Cyber Security Breaches

Cyber Security Breaches in the UK

So, what have we learnt about data breaches in the past year:

• 32% of businesses overall can recall a cyber breach or cyber attack within the last 12 months. This was 59% for medium businesses and 69% for large businesses.

• This is a drop of 18% for businesses compared to last year. This was driven by smaller organisations. Medium and large businesses remained at similar levels.

• The proportion of micro businesses saying cyber security is a high priority has decreased 15% since last year.

• It's estimated that the single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,100. For medium and large businesses, this was approximately £4,960.

Cyber accreditations and following guidance

Relatively few organisations at present are adhering to recognised standards or accreditations, such as Cyber Essentials or ISO 27001.

• 49% of businesses report seeking information or guidance on cyber security from outside their organisation in the past year, most commonly from external cyber security consultants, IT consultants or IT service providers.

• 14% of businesses are aware of the NCSC's 10 Steps guidance. This rises to 32% for medium businesses and 44% for large businesses. 37% of businesses have taken action on 5 or more of the 10 Steps. This is much more common in medium businesses (75%) and large businesses (89%). Only 2% of businesses have enacted all 10 Steps, increasing to 7% for medium businesses and 20% for large businesses.

• 9% of businesses report adhering to ISO 27001. This is again higher among large businesses (27%).

• 14% of businesses are aware of the Cyber Essentials scheme. This rises to 50% for medium businesses and 59% for large businesses.

Risk management and supply chains

• 29% of businesses have undertaken cyber security risk assessments in the last 12 months. This rises to 51% for medium businesses and 63% for large businesses.

• A similar proportion of businesses deployed security monitoring tools (30%). 53% for medium businesses and 72% for large businesses.

• 37% businesses report being insured against cyber security risks. This rises to 63% for medium businesses and 55% for large businesses. Cyber insurance appears more common for medium businesses than large ones.

• 13% of businesses say they review the risks posed by their immediate suppliers. This rises to 27% for medium businesses and 55% for large businesses. The latter result is up 25% from 2022.

Cyber hygiene

The most common forms of cyber hygiene are:

• Updated malware protection

• Cloud back-ups

• Passwords

• Restricted admin rights

• Network firewalls

Some areas of cyber hygiene have seen consistent declines among businesses in the last 2 years.

They include:

• 11% drop in the use of password policies (79% in 2021, vs. 70% in 2023)

• 15% drop in the use of network firewalls (78% in 2021 vs. 66% in 2023)

• 11% drop in restricting admin rights (75% in 2021, vs. 67% in 2023)

• 28% drop in policies to apply software security updates within 14 days (43% in 2021, vs. 31% in 2023).

These trends mainly reflect shifts in the micro business population and, to a lesser extent, small and medium businesses.

Large business results have not changed.

Source: Cyber Security Breaches Survey 2023

Notable Cyber Security breaches of 2023

Let's take a look at the most notable data breaches of 2023:

November data breaches

Samsung data breach

Samsung Electronics, a global leader in appliances and consumer electronics, recently alerted its UK customers to a cyber attack targeting those who shopped at their UK online store between 1 July 2019 and 20 June 2020. The breach, resulting from a vulnerability in a third-party application used by Samsung, potentially compromised personal details such as names, phone numbers, email, and postal addresses, but did not include financial records or passwords. Samsung has confirmed that this incident is limited to UK customers, with customer and employee data in other regions remaining secure.

British Library data breach

The British Library in London, the UK's national library, has experienced a significant cyber attack leading to data loss. Discovered when compromised low-resolution images surfaced on the dark web, the attack on 31st October has caused the library's website to shut down. The ransomware group Rhysida claimed responsibility, threatening to auction stolen data, including passport scans, for 20 bitcoins (around £596k). In response, the British Library advises customers to change their login details, and is working closely with the National Cyber Security Centre to assess and mitigate the attack's impact.

October data breaches

Sony data breach

Sony Interactive Entertainment has issued a formal notification to approximately 6,800 individuals, encompassing both current and former employees as well as their family members, concerning a potential compromise of personal data earlier this year. In October, it was discovered that cyber attack had exploited a zero-day vulnerability in the MOVEit transfer platform, leading to Sony issuing a data breach notification.

The exploited vulnerability, identified as CVE-2023-34362, has been implicated in extensive cyber attacks. Notably, the ransomware group Clop utilised this vulnerability to extract data from Sony. The initial breach incident occurred in June, but Sony delayed releasing a public statement until October.

Prior to this, on 31 May, MOVEit disclosed a vulnerability in its transfer software. This software is utilised by Sony along with numerous other businesses and organisations, several of which have reported data breaches following this disclosure. On 28 May, two days before the official announcement from MOVEit, Sony had already begun issuing notifications to affected parties, indicating that certain SIE files had been downloaded from its MOVEit platform. This vulnerability was reportedly addressed and resolved in early June, subsequent to which the platform was temporarily taken offline.

