The most significant data breaches in the UK

We take a look at the biggest data breaches that have affected people in the UK

data breach security threat lock crime spyware

Boots Advantage Card

High-street pharmacy Boots was forced to suspend loyalty card payments in March 2020 following an attempted cyber attack which aimed to use stolen passwords to compromise customers' accounts.

The firm claimed that its own infrastructure had not been compromised, and the attackers were trying to log in using passwords from other websites. A spokesperson told the BBC that less than one percent of Boots' 14.4 million active Advantage Cards were affected, and although the retailer couldn't provide an exact number, it was fewer than 150,000 people.

The spokesperson said payment information had not been accessed, and the temporary freeze was to ensure that loyalty card points were not spent by the attackers.

intro biggest data breach fines

Virgin Media

Almost a million Virgin Media customers were believed to be impacted by a massive data breach in March 2020– which saw the personal details of 900,000 people accessed after a marketing database was left open for 10 months.

That amounts to roughly 15 percent of the second-biggest broadband provider in Britain's fixed line customer base, however, some Virgin Mobile customers were affected too. Although the leaked data didn't include passwords or financial information, names, email addresses, phone numbers and contract details were all at risk.

This marketing database was left open from April 2019, said the Financial Times, and had been accessed by "at least" one person outside the company. The sources also told the paper that the database had not been configured correctly.

Chief executive of Virgin Media, Lutz Schuler, confirmed the breach, however, he insisted that customer details had not been used illegally – yet, saying that there is "no evidence that the data taken has been used in the wrong way".

Virgin Media has informed the Information Commissioner's Office, it said, but had decided not to notify customers yet.

Speaking with the FT, Schuler added: "We want to avoid any panic. We all have enough on our plate with coronavirus at the moment but we have to be open about it."

Data breach  >  open padlock allowing illicit streaming data collection
Arkadiusz Wargua / Getty Images

Tesco Clubcards reissued

British supermarket Tesco was forced to issue 600,000 new Clubcard loyalty cards in March 2020 following a security breach, and warned customers that fraudsters could have been successful in spending customers' points or vouchers.

The retailer said it believed username-password combinations had been taken from other leaks, and then tried on Tesco's websites.

A spokesperson from the supermarket added: "We are aware of some fraudulent activity around the redemption of a small proportion of our customers' Clubcard vouchers. Our internal systems picked this up quickly and we immediately took steps to protect our customers and restrict access to their accounts."

In addition to issuing new loyalty cards, the firm requested Clubcard users reset their passwords and has apologised for the incident.

las vegas getty images user aldo dz

MGM Resorts

In another blow to visitors to Las Vegas, MGM Resorts recently admitted that the personal details of 10.6 million guests had been compromised during an incident in summer 2019.

ZDNet and Under the Breach found that 10,683,188 former hotel guests had been impacted by the breach, and details included full names, home addresses, phone numbers, emails, and dates of birth. The hotel chain said that it had "discovered unauthorised access to a cloud server" containing a "limited amount of information" for "certain previous guests", a spokesperson said, adding that financial data, passwords, and payment cards were not involved.

Las Vegas is an extremely popular site for international trade conferences, drawing CEOs, executives, and reporters in their thousands every year. MGM is one such business that caters to these conferences, as is the Marriott group, which was forced to concede that hackers stole records of 339 million guests - and subsequently suffered a fine by the ICO to the tune of nearly £100 million.

pound sterling getty user johan10

Financial Conduct Authority

Independent financial regulator the Financial Conduct Authority has admitted publishing "certain underlying confidential information" from complainants on its website.


In a statement posted 25 February 2020, the FCA said that the slip-up was in response to a Freedom of Information Act request that it had published in November 2019. The independent regulator said that as soon as it became aware of the problem, the data was removed from its website, and that since, it has "undertaken a full review to identify the extent of any information that may have been accessible".


In "many" instances, it said, the gaffe revealed just the names of complainants, however there were other cases where addresses, phone numbers, and "other" information was published. No highly sensitive documents related to personal identity like financial, payment card, or passport information was published, it claimed.


The organisation added that it was contacting the individuals who were impacted to apologise and provide advice over next steps, and has also referred itself to the ICO.

social search employee recruitment leader

Hundreds of thousands of CVs exposed by recruitment firms

More than 200,000 CVs were exposed online after two online recruitment firms made their AWS cloud storage buckets public, which automatically made the CVs of job applicants available to download for anyone who knew the URL.

The US-based Authentic Jobs made 221,130 CVs publicly accessible, while UK retail and restaurant jobs app Sonic Jobs exposed 29,202, according to Sky News, which added that the total could still rise higher, as the service used to detect the leaks only refreshes irregularly.

Sergio Loureiro, Cloud Security Director at Outpost24, put the blame squarely on the shoulders of the recruitment firms.

"This is definitively not the responsibility of AWS, but of Authentic Jobs and Sonic Jobs," Loureiro said in a statement.

"There is no excuse for such a misconfiguration, default settings by AWS are good and there are plenty of tools to check for that kind of misconfiguration, such as Cloud Security Posture Management (CSPM) tools (according to the Gartner terminology). Yet another example of enterprises being sloppy with personal data, which they are responsible for!"

mark zuckerberg facebook the future is private

Facebook stores hundreds of millions of phone numbers on unprotected server

Facebook exposed over 419 million phone numbers linked to user accounts on a server without password protection, leaving 18 million British Facebook members' details wide open to whoever found the database.


Other geographies included a massive 133 million US user's phone numbers, and 50 million Vietnamese Facebook members. The records linked the user's unique Facebook ID to the phone number associated with the account, reports TechCrunch, which first published the story after being tipped off by security researcher Sanyam Jain, and some of the data also contained information about the user's name, gender, and country location.


