm had offered information, such as customer names and addresses for sale, through an online marketing-list company. The details were purchased by a number of organisations with questionable track records, including an Australian lottery company subject to investigation by Trading Standards. Pharmacy2U hadn't given customers any indication that it intended to sell their private details and customers hadn't provided permission for the information to be sold.

"Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable," said ICO Deputy Commissioner David Smith.

Phil Booth, co-ordinator of privacy campaigners medConfidential, suggested that six-figure fines alone weren't enough to stamp out what he deemed a 'poisonous trade'.

"Those who profiteer from patients' data are predators and should face prison when they are caught," he suggested.

He may have a point.

2. Who's to blame for a data breach?

It's a question that everyone has a different answer to. While some, such as Reckitt Benckiser CIO Darrell Stein, are willing to take full accountability for a data breach, others, such as Johnson Matthey CIO Patrick Seeber, suggest that the CISO or CFO ought to be held accountable instead.

Of course, much depends on the organisation at hand. At Computing's Enterprise Security & Risk Management Summit, Neil Thacker, information security and strategy officer EMEA at Websense, suggested that everyone in an organisation should "own" a data breach, so that the blame isn't pinned on any one person.

The question was brought to light further as a result of the TalkTalk hack. At an inquiry at the House of Commons earlier this week, TalkTalk CEO Dido Harding admitted that she was responsible for security at the time of the attack.

However, the Culture, Media and Sport Select Committee wasn't happy with that answer and questioned how Harding could be responsible for security when she was supposed to be running the company. Harding refused to bow to their pressure and insisted that, despite several other line managers having responsibility for different aspects of security, it was she who was ultimately accountable. A brave way to go about it - and I'm sure that, at least internally, that decision has gone down well.

1. The TalkTalk hack

At an estimated cost of £35m, the TalkTalk hack is of course the biggest data breach story of the year. How the company could be caught out by a DDoS and a SQL injection attack at the same time is yet to be confirmed.

Due to a criminal investigation that is underway, Dido Harding said she couldn't get into the nitty gritty of it, and refused to be drawn on whether the attack was indeed as simple as has been reported.

What we do know is that 156,959 of its customers had their details accessed, with 15,656 having their bank account numbers and sort codes accessed. In addition, a further 28,000 'obscured' credit card and debit card numbers were accessed, although the company claimed that this information couldn't be used by cyber criminals. We also know that five young men have been arrested for the hack - all from different parts of the UK.

In an inquiry led by the Culture, Media and Sport Select Committee, Harding said all of the right things when it came to the company's security strategy, i.e. that cyber security was a board issue, that security was not a separate function but was spread across the organisation, and that the board does meet to discuss cyber security on a regular basis.

But, as one select committee member asked: how on earth did this cyber attack happen if you were doing everything right? Harding replied: "I'm not going to sit here and pretend we were perfect". She added that she wished, in hindsight, that the company had done more.

Well, that's what they all say after a data breach, isn't it?