At the start of 2018, the hottest business topic was the General Data Protection Regulation (GDPR). At the time it was perceived as the holy grail of data protection legislation, something that would avert many future data security breaches.
Having worked with over 200 businesses this year, we can heartily say that the focus on information and cyber security has increased. However, there is still plenty of work to be done, and security isn't a one-time, set-and-forget exercise. 2018 has marked a full awakening from the boardroom to the shop floor, and the combination of appropriate technology and policy, endorsed and supported by management, is delivering results.
Having said that, this year has also brought some of the most significant data breaches and security incidents of our time. From sensitive customer data and rogue employees leaking swathes of confidential information, to failures of the integrity and availability of data, here's a rundown of the top incidents of the year.
Facebook & Cambridge Analytica
The largest and most complex personal data incident of the year, with ramifications that are still being understood in both the business and political worlds. This is going to rumble on over the next few years as more information continues to come to light, with both the ICO (Information Commissioner's Office) and Parliament taking a very close interest. Fundamentally, personal data on Facebook was harvested by Cambridge Analytica through a third-party app built on Facebook's developer platform, which collected data not only from the people who used the app but from their friends as well. In early July 2018, the ICO announced it intended to fine Facebook £500,000, the maximum available under the pre-GDPR Data Protection Act 1998, on the grounds that Facebook "contravened the law by failing to safeguard people's information".
Starwood Group - The largest data breach in history?
Could the 500 million guest records exposed in the Starwood Group's hotel reservation database be the biggest and widest-reaching data breach in history? Attackers had access to the system from 2014 until the intrusion was discovered in September 2018, and the data stolen included sensitive customer information such as passport numbers and payment card numbers, so trust in more than 30 of the world's best-known hotel brands has taken a huge dent. I'm sure more details will come out in 2019 of how a prolonged and sustained intrusion lasting four years managed to continue without being noticed.
British Airways - Customer data leak and grounded flights
BA have had a particularly challenging couple of years, with several significant incidents. If we think of the information security principles of CIA (Confidentiality, Integrity and Availability), BA's data centre outage in May 2017 had a massive impact on the availability of their systems. The real-world impact was borne by passengers: 726 cancelled flights over three days and more than 75,000 passengers left stranded. Further down the line, an issue with a supplier's IT system in July 2018 inflicted frustration on even more customers travelling with the airline.
In September, BA experienced a further incident, described as a "malicious security breach", in which key customer information including names, email addresses and payment card data was taken. From the details released publicly, this appears to have been a client-side skimming attack, sometimes loosely described as a man-in-the-middle (MITM) attack: malicious script on the payment page copied the data as customers submitted it on the British Airways website, so it was captured before it ever reached BA's servers. For the 380,000 card payments affected between 21st August 2018 and 5th September 2018, this has potentially huge consequences for card fraud, because the skimmed data included the CVV, the 3- or 4-digit card verification code, which a merchant or card processor is not permitted to store after a transaction has been authorised. A skimmer that reads the form at submission time sidesteps that rule entirely, because it sees the code before it is ever discarded.
Morrisons - Company liable for a data breach by an employee
While a high number of threats come from outside the business, the internal risk from disgruntled employees can be just as serious, as Morrisons supermarket discovered in 2014. The salary and bank details of nearly 100,000 employees were illegally leaked by a senior internal auditor at the company's head office. The question of whether the company was liable for its former employee's actions then went to the courts: the High Court found Morrisons vicariously liable for the impact of the leaked information on its employees, and in October 2018 the Court of Appeal upheld that landmark ruling, leaving the door open for similar claims to be pursued in the future.
TSB - IT transition gone wrong
TSB and its parent Sabadell undertook one of the most complex and challenging migrations attempted by any IT team in the financial sector this year. In 2015 Lloyds sold TSB to Sabadell, a Spanish banking group, but continued to host TSB customer accounts on Lloyds' systems until April 2018, when the process of transferring the TSB accounts to Sabadell's own IT platform was put in motion. As the migration of 5.2 million bank accounts began on Friday 20th April, customers soon knew that all was not well. There were widespread reports of customers being unable to access their accounts or withdraw money, and some reported being shown other customers' account details once they did get in, so the incident damaged confidentiality as well as availability. By Monday morning TSB was trying to play down the problems, but the regulators and the Treasury Select Committee were not impressed. After weeks of problems and additional costs of more than £175 million, this may be the most costly IT incident of the year in the banking industry, both financially and in reputational terms, even though no outside attacker was involved.
Ticketmaster UK - Credit cards galore
Ticketmaster is the most prolific ticket sales site online, yet even that hasn't prevented it from compromising the details of around 40,000 UK customers. In an attack that ran from April 2018 through to June 2018, customer details including names, addresses and payment card information were stolen. The system that was compromised wasn't directly one of Ticketmaster's own: a third-party chatbot embedded on its website was modified with malicious code, and because that script ran in customers' browsers on Ticketmaster's pages, it was able to read the details customers were submitting in the site's forms. This is the same third-party script supply-chain weakness that appears to have been used against British Airways, and it is why any script loaded from an outside provider onto a payment page deserves the same scrutiny as the payment code itself.
One interesting twist on this story was that the challenger bank Monzo was the first to detect unusual activity, having noticed a pattern of fraud on cards that had all been used at Ticketmaster, and advised Ticketmaster to investigate; that warning went unheeded. Monzo proactively protected its customers by automatically cancelling and reissuing the cards of everyone who had made a purchase via the Ticketmaster website.
2019 will hopefully be a better year for cyber security, especially as companies fully get to grips with data protection regimes such as GDPR. Our one piece of advice would be to continually review internal data protection policies and keep an eye on news articles from online publications like this one and on blog posts from companies like ours.
Steve Wright, Head of IT Server Administration and Head of Network Infrastructure, 4D Data Centres