Jaim told TechCrunch that he had discovered phone numbers linked to celebrity Facebook users.


But spokesperson for Facebook Jay Nancarrow told TechCrunch that the data set was "old" and appeared to "have information obtained before we made changes last year to remove people's ability to find others using their phone numbers".


While the spokesperson said that there was no evidence of any accounts having been compromised, Facebook has removed the data set.


Facebook is currently in the process of appealing a £500,000 fine issued by Britain's Information Commissioner's Office relating to alleged security failings of Facebook surrounding the Cambridge Analytica scandal.

big brother privacy eye data breach security binary valerybrozhinsky getty
ValeryBrozhinsky / Getty

Teletext Holidays exposes half a million sensitive files

The British travel firm that emerged from the Teletext TV news service, Teletext Holidays, has left more than half a million files exposed on an unsecured AWS server - including 212,000 audio files of customer calls.


For three years, personal information including names, email addresses, home addresses, phone numbers, and dates of birth were all available to anyone who cared to look at the AWS server. However, reports Verdict - which broke the story - the 532,000 files have now been removed.


The 212,000 audio files related to calls made between 10 April 2016 and 10 August 2016 to Teletext Holiday's call centre, based in India, and lasted between a couple of minutes and an hour. Customers can be heard discussing the minutiae of their holidays including locations, costs, and flights, as well as partial card details that included the type of card they were using, the name on the card, and expiry dates. However, card and CVV numbers were typed into a keypad and so were protected.


Teletext has said that it is reporting the situation to the ICO, and told Verdict that it is "taking all appropriate steps to ensure that this situation does not occur in the future".


hack security malware

Fingerprints of over 1 million people exposed after biometrics breach

The fingerprints of over 1 million people, as well as facial recognition information, usernames, passwords, and personal information of staff from security company Suprema were discovered on a publicly accessible database in August 2019.

The Suprema database is used by 5,700 organisations in 83 countries, including the Metropolitan police and a range of banks and defence contractors to identify people attempting to enter buildings. It was discovered by Israeli security researchers working with the vpnmentor virtual private network review service, as part of research they were conducting into vulnerabilities in companies' systems.

Jake Moore, a cyber security specialist at ESET, accused Suprema of making a "schoolboy error" by leaving passwords unencrypted.

"Stories like this have resurfaced time and time again whilst companies of all sizes and stature are getting caught out without following simple security check-ups," he said. "It’s worrying to think that our data is out there not fully protected and that there is a chance we are losing control of it."

Cloud security threats  >  theft / breach / fraud / phishing
YoungID / Getty Images

Data breach at Mumsnet leads users to log into other accounts

Mumsnet users were accidentally logged into the accounts of strangers after a botched software change that was part of the company's move to the cloud.

Between 2pm on 5 February and 9am on 7 February 2019, any users logged into the site could have had their account information switched with other people logged in. This would give them access to the other users email address, account details, posting history and personal messages, but not their passwords as these are encrypted.

The parenting site became aware of the incident when a user informed the company that they were able to log into and view the details of someone else's accounts. The total number of accounts affected has since been confirmed by the site as 44.

Mumsnet responded by reversing the software change that likely triggered the incident, and forced a log out to ensure users would no longer be logged in to the wrong account, and has also reported the incident to the Information Commissioner.

"You've every right to expect your Mumsnet account to be secure and private," Mumsnet CEO and founder Justine Roberts told users in a post on the site. "We are working urgently to discover exactly how this breach happened and to learn and improve our processes."

mobile banking / online banking / digital transactions / smartphone
ipopba / Getty Images

EE employee stalks ex-girlfriend after accessing her account

An EE employee accessed his ex-girlfriend's mobile account, switched her number to a new handset and changed her registered address so that all her texts and calls made to her were instead sent to him.

The perpetrator also gained access to her bank details and new address, where he arrived with friends to ask her to withdraw her complaint to police, which he also did repeatedly via calls and texts.

Francesco Bonafede first became aware that something was wrong with her account when her phone suddenly stopped working. She called EE, who five days later told her that someone had visited one of the company's shops to request a new SIM card and switch the account to a new handset. She recognised that the new address on the system was that of her ex-boyfriend, an EE employee.

Bonafede said she informed the police of the incident after EE failed to take the breach seriously. Her ex-boyfriend was eventually arrested and given a harassment warning. EE said that he no longer works for the company.

"I spent countless hours at the police station and missed days at work," Bonafede told the BBC. "He had access to everything: my sort code, my account number, a photocopy of my driver's licence.

"It did put me at risk and I feel all customers should know how poorly something like this will be handled if there is a data breach on their account. It was a complete breach of trust. I don't trust the way they handled my data at all."

Binary stream flowing through the fingers and palm of an upturned hand.
GrandeDuc / Getty Images

Largest data breach ever seen discovered

A cyber security researcher has discovered the largest ever collection of leaked data, an 87GB package of 12,000 files, including more than 772 million email addresses and 21 million passwords.

Troy Hunt, who runs the Have I Been Pwned website, found the trove after he was informed by contacts that it had been dumped on cloud service MEGA - which has since removed the data - and on a popular hacking forum.

He said that the data was a combination of a numerous different data breaches, which had been assembled to use for credential stuffing, a cyber attack that automatically tests combinations of email addresses and passwords to hijack accounts on other services. He dubbed the data dump "Collection #1".

“This particular set of stolen data seems to come from nearly 3,000 different websites from all over the globe," said Dan Pitman, principal security architect at Alert Logic. "In this day and age, everyone needs to make the assumption that their email is in a list that attackers have access to; unless you created it today, probably,"

"Hackers use these lists for many purposes from credential stuffing to identity theft. For the latter, the more data they have the more likely they can match details together from different lists to build up a profile.

