It’s tempting to believe that important data breaches only happen in the US, and the figures tend to bear that out: the US accounts for the overwhelming majority of the really big data breaches that have been made public, some of them absolutely vast. But US laws and regulations force organisations to admit to data breaches involving customer data, something which is not true in all countries, so the comparison partly reflects who is obliged to disclose.
In the UK, the most important piece of legislation organisations must worry about is the Data Protection Act and the possibility of fines from the Information Commissioner’s Office (ICO). Below we offer what we believe are the 11 most significant data breaches to hit the UK, not in every case because they were particularly large, but because of the type of attack or vulnerability involved or the sensitivity of the data compromised.
Globally, the UK currently ranks a distant second behind the US for data breaches, which is no cause for complacency. Many of the breaches listed here happened in the last two years, and larger and more serious breaches undoubtedly lie ahead.
The UK’s 11 most infamous data breaches 2015 – Nationwide Building Society (2006)
The moment data breaches entered public consciousness in the UK. The Nationwide incident involved an unencrypted laptop stolen from a company employee, putting at risk the personal data of 11 million savers. The UK’s weak disclosure rules made it difficult for outsiders to find out what had actually occurred.
The Financial Services Authority (FSA) eventually fined Nationwide £980,000, at the time the largest sum ever imposed for data loss in the UK and seen as a warning shot for other firms that might suffer similar incidents. Not everyone noticed.
HM Revenue & Customs (2007)
Probably the most infamous large data breach ever to occur in the UK: two CDs containing the records of 25 million child benefit claimants (including every child in the country) went missing in the post. There was never any indication that the discs had fallen into the wrong hands, and they were password-protected, although not encrypted, which is a distinction that matters if they had. The incident underlined how valuable data was being handled by poorly-trained junior employees.
T-Mobile (2009)
Sales staff were caught selling customer records to brokers, who used the information to target those customers with marketing as their contracts neared their end. It was never clear how many records were involved in this murky insider trade, but estimates ran from half a million to millions. Initially the ICO refused to name the firm, but it was forced to after the rival networks said they were not involved, leaving only one name.
In 2011, the two employees involved were fined a total of £73,000 by the courts.