From malicious hackers to employee errors, cyber attacks and data breaches were never far from the headlines in 2015. Hiscox’s Stephen Ridley – Senior Development Underwriter, picks out some of 2015’s most significant cyber moments.
January – a not so happy new year for Sony
The fallout from a Christmas hack of Sony’s Playstation by a group called the Lizard Squad, putting internet platforms out of use, continues to reverberate into the New Year; completing a bad year for Sony following a loss of confidential data – including emails and film scripts – from Sony Pictures in November 2014.
February – hacking can be bad for your health
A fine of £175,000, one of the biggest of the year in the UK, is imposed by the Information Commissioner’s Office (ICO) after a hack targeted online holiday insurance company staysure.co.uk, resulting in fraudsters accessing 5,000 customers’ credit card details.
This month sees one of the biggest data breaches in history for the US’s second largest health insurer Anthem. Hackers gain access to a potential 80 million records including social security numbers and other personal information.
March – manage and mitigate the risk
The UK government and insurance industry publish – ‘UK cyber security: the role of insurance in managing and mitigating the risk’ – highlighting how insurance can help businesses better manage their cyber risks, and help drive the adoption of cyber security best practice, including through the use of Cyber Essentials.
The ICO also publishes new research that finds 77% of people are concerned about organisations not keeping their personal details secure.
May – what’s the average cost of a data breach?
The Ponemon Institute releases its annual Cost of Data Breach Study: Global Analysis, which finds that the average consolidated total cost of a data breach in the UK is £2.37 million (a 7% increase on 2013). The study also finds that the average cost incurred for each lost or stolen record increased from £95 to £104.
July – leaking employee data
A Morrisons employee is jailed for eight years for releasing payroll data including salaries, bank details and National Insurance numbers for nearly 100,000 staff to newspapers and file sharing websites. The supermarket chain estimated that this breach cost more than £2m to put right, and saw them facing legal action from a number of the affected employees.
August – a troublesome affair
Up to 90,000 customers may have had their credit card data accessed by hackers reveals Carphone Warehouse. The total breach may have affected up to 2.4 million customers.
The website of the extramarital affair website Ashley Madison is hacked with email details of its 32m customers released by the hacking group. The ‘affair’ costs Ashley Madison’s CEO his job as well as significant reputational damage and speculation that the eventual cost to the business could exceed £1.2bn.
October – hack attack
Talk Talk admits to falling victim to a sustained hacking attack on its website with the personal details of four million customers potentially vulnerable. With its share price initially hit by 10%, the business estimated the eventual cost of the attack would be around £35m.
December – confidentiality issues
An HIV clinic is fined by the ICO for accidentally revealing the names of patients in the ‘To’ field of an email bulletin. The fine is relatively modest at £250 because of the clinic’s unincorporated status, but the ICO emphasises that fines for such an offence would normally be far higher.
Welcome 2016 and hello to the EU’s GDPR
This month (January 2016), the EU General Data Protection Regulation (GDPR) is due to be ratified. Although it will take two years to be fully implemented across Europe’s member states, the new legislation will introduce fines of up to 4% of turnover or $20 million for data breaches, whichever is higher. A two percent figure will apply for more minor breaches. SMEs will however benefit from a number of opt out clauses including not having to appoint a data protection officer or undertake a Data Protection Impact Assessment and some existing red tape will be removed.
A new year’s resolution
While 2015 was an eventful year for cyber crime, 2016 is likely to be just as busy. Businesses of any size can expect to be under increased pressure from their customers and regulators alike to ensure adequate safeguards are in place to protect any personal customer records they hold.
For more tips on how to protect your business from cyber crime, visit our cyber crime hub.