"The more cracked passwords in their database, the more likely they are to be able to match those to the hashes from other hacks and find a combination that works to access a system, this is the essentials of credential stuffing."

germany flag

Massive Bundestag, political parties hack in Germany

Major figures from the German political establishment - minus the far-right Alternative für Deutschland - have been victim to a wide-ranging cyber attack that has affected hundreds of Germany politicians as well as stealing personal data from celebrities and journalists.

Bild journalist Julian Röpcke, who has combed through the leaked data, said that the scale of the attack is "unprecedented", with details including mobile phone numbers, addresses, private conversations with families, holiday pictures, bills, and communications between politicians.

Röpcke said the data was collected between October 2018 and December 2018 but has only just come to light now - and is still publicly available. Twitter account @_0rbit based in Hamburg, Germany and active since 2015 was believed to be behind the leak and has now been suspended.

Around 40 German television journalists and 10 artists also had their data compromised.

German intelligence was reportedly unaware of the leaks until last night, despite the first signs of the attack appearing publicly on Twitter in December, dressed up as an advent calendar.

gamer winner win victorious hacker hackathon gorodenkoff
Gorodenkoff / Getty

Breach of Town of Salem game exposes data of 7.6 million users

More than 7.6 million players of browser-based gamer Town of Salem had their personal details exposed after a hacker breached the servers of developer BlankMediaGames to access the player database.

The breach was first disclosed on 28 December by DeHashed, a data breach search engine, which was sent a copy of the stolen data by an anonymous emailer.  DeHashed claimed the compromised data included usernames, passwords, payment information, IP addresses, billing information and game and forum activity.

BlankMediaGames finally confirmed the breach on 2 January, blaming the delay on a Christmas holiday absence, admitting the hack but adding that all passwords in the database were hashed and that the company does not store any payment information.

Cybersecurity  >  Skull + crossbones / abstract code / criminal hacker / attack / security threat
CHUYN / Getty Images

Quora hack exposes up to 100 million user accounts

Up to 100 million Quora user accounts have been compromised after hackers breached the systems of the question-and-answer website.

Quora CEO Adam D'Angelo revealed in a blog post that the company discovered "some user data was compromised as a result of unauthorised access to one of our systems by a malicious third party".

The information exposed could include names, email addresses, encrypted passwords, data from linked social networks, and questions, answers, comments and votes on the site.

D'Angelo said that Quora was notifying users whose data has been compromised, logging out all Quora users who may have been affected and invalidating their passwords if used as their authentication method. The company is continuing to investigate the precise causes of the breach and has retained a digital forensics and security firm to assist.

Nominet CTO Simon McCalla gave Quora credit for their rapid response.

‘The data leaked included email addresses, user IDs, direct messages, public forum information and encrypted passwords. And while Quora has recommended that users do change their passwords, the fact they were encrypted means the fallout from this breach could be less impactful than others," he said.

"That said, Quora has shown good practice by reporting the breach and contacting users in timely fashion in the aftermath of the breach. This would suggest their internal security measures are well monitored and well operated. The fact they keep passwords encrypted also helps protect users should the worst happen. Of course, users of Quora should change their password for complete peace of mind but in this case, Quora’s proactive attitude to dealing with the breach will minimise the damage."

Marriott data breach  >  Marriott logo + binary data stream through the fingers of a hacker
GrandeDuc / Getty Images

Half a billion Marriott customers under threat in enormous data breach

As many as 500 million customers of hotel giant Marriott may have had their personal data compromised, and for an undisclosed number that could have include payment card numbers and expiry dates.

The hotel chain said that those card numbers were encrypted with AES-128, but warned that it could not rule out the possibility that the two components needed to decrypt these numbers were also compromised.

For about 327 million of the 500 million guests who had made a reservation, information includes names, mailing addresses, phone numbers, email addresses, passport numbers, the 'Starwood Preferred Guest' account information, date of birth, gender, arrival and departure information, reservation data, and communication preferences.

Guest information dating as far back as 2014 hosted on its Starwood reservation database could be affected. It was not until 8 September this year that the chain received an alert from a security tool about an attempt to access this database.

In a statement posted today Marriott said: "Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorised access to the Starwood network since 2014. Marriott recently discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database."

The resort multinational owns hotel brands such as the W, Sheraton, and Westin.

Social engineering / social media security / privacy breach / fraud
Chainarong Prasertthai / Getty Images

Payment data stolen from thousands of Vision Direct customers

As many as 6,600 customers of online contact lens shop Vision Direct are at risk of having their personal details, including financial information, stolen in a November data breach.

A total of 16,300 people were thought to be at risk of the breach, although 9,700 of those did not have any financial data compromised. For the 6,600 others though, information including payment card numbers, expiry dates and CVV codes could all have been accessed.

According to security researcher Troy Mursche the data theft was the result of a fake Google Analytics script. The retailer added that there was no risk of information being stolen from its database, and that the breach only impacted users who logged in to the website between certain dates.

Vision Direct said in a statement that customers who logged into the website or created a new account between 12.11am on 3 November and 12.52pm on 8 November could have been affected, and advised customers to contact their banks and credit card providers. Customers using PayPal were unaffected, but the Visa, Mastercard and Maestro methods were all at risk.

The retailer said that it is currently apologising to customers thought to be affected, and has notified the relevant authorities, as well as taking the "necessary steps" to prevent further data theft.

Closeup of man kicking soccer ball

FIFA hacked again

A series of disclosures about "dirty deals" at FIFA have been published after the computer systems of football's governing body were hacked.

The stories are based on more than 3.4 terabytes of data and more than 70 million leaked documents supplied by the Football Leaks organisation.

