2020 was quite the year for headline-grabbing data breaches, thanks to a combination of record-breaking numbers and the stories of how the attacks unfolded. Despite heavy investment in security tools and awareness, organisations of all sizes struggled to fully protect their data from cyber criminals.
The fact that a significant number of enterprises have yet to meet their GDPR compliance objectives is surely a factor at play here. A 2019 study by Capgemini revealed that 36% of business leaders polled identified the complexity of the GDPR’s requirements as one of the top barriers to achieving full compliance – complexity that a Data Protection Officer (DPO) is intended to manage, whether as an in-house role or as an outsourced managed service. Twelve months and a succession of data breaches later, the situation does not appear to have improved much.
Here at Bulletproof, we believe that there are some fairly straightforward ways in which the DPO function can be applied to reduce the likelihood of a data breach and to minimise the aftershocks if one does occur. To this end, our team of GDPR experts looked at five UK data breach cases from 2020 to see what lessons can be learnt, and how better use of the DPO function might have mitigated the respective outcomes.
Last summer, an investigative team from Safety Detectives found a web-facing database that had no password protection, no data encryption, nor any other apparent security measures. It belonged to cosmetics and fashion retail brand Avon. Closer inspection revealed a range of personal data, including full names, phone numbers, birth dates, email addresses, postal addresses, payment records and administrator-user emails. The server also held a wealth of technical information – 40,000+ security tokens, OAuth tokens, technical logs, account settings and much more besides – that would be incredibly useful to attackers in mounting further attacks: a valid session or OAuth token can be replayed to act as the user it was issued to, without ever needing their password.
Safety Detectives alerted Avon to the high risk posed by the unprotected server and the company’s security teams took remedial action. It is not known whether cyber criminals found the exposed data before Safety Detectives did, but to date no data traceable to Avon has appeared on the dark web.
Babylon Health’s GP at Hand app enables private and NHS healthcare patients to have audio and video consultations with physicians via their smartphones, and reportedly has more than 2.3m registered UK users.
On June 9, 2020, a GP at Hand user checked his account and found he had been given access to some 50 videos of other patients’ consultations – clearly not a feature the app should legitimately provide. The user alerted Babylon Health via Twitter, although in an undated website notice the company later said that it had already been told about the glitch by an internal source. The issue was resolved ‘within two hours’, Babylon Health stated on its website: ‘This [issue] was the result of a software error and not a malicious attack’.
Because Babylon Health recognised that the error might constitute a personal data breach under the GDPR, it reported the incident to the ICO within the 72-hour window that Article 33 allows from the point a controller becomes aware of a breach. The ICO’s investigation eventually concluded that the incident did not contravene the GDPR.
How tightly interwoven the web’s supply chains have become is revealed most acutely when a company like Blackbaud gets hit by a ransomware attack. The US-based cloud software services provider supports a range of CRM, fundraising and financial management applications. Many of its users are charities, universities and third-sector organisations, so a single intrusion at the provider became a breach for each of them.
Blackbaud has said that it knew a substantial data set was stolen as part of the attack – it did not, however, inform its many user organisations of this until around two months later. In the intervening time the company announced that it had ‘paid the cyber-criminal’s demand with confirmation that the [data] copy they removed had been destroyed’.
After an initial investigation, it advised users that it ‘found that no encrypted information, such as bank account details or passwords, nor credit card or other financial information was access[ed]’. But in October it emerged that Blackbaud had, inadvertently or not, downplayed the extent of the data stolen both in terms of number of clients affected and the data types it included. ‘Further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,’ the company admitted in a regulatory filing with the US Securities and Exchange Commission on September 29.
In the US, at least 10 class-action lawsuits have been filed against Blackbaud. In the UK, students, staff and partners at the University of Cumbria who may have had personal details taken are also preparing to take legal action against the firm. More than 160 Blackbaud user organisations in the UK have reported the breach to the ICO, whose investigation is ongoing.
On May 19 2020 easyJet announced that data records for more than 9m of its customers had been purloined by a ‘highly sophisticated attacker’. The company revealed that the stolen data included some 2,208 credit and debit account details that included each account’s three-digit CVV number.
The airline reportedly found out about the breach in January 2020, but although it notified the ICO and NCSC ‘promptly’, it did not inform the affected customers until April. Where a breach is likely to result in a high risk to individuals – as exposed card details with CVV numbers plainly are – Article 34 of the GDPR requires the controller to tell those individuals without undue delay.
The ICO’s investigation is ongoing. Although some pundits have suggested that the ICO will show leniency given the pressures placed on the airline sector by the Coronavirus pandemic, the regulator will be mindful of the fact that this is the second major breach by a UK airline since the GDPR came into force – BA being the first, since fined £20m – and that it expects business sectors to take heed of its power to fine. The fact that cyber attackers exploited vulnerabilities in easyJet’s security that existed before the pandemic took hold could be a factor in its inquiry.
EasyJet has not revealed the specifics of how the ‘highly sophisticated attacker’ was able to access and take the data, but told the media the hacker(s) seemed to be after the ‘company’s intellectual property’, as opposed to its customers’ personal data.
Meanwhile, like BA, easyJet has become the subject of a class action lawsuit, brought by the same law firm, PGMBM. The action is seeking compensation that could total £18bn.
On New Year’s Eve 2019, the REvil hacker group launched a cyber attack on foreign exchange specialist Travelex. It used Sodinokibi ransomware (the strain operated by REvil) to encrypt Travelex’s network, delete backup files and exfiltrate more than 5GB of personal data, which (according to unverified reports) included social security numbers, dates of birth and card payment information.
Travelex has a presence in more than 60 countries and operates over 1,000 ATMs worldwide, providing currency services for banks, supermarkets and travel agencies. Those services were also disrupted by the attack. Travelex websites across Europe, Asia and the US remained offline for almost two weeks afterwards, with a notice telling visitors they were down for ‘planned maintenance’.
It is unclear whether Travelex told its B2B customers the real reason for the service suspension, but it did not notify the ICO of the data breach within the statutory 72 hours.
REvil initially demanded a $6m (£4.6m) ransom from Travelex. Payment would apparently lead to the 5GB of exfiltrated data being deleted and access to the company’s networks and databases being restored. Travelex has not stated whether it paid, but according to The Wall Street Journal a ransom of $2.3m in Bitcoin was handed over.
Travelex initially stated that it did not believe any personal data had been breached, and this may be why it did not notify the ICO. Where attackers have had the run of a network and have demonstrably exfiltrated data, the safer working assumption is that personal data is affected until forensic analysis shows otherwise; failing to perform that analysis before deciding not to notify could land Travelex with a substantial fine.
These examples from the UK data breach casebook indicate that many organisations have ground to cover when it comes to really understanding the difference effective compliance can make to cyber resilience. Leveraging the value of the DPO function is key to this.
The DPO should not be treated as a role apart from frontline IT security operations, but as an expert asset with specialist insight and knowledge of the regulatory requirements. Crucially, they:
As Managing Director of Bulletproof, Nicky is responsible for innovating and evolving Bulletproof’s compliance services. With a varied and interesting career, Nicky shares insight that directly helps businesses overcome their security and compliance challenges.