The number of UK businesses falling victim to cyber crime has started to grow rapidly over the last twenty-four months. Cyber attacks do not discriminate — all types of businesses large or small, rural or urban, and across all types of industry are being targeted.
It is dangerous, yet common belief amongst business owners that cyber attacks can only happen to other businesses or that the fines will be minuscule.
Significant Cyber Risk
In reality, cyber attacks threaten the survival of every business, and the fines can be ruinous. As such, every single business manager or owner needs to be aware of the risks associated with cyber attacks and the strategies for bolstering cyber security. Without adequate Data Breach and Cyber Insurance cover, the very existence of a business can be at risk.
Sometimes the easiest way to understand risk effectively is to learn from the mistakes of others. By examining previous Information Commissioner’s Office (ICO) prosecutions can help to ensure that your business does not suffer the same consequences.
Notable Cyber Security Fines
#1 Charity Fined following Cyber Security Ignorance
- Background: The British Pregnancy Advice Service was fined £200,000 after a hacker gained access to thousands of individuals’ personal information.
- What Went Wrong: The charity was unaware that its official website had been storing the names, addresses, dates of birth and telephone numbers of individuals who requested advice on pregnancy issues. A vulnerability in the site’s code allowed a hacker access to the system and the collected library of personal information.
#2 Insurance Broker Fined After Cyber Criminals Raid Records
- Background: Staysure, a personal lines insurance broker, was fined £175,000 after a hacker gained access to the credit card information and medical records of more than 100,000 of its customers.
- What Went Wrong: The company failed to review and update its IT security systems as well as its database software, which generated security gaps. These gaps, coupled with the company’s non-compliance of the Data Protection Act, allowed the hacker to gain access to the personal financial information of the company’s clients.
#3 London Council Suffer Fine for Releasing Sensitive Details
- Background: Islington Council was fined £70,000 after the personal details of more than 2,000 residents were made available to the public on the Web.
- What Went Wrong: The council had received a freedom of information request from the What Do They Know website, which enables individuals to submit requests for information to public authorities. Complying with the site’s request, council members provided three spreadsheets — which they failed to review for the presence of sensitive private information. The spreadsheets contained information on the housing needs of 2,375 residents, whether they had a history of mental illness or had been victims of domestic abuse. Despite being notified after the first spreadsheet was released, the council failed to take action, which resulted in the other two spreadsheets being released. This breach occurred, in part, due to the council members’ failure to remove the source data of the residents’ private information from the spreadsheets.
#4 Business Fined After Sensitive Hard Drive Stolen
- Background: Jala Transport Limited, a Wembley-based loans company, was fined £70,000 (which was later reduced to £5,000 due to the company’s limited financial resources) after an unencrypted hard drive containing customer data was stolen.
- What Went Wrong: The sole proprietor of the business kept the hard drive, along with several other business materials, stored in a case in his car. The case was later stolen as the car idled at a red light. The hard drive — which contained information on the names, dates of birth, addresses, the identity documents used to support loan applications, and the payment details of the business’ 250 clients — was password protected but not encrypted.
#5 Scottish Council Fined for Lax Laptop Security
- Background: Glasgow City Council was fined £150,000 after two unencrypted laptops, which contained personal information of more than 20,000 individuals, were stolen from its building.
- What Went Wrong: While the city council building was undergoing refurbishment, lax security allowed unknown individual access to the office where the laptops were stored. Despite previous warnings from the ICO, the council failed to provide its faculty with laptops capable of encrypting private and sensitive information.
#6 Travel Firm Fined for Cyber Negligence
- Background: Think W3 Limited, an online travel services company, was fined £150,000 after a hacker gained access to more than 1 million credit and debit card numbers.
- What Went Wrong: The company failed to periodically empty its cache of customer information — which it had been collecting since 2006—as well as to perform security checks of its site, which led to the development of gaps in the site’s code. These gaps provided the hacker with the opportunity to access the company’s library of more than 1 million customer credit and debit card numbers.
#7 Council Fined After Leaving Memory Stick Unattended
- Background: North East Lincolnshire Council was fined £80,000 after an unencrypted memory stick was stolen, which contained sensitive personal information of nearly 300 children.
- What Went Wrong: The memory stick — which contained information on the mental and physical health and special educational requirements of 286 students — was left unattended but connected to a laptop in possession of a special education teacher. After the educator had left the room, an unknown individual stole the device. While the council had introduced a policy of encrypting portable devices, it failed to check that existing devices could be encrypted.
#8 City Council Fined After Publishing Sensitive Information
- Background: Aberdeen City Council was fined £100,000 after private information was inadvertently published.
- What Went Wrong: When a city council employee accessed documents from her personal computer at home, concerning the families of vulnerable children along with the details of alleged criminal offences, a file-sharing programme automatically uploaded them to the Web for public viewing. The breach occurred, in part, due to the council’s lack of a policy concerning accessing documents from off-site personal computers.
FREE Business Insurance Review
Insync specialises in cover for small to medium businesses across the UK. We take the time to understand your specific requirements and can compare Business Insurance cover from the UK’s leading Insurance markets.
Specialist Data Breach & Cyber Insurance quotations are available, not only protecting your legal liabilities, but also associated PR support and regulatory fines – please contact us for more information and a no obligation quotation.