German magazine Der Spiegel reports that they contain evidence that top clubs are scheming to form a European "Super League" and that FIFA president Gianni Infantino has helped some of them escape punishment for financial fair play violations.

The Football Leaks founder, named only as "John", claims that he received the information from a variety of sources and that neither him nor his collaborators are hackers.

Critics doubt that he could have received such a  trove of data without a cyber attack, and FIFA officials admitted that their computer systems were hacked in March after a suspected phishing campaign.

The revelations come just a year after Russian hacking group Fancy Bear leaked information about failed drug tests by footballers that was stolen from FIFA.

Read next: FIFA hack threatens further embarrassment to football's governing body

train tracks converge / rails switch / paths merge / convergence / directory traversals

Eurostar forces customers to reset passwords after hack attempt

An attempt to hack into Eurostar's systems led the company to force a reset of all customer passwords.

The company emailed customers this week alerting them to the fact that hackers had been attempting to log in to the website between 15 and 19 October. It reported that the attackers had used a degree of automation in testing the credentials.

However, Eurostar insisted that credit card or payment data had not been accessed because it "never" stores that information on the accounts.

The possible breach has been reported to the Information Commissioner's Office.

In the meantime Eurostar is urging customers to be vigilant about unusual activity, plus to update their credentials on any other site where they have used the same username and password.

Regarding the hard reset earlier this week, a spokesperson from Eurostar told the Telegraph: "This email was sent after we identified what we believe to be an unauthorised automated attempt to access customer accounts, so as a precaution, we asked all account holders to reset their password. We deliberately never store any payment details or bank card information, so there is no possibility of those being compromised."

Commenting, chief security architect at SecureAuth James Romer said: "Bad actors can easily purchase stolen credentials on the dark web, which can then be used to attempt to gain access to a secure network. By utilising advanced techniques such as automation, more accounts can be easily targeted increasing their chances of success.

"It is critical that businesses review their approach to authentication, bolstering defences at the login phase and implementing more secure techniques which utilise a layered approach that uses additional factors, such as location analysis and device recognition."

it security lock cybersecurity breach alignment by chakisatelier getty
ChakisAtelier / Getty Images

Over 9m hit in Cathay Pacific breach

Hong Kong airline Cathay Pacific has owned up to an enormous data breach affecting up to 9.4 million passengers including passport numbers, email addresses, some expired credit card details and a handful of active credit card details.

Names, nationalities, date of birth, phone number, email, address, passport number, identity card numbers, frequent flyer membership number, customer service remarks and historical travel information were all affected in the breach.

The airline said that 403 expired credit card numbers were accessed, along with 27 credit card numbers but without the CVV number. The combination of what was accessed varies between affected passengers, however according to chief executive Rupert Hogg the company has seen no evidence that this data has (yet) been misused.

Hogg apologised in a statement, and moved to reassure worried customers: "We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures.

"We are in the process of contacting affected passengers, using multiple communications channels, and providing them with information on steps they can take to protect themselves. We have no evidence that any personal data has been misused. No one's travel or loyalty profile was accessed in full, and no passwords were compromised.

google logo black

Google shuts down Google+

Earlier this year Google discovered a vulnerability in an API for the company's social network Google+, which made it possible for third-party app developers to access data from the friends of the app users.

According to documents reviewed bythe Wall Street Journal, Google not only exposed this data but then it chose not to disclose it, with an internal memo showing the company feared reputational damage. According to the Journal even chief exec Sundar Pichai had been briefed on the decision not to disclose the potential breach.

As a result Google's parent company Alphabet has decided to shut down Google+ completely and for good.

Investigators reportedly discovered that a bug with the site was providing outside developers with access to Google+ profile data between 2015 and March 2018, when the issues was fixed. That timeframe does mean decisions were made before GDPR came into effect in May 2018, but regulators could still show interest in the breach.

Conservative Party conference app had security flaw

Conservative Party conference app had security flaw

As the Conservative Party conference was about to begin, those in attendance found that there was a glaring security hole in the official conference app - allowing a journalist to access Boris Johnson's mobile number.

Dawn Foster tweeted that the app let her log in as Boris Johnson and "straight up given me all the details used for his registration". The company behind the app, Crowd Comms, issued an apology, but Foster said that details in it were incorrect.

A Conservative Party spokesperson apologised for "any concern caused".

This was the first time that the Tories had created an official app, but the blunder led to criticisms that it was "deeply embarrassing" for the party, which has tried to position itself as modern and technologically progressive.

All it took to access the personal details of any MP in attendance was entering their email address - which, of course, is publicly available - while pressing on the attendee's corresponding button in the app.

After an embarrassing start, the Tories did plug the hole with app developer Crowd Comms, however the Information Commissioner's Office has confirmed it will be investigating.

Data protection consultant Pat Walshe tweeted that along with the glaring issues of the conference app, the Conservative campaigners app - developed by a company that has also created apps for America's NRA gun lobby and various anti-abortion apps - might not be compliant with GDPR due to an unclear cookie policy.

cockpit airline airplane control pilot by southerlycourse getty
SoutherlyCourse / Getty

British Airways: 380,000 payment cards affected

British Airways has suffered a sophisticated data breach affecting around 380,000 customers using its website and mobile app.

The attack - which was discovered on Wednesday 5 September 2018 - took place between 22:58 BST on 21 August and 21:45 BST on 5 September and should only impact customers who bought flights in between those dates.

According to the airline, customer's payment card details were breached and the police were contacted as soon as it was aware of the stolen data. Compromised data did not include travel or passport details.

In a statement BA said: “British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice. We have notified the police and relevant authorities.”

