A data breach is essentially the compromising of security leading to either accidental or unlawful intentions of leaking or obtaining data.
The access to this protected data, in turn, affects the confidentiality, integrity, and function of this compromised data.
When it comes to assessing the biggest data breaches UK, there has been a wide range of data breaches happening throughout history, in all different industries.
Below is a list of the top 10 biggest data breaches UK that we’ve found in a variety of industries, detailing what took place and how the organisations and their customers have been affected.
Top 10 Biggest UK Data Breaches 2024
#1. Dixons Carphone
This company is a well-known firm that runs popular tech outlets in the UK. These outlets include Currys, PC World, Carphone Warehouse, and more.
The Breach
The data breach took place in July 2017, where hackers obtained data records of these companies, compromising 1.2 million personal records, and 5.9 million payment cards.
105,000 non-EU issues cards were leaked and those without chip and pin protections faced a more serious risk to having their financial information extracted and hacked further from the Cyber attacks.
The Consequences
Shares in the Dixons Carphone company declined by 6% and continued todo so. 100 stores of Carphone Warehouse were closed following the breach over a year. The biggest consequence of the breach is a loss in customer rapport, with declining profits revealing the decline in customers.
#2. Wonga
This UK based payday loans company suffered one of the biggest data breaches UK has seen in the financial sector.
The Breach
In 2017, Wonga suffered a substantial data breach. A total of 270,000 customers were affected, with 245,000 of these residing in the UK, and the rest from the Poland market that Wonga was operating in.
Cyber attackers got ahold of customer records such as sort codes, addresses, phone numbers/ emails and bank account details. How the data breach occurred has never been disclosed by Wonga.
The Consequences
Rapport in the company continued to drop with this breach after already suffered some blows to its professional esteem with other past scandals tainting its name.
In 2014, the company was found by auditors to have given loans to customers who couldn’t afford to pay them, impacting on their business. In 2015, the company experienced a double loss in profit from the previous financial year.
#3. British Airways
British Airways is one of the leading airlines in the world and the largest international carrier in the United Kingdom.
The Breach
Computer hackers stole data in 2018, with British Airways revealing that the website and application of British Airways were compromised, with hackers obtaining the credit card details of close to 380,000 customers.
Traffic to the site and application was diverted to a fraudulent site where customer’s details were obtained, such as log-in, card payment information, as well as names and addresses. Since the airline is so famous, it was shared all over the news outlets as one of the biggest data breaches UK has seen.
The Consequences
The company was fined by the United Kingdom’s Information Commissioner’s Office (ICO) 183.4 million pounds. That was 1.5% of its worldwide turnover in 2017. This was the biggest fine that the ICO has ever handed out.
British Airways promised to give full reimbursement to affected customers of the cyber attack.
#4. Equifax
This is a UK based consumer credit reporting agency.
The Breach
15.2 million data records of customers between the years 2011 and 2016 were accessed. This affected close to 700,000 U.K customers whose data were obtained.
There were close to 10,000 credit card numbers accessed, close to 30,000 driving license information and close to 15,000 customers had their usernames, passwords, security questions, phone numbers, and email addresses hacked.
Suspicious activity was observed in 2017, and the hack was said to have taken place due to human and technological errors after a technician not applying a security framework correctly. Security scanners didn’t detect the vulnerability, leaving the database open to threats. A period of ten weeks was when sensitive information was exposed.
The Consequences
Share values of the company dropped by 14% right after the news of the breach broke out. This is a substantial drop, especially compared with any of the other data breaches UK has experienced.
#5. Lloyds Banking Group
This company is a British financial and banking institution, operating as one of the oldest banking establishments in the U.K.
The Breach
Lloyds blocked a substantial cyber attack in an online security breach that lasted 48 hours in January 2017. Millions of fake requests forced the systems to halt in a denial of service (DOS) hack, where criminals generally demand a large ransom to stop the attack.
Two hackers contacted managing executives of Lloyds banking group demanding a ransom, but nothing was paid as the security team eventually got it under control.
The source of the attack was eventually blocked by Lloyds IT security team. Though, later that year hacks again occurred to two third-party partners, Ticketmaster and British Airways, who experienced issues with using Lloyds online payment system.
The Consequences
The first 48-hour hack didn’t result in many consequences, though the second hacks to British Airways and Ticketmaster, affected Lloyds operations. British Airways experiences 77,000 customers having their personal information, along with payment data, stolen.
Ticketmaster had 40,000 UK customers affected who attempted to purchase tickets in June 2017. The bank has had to reissue debit cards to all customers who purchased on the Ticketmaster website, though it was expressed to be more of a safety measure, without believing any fraud had occurred for customers financial information.
#6. Tesco
Tesco bank is a British retail bank that was formed in a joint venture between Tesco, the largest supermarket in the U.K, and The Royal Bank of Scotland.
The Breach
In 2016, close to 10,000 customer accounts were hacked where money was taken from them, in a total of 2.5 million pounds. The money that was extracted from customers accounts was fully reimbursed by the company.
With not much information shared about how the attack took place, it was shared that it involved gaining access to debit card information of customers, in the online banking area of the company. Some theories suggest it was an internal security breach, though it is largely unknown what exactly took place without Tesco sharing the details of the hack.
The attack was made up of transactions from an outside source, most of which were from Brazil. The fraud security team at Tesco attempted to ban these transactions, but an error was made and the transactions continued to take place until eventually, the team was able to stop the hack, two days after it was noticed.
The Consequences
Losses amounted to 2.5 million pounds that had to be repaid by Tesco to the customers affected. As soon as the news hit, shares in the business dropped by 3% and continued to drop weeks after the attack. Tesco was eventually fined 16.4 million pounds by The Financial Conduct Authority, 2 years after the attack took place.
