2020 data breaches: lessons from our DPOs

Last summer, an investigative team from Safety Detectives found a web-facing database that had no password protection, no data encryption, nor any other apparent security measures. It belonged to cosmetics and fashion retail brand Avon. Closer inspection revealed a range of personal data which included full names, phone numbers, birth dates, email addresses, postal addresses, payment records, and administrator-user emails. The server also contained a wealth of technical information such as 40,000+ security tokens, OAuth tokens, technical logs, account settings, and much more besides, that would be incredibly useful for hackers in committing further cyber attacks.

Safety Detectives alerted Avon to the high risk of an unprotected server and the company’s security teams took remedial actions. It is not known if cyber criminals may have found the exposed data before Safety Detectives did, but to date no data traceable to Avon has appeared on the dark web.

Babylon Health’s GP at Hand app enables private and NHS healthcare patients to have audio and video consultations with physicians via their smartphones, and reportedly has more than 2.3m registered UK users.

On June 9, 2020, a GP at Hand user checked his account and found he had been given access to some 50 videos of other patients’ consultations – clearly not a feature the app should legitimately provide. The user alerted Babylon Health via Twitter, although in an undated website notice the company later said that it had already been told about the glitch by an internal source. The issue was resolved ‘within two hours’, Babylon Health stated on its website: ‘This [issue] was the result of a software error and not a malicious attack’.

As Babylon Health recognised that the error might constitute a data breach within the articles of the GDPR it was referred to the ICO within 72 hours. The ICO’s investigation eventually concluded that the incident did not contravene the GDPR.

The globally-interconnected, interwoven fabric of the web is revealed most acutely when a company like Blackbaud gets hit by a ransomware attack. The US-based cloud software services provider supports a range of CRM, fundraising and financial management applications. Many of its users are charities, universities and third-sector organisations.

Blackbaud has said that it knew a substantial data set was stolen as part of the attack – it did not, however, inform its many user organisations of this until around two months later. In the intervening time the company announced that it had ‘paid the cyber-criminal’s demand with confirmation that the [data] copy they removed had been destroyed’.

After an initial investigation, it advised users that it ‘found that no encrypted information, such as bank account details or passwords, nor credit card or other financial information was access[ed]’. But in October it emerged that Blackbaud had, inadvertently or not, downplayed the extent of the data stolen both in terms of number of clients affected and the data types it included. ‘Further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,’ the company admitted in a regulatory filing with the US Securities and Exchange Commission on September 29.

In the US, at least 10 class-action lawsuits have been filed against Blackbaud. In the UK, students, staff and partners at the University of Cumbria who may have had personal details taken are also preparing to take legal action against the firm. More than 160 Blackbaud user organisations in the UK have reported the breach to the ICO, whose investigation is ongoing.

On May 19 2020 easyJet announced that data records for more than 9m of its customers had been purloined by a ‘highly sophisticated attacker’. The company revealed that the stolen data included some 2,208 credit and debit account details that included each account’s three-digit CVV number.

The airline reportedly found out about the breach in January 2020, but although it notified the ICO and NCSC about it ‘promptly’, it did not inform the affected customers until April.

The ICO’s investigation is ongoing. Although some pundits have suggested that the ICO will show leniency given the pressures placed on the airline sector by the Coronavirus pandemic, the regulator will be mindful of the fact that this is the second major breach by a UK airline since the GDPR kicked-in – BA being the first, since fined £20m – and that it expects business sectors to take heed of its power to fine. The fact that cyber attackers exploited vulnerabilities in easyJet’s security that existed before the pandemic took hold could be a factor in its inquiry.

EasyJet has not revealed the specifics of how the ‘highly sophisticated attacker’ was able to access and take the data, but told the media the hacker(s) seemed to be after the ‘company’s intellectual property’, as opposed to its customers’ personal data.

Meanwhile, like BA, easyJet has become the subject of a class action lawsuit, brought by the same law firm, PGMBM. The action is seeking to extract compensation to the value of £18bn.

On New Year’s Eve 2019, the REvil hacker group launched a cyber-attack on foreign exchange specialist Travelex. It used Sodinokibi ransomware to encrypt Travelex’s network, delete backup files, and exfiltrate more than 5Gb of PII data, which (according to unverified reports) included social security numbers, dates-of-birth, and card payment information.

Travelex has a presence in more than 60 countries and operates over 1,000 ATMs worldwide. It provides currency services for banks, supermarkets and travel agencies in 60 countries. Those services were also disrupted due to the attack. Travelex websites across Europe, Asia and the US remained offline for almost two weeks after the attack. A notice to visitors said they were down for ‘planned maintenance’.

It is unclear if Travelex informed its B2B customers of the reason behind the service suspension, but it did not notify the ICO of the data breach within the statutory 72 hours.

REvil initially demanded $6m (£4.6m) ransom from Travelex. Payment would apparently lead to the 5Gb of exfiltrated data being deleted and access to the company’s networks/databases restored. Travelex has not stated whether it has in fact paid this, but according to The Wall Street Journal, a ransom of $2.3m in Bitcoin has been handed over.

Travelex initially stated that it did not believe any of its personal data had been breached, and this might be why it did not notify the ICO. The consequences of not performing adequate analysis on if personal data has been leaked could land Travelex with a substantial fine.