
2016 Cyber attacks review #Throwback #Lookout2017

2016 has been an interesting year for cyber crime, with companies like Yahoo, LinkedIn, Lynda.com, TalkTalk (again), Ashley Madison (fined $1.6 million for its 2015 data breach), KFC, Wells Fargo, MailChimp, AdultFriendFinder and Michael Page all making the headlines, to name a few.
It's Christmas time and I don't want to be the bearer of bad news, but it will get worse as the months and years go on, and as companies we can only be prepared and react to the best of our ability. A word to the wise: learn from others' mistakes. Communication is the key here, with customers and suppliers, both internally and externally. Many bury their heads in the sand; instead, make sure you have a robust and up-to-date incident response plan, governance, risk and compliance, runbooks and security awareness training, and that the security solutions you have are actually being used (or that the ones you need are in place).
EU GDPR will come into force by 2018, which gives another year to get your ducks in a row. It could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, and it brings a 72-hour breach disclosure deadline.
However, I wanted to pick a few UK companies that have hit our media over the last 12 months and give a brief outline of the type of attacks we have seen. Learn - don't repeat!
Tesco Bank - November
Over the weekend of 5-6 November, Tesco Bank was hit by a data breach which led it to suspend online transactions to prevent further criminal activity.
Tesco Bank confirmed that around 9,000 customers (just under 7% of its bank customers) were affected by fraudulent transactions, and all affected customers were fully reimbursed by the evening of Tuesday 8 November. The total cost of refunding these customers was estimated at £2.5 million.
National Lottery - November
Cyber criminals appeared to use passwords and email addresses from previous breaches to gain access to 26,000 online UK National Lottery accounts.
Camelot, the company behind the National Lottery, detected the scam and the subsequent attempted frauds and responded by locking down accounts, triggering compulsory password resets and contacting those affected directly. Although 26,500 accounts were compromised, Camelot has recently stated that only 43 saw any activity within the account, and that this was limited to some personal details being changed. The investigation is ongoing.
PayAsUGym - December
The company, which sells passes for gyms around the UK, acknowledged that 300,000 email addresses and passwords belonging to its members had been accessed last week.
PayAsUGym alerted its members to the security breach in an email which said "one of the company's IT servers was accessed by an unauthorised person".
It went on: "Although we do not hold any financial or credit card information, the unauthorised person could have accessed the e-mail address and password of our customers."
Three Mobile - November
More than 133,000 customer accounts were breached by fraudsters attempting to upgrade phones and steal the handsets to sell on.
Eight customers were unlawfully upgraded to a new device; in total, 133,827 accounts were breached.
The company said details, including names and addresses, had been accessed using a login to its database of customers eligible for a phone upgrade.
It said the breach then allowed upgrade devices to be "unlawfully intercepted".
Sage - August
The details of employees at around 280 UK businesses may have been compromised after software company Sage Group suffered a data breach. Criminal investigations are still ongoing to establish the exact figures.
Two days after news of the hack, a 32-year-old worker from Sage was arrested at Heathrow on suspicion of conspiracy to defraud.
Asked about potential reputational damage, chief executive Stephen Kelly said: “Our first port of call when it happened was to communicate with our customers… and I think they respect us for that.”
NCT charity - April
A childbirth charity has apologised to over 15,000 new and expectant parents after their registration details were accessed in a "data breach".
The National Childbirth Trust (NCT) sent a message saying their email addresses, usernames and passwords had been "compromised".
Ofcom
Ofcom has suffered the biggest security breach in its history after an ex-employee was caught offering confidential data on TV companies to his new employer, a major broadcaster.
The incident forced the media watchdog to send out dozens of letters explaining the breach to TV companies holding an Ofcom licence. It is believed the former employee managed to download as much as six years' worth of data, according to the Guardian.