#7. Barts Health Trust
A part of the National Health Service of England, Barts Health Trust operates five hospitals throughout London City and East London.
The Breach
In 2017, the Barts Health Trust experienced an attack that affected the five hospitals that it managed. It was a Trojan attack, which usually relies on tricking users into installing malicious software. The attack caused major IT disruptions to the following hospitals: The Royal London. St. Bartholomew’s, Newham, Whipps Cross, and Mile End.
The Consequences
Operations in the hospitals affected experienced blocks and faults in their IT systems used for internal data storage and communications, through there was no damage to computer network files or any issues with patient data being stolen.
There was also no unauthorised access to medical records. The biggest consequence was simply the IT system outages across the hospitals, and later taking some drives offline as a precautionary measure while systems were checked and cleared of the virus.
This is one of the more unique data breaches UK, with hospitals being less common than department store companies or financial institutions.
#8. Debenhams Flowers
This multinational U.K retailer brand that owns close to 200 stores in the United Kingdom, Ireland and Denmark. Areas of retail that it offers include gifts, clothing, beauty, technology and other department store offerings.
It also operates in international locations with more stores worldwide. Debenhams Flowers is an online store that offering fast delivery, as well as gifts and other products for celebrations.
The Breach
In this malware attack, personal details, including card details used for payment, and personal identifying information of Debenhams Flowers’ customers were breached through the e-commerce site, Ecomnova.
The attack affected an estimated 26,000 people for a total of 6-weeks. All customers of Debenhams Flowers were informed that their personal data and records that they have used for payment might have been stolen.
The Consequences
Affected customers were advised to change their online banking passwords and be suspicious of unsolicited mail, phone calls, and email. As soon as the attack was discovered, Debenhams suspended all Ecomnova run websites to begin a full investigation.
In terms of the company experiencing negative consequences, mostly it was the loss in sales that it would have received during the suspension of online operations, as well as a loss in customer base with people not trusting business with Debenhams Flowers in the future.
There were no fines placed on Debenhams company, and no reported substantial loss in overall revenue, as this was just one small sector of the company’s full operations.
#9. Marriott
Marriott International is a worldwide hotel company, which owns many subsidiary hotel brands across the globe.
The Breach
Marriott acquired Starwood properties and disclosed in November 2018 that it’s Starwood Hotel Brands suffered a database hack with five million unencrypted passport numbers, along with eight million credit card numbers. Other personal and financial data was also taken.
A credit card stealing hacker group known as Magecart was said to be the culprit of the breach. Dating right back to 2014, the breach wasn’t discovered until late 2018. Affecting 30 million residents of the European Union, the breach exposed up to 383 million guests globally.
The Consequences
The U.K’s Information Commissioner’s Office that investigated the breach found that Marriott did not take proper security precautions to prevent breaches like this happening. The U.K Data Protection Authority fined Marriott 99 million pounds. The reservation system that was infected was later replaced with a new operating system.
#10. Sony Interactive Entertainment
Formally known as Sony Computer Entertainment Europe, this company is a multinational video game and entertainment provider.
The Breach
The hack took place in 2011, where personal information of close to 80 million customers of Sony’s PlayStation Network, including names, addresses, date of birth and account passwords. Along with payment card, details were exposed.
The Consequences
The Information Commissioner’s Office (ICO) hit the company with a 250,000 pound fine for breaching the Data Protection Act by not having up to date security software.
The ICO stated that it could have been preventable, were Sony to have been operating in lines with the Data Protection Act. With an official apology shared by the company’s officials, users were also offered free games, in an attempt to keep the customers on board.
Final Thoughts
According to UK government figures, close to 46% of businesses in the UK have suffered a digital attack in the past 6 months.
As the UK has an estimated 5.5 million companies, that suggests that about 2.5 million companies are likely to have been hit with a data breach.
The figures point to the alarming situation of how protected, personal records may not be as confidential as we think. There are financial and long-term repercussions for data breaches. If you want to host your data with a secure provider, the you can see my guide on some web hosting comapnies that provide multiple DoDS systems and firewall preventions.
To learn more, you can also see my post on data breach statistics which will be sure to be eye opening and unsettling.
References
- https://www.bbc.com/news/technology-48398607
- https://www.bankinfosecurity.com/uk-fines-sony-over-playstation-breach-a-5448
- https://www.moneysavingexpert.com/news/2017/05/debenhams-flowers-customers-hit-by-cyber-attack/
- https://www.bbc.com/news/business-46075090
- https://www.dataleaklawyers.co.uk/equifax-data-breach-compensation-claims
- https://www.bbc.com/news/business-39544762
- https://www.neowin.net/news/dixons-carphone-admits-data-breach-from-july-2017/
- https://www.policybee.co.uk/blog/uk-biggest-cybersecurity-and-data-breaches-in-2017
- https://www.itgovernance.co.uk/data-breaches
- https://www.dw.com/en/british-airways-receives-record-fine-for-passenger-data-breach/a-49508071
- https://www.theregister.co.uk/2016/04/22/mod_contractor_hacked_831_members_of_defence_community_exposed/
- https://en.wikipedia.org/wiki/Tesco_Bank#Fraud_incident_2016
- https://www.computing.co.uk/ctg/feature/3073761/the-top-10-biggest-security-breaches-of-2019-so-far
- https://www.theregister.co.uk/2015/11/13/mod_nitworks_breached/
- https://www.computerworlduk.com/galleries/data/most-significant-uk-data-breaches-3662915/