Stealing, stalking, and security breaches

Five companies that paid the price for data theft

The next event in our business security series focuses on data security and how to prevent breaches within your organisation. This is a topic that gets a lot of publicity even outside of technological circles, with companies making national news headlines for any breaks in their data protection systems. In this case, all publicity is not good publicity. In this blog we’ll take a look at some of the most infamous data breaches that have occurred in recent years.

Under the Data Protection Act and GDPR it is ‘illegal for individuals to access personal data without authorisation’. This applies to employees working within a business who may try to access or steal data to use or sell outside of the organisation. There is also an obligation for companies to ensure data is managed securely, and to protect ‘against unauthorised or unlawful processing and against accidental loss, destruction or damage.’ These are important points to bear in mind, as all too often data breaches occur from within, so companies need to assess the way data is handled by staff and ensure policies are in place to protect that data while still allowing employees to work efficiently.

Here are five major cases that have caught the headlines recently:


  1. EE data breach leads to stalking – 2018

An EE customer was stalked by an ex-partner who worked at the company, after he accessed her personal data without permission. The customer had moved to a new address and the employee accessed the database to find out the details before turning up on her doorstep. He also switched her information on the system to enable him to apply for official documents in her name. EE admitted that its own internal security policies had not been followed and the customer had to involve the police. The employee was eventually arrested for harassment and no longer works for EE.

 

  2. Marriott hacking exposes data of 383 million guests – 2018

The biggest embarrassment for Marriott in this case was that the intrusion into their data management systems had gone unnoticed for four years, until a security tool gave an alert which prompted Marriott to work with outside security experts, who discovered it began in 2014. The scale of the breach was enormous, with personal data including names, credit cards and passport numbers of 383 million guests. This is a larger amount of information than would be expected in a ‘normal’ hack, and the fact that none of the information has yet appeared for sale on the dark web suggests the information is being used for state intelligence purposes.

 

  3. Vision Direct credit card details stolen – 2018

In an attack that lasted five days, personal information such as full names, addresses, phone numbers, email addresses and passwords, as well as customers’ financial details including the CVV security code, was stolen, totalling 100,000 records. Questions have been raised about whether the firm had been storing CVV codes against PCI standards, or whether the details were intercepted as customers made transactions.

 

  4. Cathay Pacific Airlines data breach affects 9.4 million passengers – 2018, fined in 2020

The airline was forced to admit that information including names, nationalities, birth dates, phone numbers, passport and identity card numbers was stolen. This breach caused Hong Kong’s privacy commissioner, Stephen Kai-yi Wong, to urge companies to improve protection of personal data, and his office began a compliance check of the airline. He also urged people to enable two-factor authentication to protect their data. In March 2020 it was revealed that the ICO had uncovered ‘a catalogue of errors’ including backup files that were not password protected, unpatched internet-facing servers and inadequate antivirus protection. The airline was fined £500,000.

 

  5. Texas Voter Records of 14 million people found on an unprotected server – 2018

A massive file containing 14.8 million records was left on an unsecured server without a password. Although it is unclear where the data originated, it’s the latest in a string of security incidents that have cast doubt on political parties’ abilities to keep voter data safe at a time when nation states are actively trying to influence elections. The data included names, addresses and several years’ worth of voting history.

How can businesses avoid the consequences of data theft?

Join us at our next event where we’ll be discussing data security (and what you can do to protect your organisation) in more detail. Guest speakers include police and legal experts with frontline knowledge of data thefts and their consequences. Sign up here.
