Keeping up with its transformation as the internet expands has become increasingly challenging. The constant need to adapt to technological advances has exposed organisations to data breaches and cyber-attacks where cyber criminals primarily target them for financial gain – and sometimes political reasons – where they aim to extort and ransom their victims for profit.
But when domain and hosting providers Fasthosts released their State of The Web report, which revealed that 11% of Brits don’t use the internet out of fear for their online safety, they were keen to understand why.
Countless data breaches have come to light in 2023, and we’re only halfway through. These have affected hundreds of organisations operating in different sectors across the UK, from small businesses to large corporations and private to public sectors.
But who’s most at risk? Fasthosts has compiled the most notable breaches from 2023 (so far) and the three industries currently most at risk.
In the 2023 cyber security breaches survey released by the British government, it was estimated that across all UK businesses, approximately 2.39 million instances of cybercrime and around 49,000 instances of fraud (due to cybercrime) occurred in the last 12 months.
Starting off the new year the wrong way was Twitter. On January 5th, the email addresses tied to over 235 million accounts – almost half of Twitter’s user base – were posted to an online hacking forum. Described as one of the most significant leaks ever seen, users have been warned that as a result of the hack, they could become victims of hacking, targeted phishing, and doxxing. Not the news you want to hear.
On 8th January, Yum! Brands – the parent company of KFC, Pizza Hut, and Taco Bell – were at the receiving end of a cyber attack. They were forced to close over 300 UK restaurants to contain the incident, which involved a threat actor gaining unauthorised access to Yum! Brands’ network.
Although they proclaimed that there was no evidence of identity theft or fraud, they made everyone involved aware that they could have been subject to the loss of information such as names, driver’s licence numbers, ID numbers, and other personal identifiers.
In January, PayPal was made to send out data breach notifications to just under 35,000 users who had their personal data exposed. The attack involved credential stuffing – using the login credentials collected from a data breach from a separate service provider to attempt to log in to a different service – to access the accounts.
Although PayPal itself wasn’t breached, as an online payment system, the consequences of a breached account could be catastrophic.
At the end of January, sportswear retailer JD Sports became another cyber victim. The company revealed that information such as name, billing and delivery address, phone numbers, order details, and the last four card digits were leaked to approximately 10 million customers. The attack also targeted the purchases from their partner companies, including Size?, Blacks, Scotts, and Millets.
The Zellis data hack involved a chain system affecting multiple parties. Hackers originally found a weakness in MOVEit, a file-sharing system that payroll provider Zellis uses alongside their clients. The information that was stolen related to employees of eight of their largest clients, including BBC, Boots, British Airways, and Aer Lingus.
As cyber-attacks on the educational sector rise, the latest cyber security breaches survey 2023 revealed that all education institutions are more likely to have identified cyber security breaches or attacks in the last 12 months than the average UK business.
In January, it surfaced that 14 UK schools were hit by a cyber attack supposedly revealing 500GB worth of highly confidential data, including SEN information, child passport scans, staff pay scales, and contract details.
The hack was reportedly orchestrated by the Russian hacker group Vice Society, who have been targeting public schools worldwide, and most recently, the UK in late 2022. They’re known to acquire sensitive information for double extortion purposes (a ransomware tactic used to ask for money in exchange for the decryption or deletion of data).
University of Manchester
This time targeting the higher education sector; one of the most recent victims is the University of Manchester, who revealed that they were victims of a cyber attack at the beginning of June. They are still unsure what data has been accessed but believe that data is likely to have been copied, as the orchestrator of the attack accessed their systems and threatened the institution with a ‘last warning’ before releasing the data from their 40,000 students and 12,000 staff.
New research has revealed that nearly eight in 10 providers of frontline healthcare services within the UK have experienced at least one data breach since 2021.
Around 90 separate organisations have reported breaches of personal information held by Capita after the payroll outsourcing group suffered a cyber attack. This caused major IT outages for clients, some of which ran crucial services for the NHS, local councils and the military. Capita employs over 50,000 people in the UK and holds £6.5bn worth of public sector contracts with the British government.
On the back of the University of Manchester data breach, a new report has surfaced suggesting that the data from over one million NHS patients may have been compromised from the NHS data used for research purposes that was leaked in the University’s recent data breach. Some reportedly stolen data includes NHS numbers and the first three letters of patients’ postcodes.
The breaches listed here don’t even begin to scratch the surface of what’s happened in the digital world so far this year. As we increasingly rely on digital technologies, learning to manage potential threats and vulnerabilities is an uphill battle.
Tackling these threats involves a collective effort, combining new risk management frameworks, and educating businesses, staff, and individuals on practising strong internet safety to enhance their defences.