Following this, British Airways has confirmed that the breach has been resolved and the website is working normally. However, as one of the most serious data breaches to hit a UK company, the attack stands as yet another blow to the airline’s reputation following a number of IT issues since May 2017.

Speaking about the breach, Mark Adams, Regional Vice President of UK & Ireland at Veeam said: “While many will focus on the negative consequences of this data breach, the fact British Airways reported it so quickly is a positive. While it is unclear who is fully responsible for the detection of this security incident, the subsequent communications have been positive; many could learn from the handling of this.

“Unfortunately breaches can happen to any business and while BA remains on the backfoot to ensure this doesn’t happen again, it’s important to highlight why all businesses need to be far more proactive in managing data and systems and getting security and monitoring of data right up front.                                           

Butlin\'s: 34,000 holidaymakers at risk
© Butlins

Butlin's: 34,000 holidaymakers at risk

As many as 34,000 guests at British holiday resort Butlin's have had their personal details accessed by hackers in a major data breach.

No payment details were accessed according to the company however names, addresses, phone numbers and email addresses were all compromised.

A spokesperson confirmed to Sky News that the incident occurred in the last 72 hours, and was the result of a phishing email.

Butlin's has reported the breach to the Information Commissioner's Office, presumably in time to protect the business against potential fines as a result of the Europe-wide GDPR, which came into effect in May 2018.

Guests who might have been affected have been contacted by Butlin's, the business said, along with what next steps they should take.

Massive Dixons Carphone hack ten times worse than originally thought
Image: Wikipedia/Mtaylor848

Massive Dixons Carphone hack ten times worse than originally thought

The data breach discovered by Dixons Carphone in June 2018 was much more severe than it had originally thought, putting the compromised accounts number at 10 million compared to the earlier estimate of 1.2 million.

It maintains that there has been no evidence of fraud, but the original breach was notable in that in addition to personal information being stolen, attackers also made off with payment card details - as many as 5.9 million. Most of these were protected by chip and pin but some were not.

The BBC quotes the retailer's chief executive Alex Baldock as saying that the company has been working "around the clock to put it right".

"That's included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we're updating on today.

"As a precaution, we're now also contacting all our customers to apologise and advise on the steps they can take to protect themselves."

Mega-retailer Dixons Carphone has admitted an enormous data breach that put millions of customer credit card details at risk, including more than 100,000 non-EU cards without any chip-and-pin protection.

The firm said that there had been no signs of fraud “yet”.

In a statement posted to its website titled ‘Investigation Into Unauthorised Data Access’, the retailer said: “As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company.

It said there was “an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores”.

“However, 5.8 million of these cards have chip-and-pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made.

Chief executive Alex Baldock said that he and the company are “extremely disappointed and sorry for any upset this may cause”. He went on to say that data protection has to be “at the heart of our business” and that “we’ve fallen short here”.

More than 1 million personal details were also accessed including names and email addresses. The retailer did not say how the attack had happened, but that it has reported the incident to the ICO, the FCA and the police. It also said it had been consulting cybersecurity experts and adding additional layers of protection to its systems.

But the fact that so many card details were accessed is extraordinarily worrying. The retailer owns a handful of brands throughout the UK and Europe including Currys, PC World, and Dixons Travel.

Although details are currently scarce, the scale of the breach either suggests a highly sophisticated attack, poor defences, simple human error, or a combination of the three.

It is the first breach of its scale since the General Data Protection Regulation came into effect 25 May 2018.

UK | United Kingdom  >  England  >  London  >  streetscape / Tower Bridge, traffic, pedestrians

British government exposed secret files through Trello

The British government is under fire for potentially exposing official papers and reports through files uploaded to public Trello boards used by departments, according to a report from the Sunday Telegraph.

Sensitive files including communications with spy agency MI5 and counter-terrorism officers could have been accessed via boards on the Trello project management tool that had been accidentally left public.

The incidents appear to have occurred when civil servants used Trello in place of secure government file-hosting and communication tools, the Sunday Telegraph reported. The paper noted that 10 government Trello pages that were previously public had been made private during its investigation, but that the contents of the pages had not been "fully removed" with some parts still visible through Google searches.

A government spokesperson has said: "We take data protection very seriously, and impress upon all government departments to exercise best practice and implement suitable measures to ensure data is secure when using platforms such as Trello boards.

"The Government Digital Service and Trello are working with government departments to ensure any data breached is made secure. Trello has offered to make all government accounts private, to ensure data is better protected in the future."

The Daily Recordreports that Liberal Democrat MP Tom Brake, who is also a member of the Commons Home Affairs Committee, is calling for a formal inquiry to be launched "immediately".

Passenger view of an airplane wing above the clouds. / travel / journey / transportation

Thomas Cook

Travel business Thomas Cook could have put customer information at risk due to a security flaw in a duty free website, Airshoppen.

Security researcher Roy Solberg was booking his holiday through Thomas Cook subsidiary Ving, then received an email from Thomas Cook Airlines to, a portal that lets customers upgrade their flights or check in online.

He blogged: “I got a bit curious when I saw that the links from the email did an auto login of my user based on only very little data.”

Solberg found that he could extract sensitive information from Thomas Cooks' systems, including the full names of travellers, email addresses of the person booking, full departure details and full return details. He could view travel info from customers between 2013 and 2019, and through tinkering with the parameters and copying the call to the FOSS command line tool Curl, could shorten the request significantly.

He found that by using booking numbers from friends and family, and even from Google searches, he could retrieve data from Ving Norway, Ving Sweden, Spies Denmark, and Apollo Norway.

Solberg also struggled to gain an adequate response from Ving, but he did notice that the issue was fixed the fourteenth day after he had reported it.

Thomas Cook told Sky News that the loophole had been closed and then actions were taken “in line with the law”.