Air Europa data breach

In October 2023, Air Europa, Spain's third-largest airline and a member of the Sky Team Alliance, experienced a significant cyber attack targeting its online payment system. Security analysts have determined that this cyber attack persisted for approximately nine days, impacting roughly 110,000 customers.

During this breach, attackers successfully obtained sensitive customer data, including card numbers, expiration dates, and CVV codes. Air Europa promptly notified affected customers about the data breach and recommended the cancellation of any credit cards used on their system. There is evidence to suggest that the data acquired in this attack has been offered for sale on the dark web. Air Europa has accepted full responsibility for the breach, although the identity of the attackers remains unknown, with no claims of responsibility from any known hacking groups.

Casio data breach

Casio, a renowned Japanese electronics company, has disclosed a data breach affecting customers across 149 countries. The breach, which targeted the servers for Casio’s ClassPad education platform, was first detected on 11 October following an issue with a ClassPad database. By 12 October, it was confirmed that unauthorized access to personal customer information had occurred. This information includes names, email addresses, countries of residence, and purchase details such as payment methods and licence codes.

In total, it has been disclosed that 91,921 Japanese customer credentials were accessed, including those of 1,108 educational institutions. Additionally, records of 35,049 international customers from 148 different countries and regions were compromised in this breach.

September

Ministry of Defence data breach

In August 2023, the LockBit ransomware group, based in Russia, breached the UK’s Ministry of Defence (MoD) through MoD contractor Zaun, a Wolverhampton fencing system manufacturer. The cyber attack led to the release of thousands of sensitive documents online. The compromised data includes information on key military and security sites, such as the Porton Down chemical weapon laboratory, HMNB Clyde nuclear submarine base, and a GCHQ surveillance station. Additionally, detailed blueprints and site maps of crucial military locations, including some British Army and Category A prison facilities, were exposed.

Save the Children data breach

Save the Children fell victim to a cyber attack by the ransomware group BianLian in September, with 6.8TB of data stolen, including personal, HR, and financial records. Despite the breach, the charity, which employs 1,300 staff in 100 countries, assured that their operations remained unaffected. They are currently working with cybersecurity experts to investigate and reinforce their data protection measures.

Airbus data breach

Airbus is investigating a data breach after a hacker, using the alias 'USDoD', claimed to have posted personal information of 3,200 Airbus employees on the dark web. Cybercrime intelligence firm Hudson Rock reported the breach, which apparently originated from a compromised Turkish Airline employee's account. The stolen data includes email addresses, job titles, and contact details of affected employees.

August data breaches

Metropolitan Police Service data breach

The Metropolitan Police Service is investigating a potential data breach involving unauthorised access to their print supplier, Digital IT’s IT system. Sensitive data compromised includes officers' names, ranks, photos, vetting levels, and pay numbers. Digital IT, which also produced ID cards for entities like the BBC, ITV, Mitie, and Royal Mail, noted that the breach did not affect those organisations as they load data in-house.

Duolingo data breach

In January 2023, data from 2.6 million Duolingo users was offered for sale on the now-defunct Breached hacking forum for $1,500. The leaked data includes both public (login and real names) and private (email addresses and internal service data) information. The exposure of email addresses raises concerns about a potential targeted cyber attack on users.

Electoral Commission data breach

The UK Electoral Commission disclosed a breach from August 2021, discovered in October 2022, which exposed data of 40 million voters. The identity of the attackers remains unknown, with speculation ranging from a state actor to cybercriminals. The breach involved access to electoral registers from 2014 to 2022 but is considered unlikely to impact election outcomes due to the UK's paper-based election system.

PSNI (Police Service of Northern Ireland) data breach

In August, the PSNI experienced a data breach where details of all serving members and staff were accidentally published online for about three hours following a Freedom of Information request. This breach included surnames, initials, ranks, work locations, and departments, but did not reveal private addresses. It notably exposed officers in sensitive units, including those stationed at the MI5 HQ in Northern Ireland.

May

Tesla data breach

Cyber Security News reports a significant data leak at Tesla, involving thousands of safety complaints. The leak, originating from a whistle-blower who handed over approximately 100GB of data to the German newspaper Handelsblatt, includes over 2,400 complaints about self-acceleration and 1,500 about brake issues in Tesla's Full Self-Driving features from 2015 to March 2022. The whistle-blower provided 23,000 files, detailing safety concerns, over 1,000 collision accounts, and sensitive customer and employee information such as phone numbers, salaries, and bank details.

Capita data breach

Capita, a key outsourcing and professional services firm, experienced a cyber attack impacting about 90 organisations, including services for local councils, the military, and the NHS, leading to significant IT outages in March 2023. The Pension Regulator (TPR) has contacted over 300 pension funds to assess the impact.

Additionally, The Guardian reported a second breach in May where Capita inadvertently left benefits data in publicly accessible storage. This breach has led to several councils reporting compromised data. The Information Commissioner’s Office (ICO) is advising organisations using Capita’s services to assess the impact of these data breaches.