“Based upon the evidence we have, and the limited volume and nature of the data that was accessed, our assessment is that this was not an incident which is required to be reported to the authorities. For the same reasons we have not contacted the customers affected.”

Networking cables viewed through a magnifying lens reveal a data breach.
AndreyPopov / Getty Images

Ticketmaster suffers potentially massive breach

Ticketing and events business Ticketmaster UK has said that up to five percent of its global customer base, outside of the USA, might have had their personal details and payment details compromised as part of an attack on a third party the company used.

Their Twitter account appears to confirm the breach.

In a statement, the company said that Ticketmaster UK “identified malicious software on a customer support product hosted by Ibenta Technologies, an external third-party supplier to Ticketmaster.”

“Less than 5% of our global customer base has been affected by this incident. Customers in North America have not been affected.”

The firm said that because AI service Ibenta had been running on Ticketmaster International websites, “some of our customers’ personal or payment information may have been accessed by an unknown third-party.”

It added that customers who might have been affected by the incident had been contacted, and that UK customers who bought or attempted to buy tickets between February and June 2018 might have been affected.

International customers between September 2017 and 23 June 2018 might have been affected.

The company has contacted the information commissioner. It said that “forensic teams and security experts are working around the clock to understand how the data was compromised”.

“We are working with relevant authorities, as well as credit card companies and banks.”

It did not state precisely how many customers it thought were affected, nor did it state that the incident was isolated, or if it expects more customers had been compromised. It warned customers to change their passwords, and is offering identity management software as compensation to compromised customers.


Ticketmaster UK has issued an official statemen to the media. It reads:

On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster.

Less than 5% of our global customer base has been affected by this incident.

As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites.


As a result of Inbenta’s product running on the Ticketmaster UK website, some of our customers’ personal or payment information may have been accessed by an unknown third-party.


We have contacted all potentially impacted UK customers who purchased, or attempted to purchase, tickets between February and June, 23 2018. Out of an abundance of caution, we have also contacted all potentially impacted international customers who purchased, or attempted to purchase, tickets between September 2017 and June 23, 2018. No customers in North America have been affected.

Forensic teams and security experts are working around the clock to understand how the data was compromised.

We are working with the Information Commissioner’s Office (ICO), as well as credit card companies, banks and relevant authorities.

What we are doing for affected customers:

  • We have established a dedicated website to answer customers’ questions about the incident
  • As a precautionary measure, all notified customers will need to reset their passwords when they next log into their accounts
  • We are offering impacted customers a free 12 month identity monitoring service with a leading provider
Greenwich University fined for 2013 data breach

Greenwich University fined for 2013 data breach

The University of Greenwich has been fined £120,000 for its 2013 data breach which exposed the personal data of 19,500 students.

The breach - which is the first university fined by the Information Commissioner's Office - exposed the names, addresses, dates of birth and phone numbers of students, as well as information on some students' mental health problems.

The breached information was initially uploaded onto a microsite in 2004, which was inevitably never secured or closed down.

Staff at the University of Greenwich discovered the breach in 2016 and since has carried out "an unprecedented overhaul" of its data security systems.

The University of Greenwich secretary Peter Garrod said: "We acknowledge the ICO's findings and apologise again to all those who may have been affected.

"No organisation can say it will be immune to unauthorised access in the future, but we can say with confidence to our students, staff, alumni and other stakeholders, that our systems are far more robust than they were two years ago as a result of the changes we have made.

"We take these matters extremely seriously and keep our procedures under constant review to ensure they reflect best practice."

metal whistle on green background

Cambridge Analytica whistleblower alleges millions of compromised accounts

Millions of Facebook users have had their personal information compromised without their consent according to a whistleblower who helped found the election data company, Cambridge Analytica, which informed the Trump presidential campaign and has worked for Leave.EU.

Whistleblower Christopher Wylie told the Guardian how British data science firm Cambridge Analytica, the privately held business with the financial backing of Republican donor Robert Mercer, had scraped the Facebook profiles of over 50 million users without their consent.

When Wylie met former Breitbart editor, right winger and Trump campaign right-hand man Steve Bannon, Bannon introduced Wylie to Robert Mercer. According to Wylie’s account to the Guardian, there is evidence of a commercial arrangement between parent company to Cambridge Analytica, SCL, and a business called Global Science Research, owned by Cambridge academic Aleksandr Kogan.

In short, this data was acquired through a personality quiz app Kogan created called thisismydigitallife which requested access to the Facebook profiles of people who took the quiz. It would have access to those people’s friends as well, and each of the quiz-takers, roughly 320,000 people, also gave access to at least 160 other people’s profiles.

It was mirroring techniques from an earlier study by Cambridge University’s Psychometrics Centre that ran an app called 'myPersonality'. Facebook said that Kogan claimed to be collecting the data for academic reasons.

Ultimately this data was used, Wylie said, to target voters including in the Trump campaign.

Facebook responded by suspending Cambridge Analytica and SCL from advertising on the social network.

VP and deputy general counsel for Facebook Paul Grewal said that the claim this is a data breach is "completely false".

"Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent," Grewal wrote. "People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked."

Britain’s Information Commissioner’s Office is investigating.

"A full understanding of the facts, data flows and data uses is imperative for my ongoing investigation," Information Commissioner Elizabeth Denham said. "This includes any new information, statements or evidence that have come to light in recent days.

"Our investigation into the use of personal data for political campaigns includes the acquisition and use of Facebook data by SCL, Doctor Kogan and Cambridge Analytica.

"This is a complex and far reach investigation for my office and any criminal or civil enforcement actions arising from it will be pursued vigorously."

drafting military for cyber security cybersecurity govenment
gorodenkoff / Getty Images

APT15 target UK military contractor

NCC Group discovered that a group suspected to have ties to China was caught in the act of stealing sensitive data from one of the company’s clients, a UK government military contractor.