April data breaches

American Bar Association (ABA) data breach

Bleeping Computer reports that the American Bar Association, the world's largest legal professional association, experienced a data breach affecting 1,466,000 members. This breach, detected on 17 March following unauthorised access on 6 March, potentially exposed outdated member login credentials from a system decommissioned in 2018. Although these credentials were hashed and salted, there's a risk of misuse over time, particularly if members haven't updated their original passwords.

Kodi data breach

In February, an inactive Kodi MyBB forum admin account was compromised, leading to the theft of user records and private messages. According to The Hacker News, the breach affected 400,635 users, exposing forum posts, user messages, and general credentials, including encrypted passwords. The data was later offered for sale on the now-defunct BreachForums. Kodi has taken down its MyBB forum and plans to relaunch with a new server and updated software. A global password reset is underway as a precaution, and users are advised to update their passwords on other sites if they match their Kodi forum credentials. Enhanced security measures, particularly around admin access, are being implemented to prevent similar incidents.

March

PayPal data breach

PayPal experienced a security breach in December 2022, affecting the personal and financial details of nearly 35,000 users. It was reported that the breach, occurring between 6 and 8 December, was fully investigated by 20 December. Affected users were notified on 23 January about potential exposure of sensitive data, including social security and bank account numbers, along with PayPal balances. The method of credentials acquisition remains unspecified by PayPal. In response to user dissatisfaction and ensuing lawsuits, PayPal has offered free credit monitoring and identity theft protection services and advises users to update passwords and monitor for any unusual account activity.

AT&T data breach

AT&T informed BleepingComputer that the Customer Proprietary Network Information (CPNI) of approximately 9 million wireless customers may have been accessed. This data includes names, account and phone numbers, email addresses, and certain details about rate plans and payment history. The exposure reportedly relates to device upgrade eligibility checks and was not due to a compromise of AT&T's systems.

February

TMX Finance data breach

TMX Finance, a Canadian financial company, began notifying 4,822,580 customers of a data breach on 30 March. Bleeping Computer reports that the company detected suspicious activity on 13 February, with customer data, including social security and driver’s licence numbers, financial, and tax information, likely compromised between 3 and 14 February. While TMX believes the situation is now under control, they are enhancing security measures and offering affected customers a free 12-month identity protection service through Experian, including a security freeze.

TruthFinder & Instant Checkmate data breach

BleepingComputer revealed that on 21 January, a 2019 backup database of PeopleConnect’s background check services, TruthFinder and Instant Checkmate, was leaked. This database contained information on 20.22 million users, with customer accounts dating from 2011 to 2019. The data includes personal information and encrypted passwords, along with expired or inactive password reset tokens, but no payment details or user data.

January data breaches

JD Sports data breach

JD Sports informed the Information Commissioner’s Office about a data breach affecting roughly 10 million online customers, including those shopping at Size?, Blacks, and Millets at the end of 2022. The breach compromised limited data, including names, phone numbers, order details, and the last four digits of payment cards. Full payment details were not exposed. JD Sports is currently working with cybersecurity experts to investigate and prevent future incidents.

T-Mobile data breaches

T-Mobile experienced a security breach detected on 5 January, with the company responding within 24 hours to halt the malicious activity. The breach, part of a series of security incidents since 2018, compromised customer data from 37 million accounts dating back to around 25 November 2022. The accessed information included names, birth dates, and phone numbers. However, it was reported that passwords, PINs, bank account, credit card information, social security numbers, and other government IDs were not disclosed.

Zurich Insurance (car insurance) data breach

A data leak at Zurich Insurance affected 757,463 holders of the "Super Automobile Insurance" in Japan. The breach, originating from an external service provider, exposed names, gender, birth dates, email addresses, and policy numbers. The Switzerland Times confirms that customers outside Japan were not impacted, and crucial financial data like credit card and bank account information remained secure.

Final Thoughts

As we reflect on the cyber security landscape of the past year, it's clear that cyber threats remain a persistent and evolving challenge, especially for SMEs.

While larger organisations have maintained their vigilance, the decrease in cyber security prioritisation among smaller businesses is a growing concern. The drop in adherence to cyber hygiene practices, such as password policies and network firewalls, signals a potential vulnerability that could have far-reaching implications for your business's security and reputation.

Notably, the significant financial impact of the most disruptive breaches underscores the economic risks of cyber incidents. This, coupled with the notable breaches of 2023, ranging from major corporations to public sector entities, highlights that no organisation is immune to cyber threats.

Therefore, it's crucial for you to re-evaluate and bolster your cyber security strategies. This includes considering accreditations like Cyber Essentials or ISO 27001, which are currently underutilised. Embracing the NCSC's 10 Steps guidance and undertaking regular cyber security risk assessments should be integral parts of your approach. Additionally, investing in cyber insurance and scrutinising your supply chain's security posture can provide an added layer of protection.

Remember, cyber security is not a one-off task but an ongoing process that evolves with the threat landscape. Let's commit to making cyber security a top priority and ensure the safety and success of our businesses in the ever-changing digital world.