The company made the attacks public in March 2018, but they were first noticed by the Incident Response team in May 2017. At the time, the group was identified to be using new backdoors that "appear to be a part of" APT15's toolset.

APT15 returned weeks after it was booted from the network, gaining access with a corporate VPN with a stolen VPN certificate. Once on the network again, the group deployed a DNS-based backdoor, RoyalDNS. For a full run down of the incident see NCC’s blog here.

Magdalena Petrova

Leaky bucket leaves old FedEx subsidiary data public

In February 2018, Kromtech researchers found more than 100,000 scanned documents containing highly personal information and including passports, driving licences and security IDs in an unsecured Amazon S3 bucket – completely accessible to the public.

The problem seemed to stem from a company called Bongo International LLC, which was sold to FedEx in 2014 and then rebranded as FedEx Cross-Border International. But this was shut down in 2017.

However, the inherited document data was still online in the S3 bucket, and contained information gathered from 2009 to 2012.

Kromtech’s Bob Diachenko said: “Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his or her documents scanned and available for many years.”

FedEx said there was no indication the data had been misappropriated.

57 million Uber users compromised

57 million Uber users compromised

Ride-sharing company Uber disclosed on the evening before 2017's Thanksgiving that it had not only suffered an enormous data breach to the tune of 57 million people – drivers and customers – but that it had also paid an extortion fee of $100,000 (£75,000) to have the hackers delete that data.

Uber said that the attack, which occurred in October 2016, exposed names, email addresses and phone numbers of 50 million people worldwide, plus personal details of 7 million drivers – including roughly 600,000 licence details.

In a statement, new CEO Dara Khosrowshahi said: "I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

"Our forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded."

Chief security officer Joe Sullivan has been asked for his resignation and Craig Clark, a senior lawyer who reported to Sullivan, has been fired as a result.

A FAQ for drivers is available here while more information for passengers is available here including advice on possible next steps.

Khosrowshahi said that the company "identified the individuals" and "obtained assurances that the downloaded data had been destroyed".

While mammoth hacks and data breaches have become spectacularly commonplace, what is especially unusual about this incident is that Uber admitted to paying a fee to destroy the information. This practice is usually warned against by both infosec experts and authorities because it is difficult to verify whether that information truly has been made secure again, plus it encourages copycat attacks.

"None of this should have happened, and I will not make excuses for it," wrote Khosrowshahi, whose promotion to the chief executive role is seen as a salve to smooth over the company’s battered reputation.

"I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

Uber was charged £133m in September 2018 to cover the legal action over the data breach that affected 57 million customers and drivers in 2016.

According to BBC, the payment will settle the action by the US government and 50 states due to Uber's failure to disclose the details of the data loss.

Equifax breach  >  Equifax logo amid broken, disrupted binary code
Equifax / Valery Brozhinsky / Getty Images


In 2017, Equifax suffered a major data breach affecting 143 million customers in the US.

The credit agency later revealed that 694,000 customers in the UK had their data stolen in the initial attack, exceeding Equifax's initial estimate of 400,000.

In September 2017, Equifax said that no UK passwords or financial information were stolen in the breach. However, the firm has since admitted that passwords and partial credit card details of 15,000 UK customers has been compromised.

It's believed that a further 14 million UK records were stolen, although only names and dates of birth were affected.

Cash Converters

Cash Converters

Australian pawnbroker Cash Converters has revealed that a data breach could have exposed customer's personal information via the company's old UK website, which was replaced in September 2017.

The company - which operates an online store and high street shops - has reported that addresses, usernames and passwords could have been accessed by a third party. Although no credit card information is believed to have been compromised.

The breach is thought to only have affected customers with an account on the old website, prior to its September relaunch.

Cash Converters is said to be taking the breach "extremely seriously", having reported information of the breach to the information commissioner, according to the BBC.

In a recent statement, the company said: "Our customers truly are at the heart of everything we do, and we are disappointed that they may have been affected.

"We apologise for this situation and are taking immediate action to address it."

Right now, it's not clear how many people are impacted by the breach.

doctor with tablet nurse scrubs mobile device medical technology
Getty Images

London Bridge Plastic Surgery clinic

In October 2017, a group calling itself The Dark Overlord says it has stolen extremely personal data from a London cosmetic clinic with celebrity customers, and the hackers claim that among the cache is pictures of breast enhancement and genital surgery.

The London Bridge Plastic Surgery clinic provides "a complete aesthetic package" with "expertise in surgery, non-surgical treatments and skin health". Model and celebrity Katie Price is a customer of the clinic, while the hacker group said clients extend to 'royal families' along with other celebrities or people in the public eye.

A representative of the group released a statement to infosec journalist Joseph Cox at The Daily Beast, sent from an email account registered to the clinic as evidence that it had obtained access. It threatened to release the data to the public. The group said: "We have TBs of this shit. Databases, names, everything. There are some royal families in here.

"We're going to pitch it all up for everyone to nab. The entire patient list with corresponding photos. The world has never seen a medical dump of a plastic surgeon to such degree."

The clinic said it is "horrified" that patients were targeted.

In a statement, the LBPS said: "Security and patient confidentiality has always been of the utmost importance to us. We invest in market-leading technology to keep our data secure and our systems are updated daily.

"We are deeply saddened that our security has been breached. We are profoundly sorry for any distress this data breach may cause our patients and our team are available around the clock to speak to anyone who has any concerns by calling 0203 858 0664."

The Metropolitan Police is now investigating the case.

© Deloitte


British financial services business Deloitte – a member of the 'big four' auditing services alongside PriceWaterhouseCooper's, Ernst & Young, and KPMG – was hit with a 'sophisticated' hack that may have exposed the confidential plans of many of its blue-chip clients.

According to the Guardian, the 2017 hack is likely to have affected clients of Deloitte in all of the main sectors in which it operates, including finance, government and pharmaceutical industries. The British broadsheet claims that the companies "include household names as well as US government departments".

It is believed that a hacker gained access to Deloitte's email server with an administrator account that had a single password, compromising access to the emails of all of the company's staff, which were hosted on Microsoft Azure cloud.

In addition to usernames and passwords, the breach could also have provided access to highly sensitive business information including design details. It was believed to have taken place in March this year, and only a small amount of partners and lawyers are said to have been informed.

According to the Guardian, the breach was focused on US companies, and a team of specialists are currently trying to trace the digital fingerprint of the hackers. A Deloitte spokesperson said that a small number of clients were impacted, and that the company instigated an "intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte."

Javvad Malik, security advocate for AlienVault, said the breach is proof that big businesses can overlook fundamental security protocols.

"The unfortunate incident demonstrates that even the largest of organisations can sometimes overlook fundamental security practices such as not enabling two-factor authentication on administrative accounts," Malik said. "It also highlights the importance of ongoing monitoring and threat detection, so malicious activity can be detected and responded to in a timely manner."

© YouTube


Second-hand electronics retailer CEX has suffered a potentially enormous data breach and notified 2 million registered customers that their information might have been compromised.

Personal information including names, addresses, email addresses and phone numbers are all at risk in the breach, and the British company noted that expired credit and debit cards might have been compromised too. The company said that this only applies to customers who were notified.

A statement from the company posted on 29 August 2017 reads: "We would like to make it clear that any payment card information that may have been taken has long since expired as we stopped storing financial data in 2009."

The statement continues: "We are aware that an unauthorised third party has accessed this data. We are working closely with the relevant authorities, including the police, with their investigation."

The company, which was first founded in Tottenham Court Road, London, operates the website and recommends users change their password – as well as any other online accounts with a shared password – as a precautionary measure.

The company did not specify any further details of the hack except that it was "sophisticated" and that it would do better:

"We take the protection of customer data extremely seriously and have always had a robust security programme in place which we continually renewed and updated to meet the latest online threats.

"Clearly however, additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes.

"Together we have implemented additional advanced measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cyber security specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again."

The breach comes less than a month after the British government announced its intention to effectively mirror Europe’s General Data Protection Regulation, which will allow regulators to fine businesses that have not adequately protected themselves against data breaches.



Payday loans company Wonga admitted it suffered a massive data breach that could have affected as many as 250,000 customers. Compromised information included names, email addresses, phone numbers, the last four card digits, and bank account numbers and sort codes. In a statement, Wonga said that it didn't believe passwords were leaked but recommended that concerned users change them.

healthcare - doctor and patient hands

GP surgeries and SystmOne

It emerged in March 2017 that a clinical computer system used by GP practices across the UK called SystmOne could have exposed the confidential medical details of as many as 26 million patients.

Roughly one in three surgeries in the UK use the system, developed by TPP. But if an option in the system called enhanced data sharing was permitted, doctors might have inadvertently shared details to other organisations that are registered with TPP – including care homes and prisons.

Although the ICO was investigating the system, it advised GPs not to turn the feature off. "Given the possible impact to patient care, the ICO is not advocating that users switch off data sharing at this stage," a statement read.



In November 2016, mobile network Three disclosed a breach of its upgrade database which was accessed using an employee login. The company insisted financial information was safe, but sensitive details including names, numbers, addresses and dates of birth were believed to have been accessed.

At the time Three reported that 133,827 of its customers were affected. But in March this year Three discovered that 76,373 further customers had had their information accessed.

To top it off, some Three customers found that when logging in to their Three account, they had been given access to other customer information – including personal calling history.



Private health company Bupa discovered one of its employees from the international health insurance division - Bupa Global - made off with the details of roughly 108,000 customers.

The business stressed in July 2017 that the information was not financial or medical, but did contain names, date of birth, nationalities, contact details, Bupa insurance membership numbers and "administrative details".

Bupa said it sacked the person responsible for the data theft, introduced additional security measures, and was working with the Financial Conduct Authority and other relevant regulators in the UK.

Debenhams Flowers
© Debenhams

Debenhams Flowers

Up to 26,000 customers for Debenhams' Flowers website had their data compromised when attackers targeted ecommerce service provider Ecomnova starting in February. The data, Debenhams said, included customer payment details, names and addresses.

Customers for the separate website were not affected.



Travel trade group ABTA – Britain’s largest travel association – was hit in February 2017 with a cyber attack that threatened to expose the details of up to 43,000 holidaymakers, with 1,000 of these compromised files potentially containing identifying information.

Chief exec Mark Tanzer apologised for any "anxiety and concern" caused in the wake of the attack.

The organisation said that a system vulnerability in a server managed for ABTA by a third party was to blame for the breach, and that it immediately approached security consultants following the discovery. It also said that it approached the police and reported it to the Information Commissioner.

The AA shop

The AA shop

Emergency road services organisation the AA had a tranche of information that was publicly available through its online shop, discovered in April 2017.

Security researcher Troy Hunt of Have I Been Pwned alerted the BBC to the leak, which was said to have been accessed through an open server, where 117,000 unique email addresses plus credit card types, the last four digits of each card, and expiry dates were all being stored.

The AA at first said the exposed data was related to orders through the shop and contained no sensitive data.

But Motherboard added that password hashes, an expired certificate and private encryption key also appeared to have been exposed.

Copyright © 2020 IDG Communications, Inc.

Related Slideshows