Data breaches are frightening because of our supposed inability to do anything about it – when we hear a large corporation's data has been breached, there is nothing for us to do other than wait for more news and to see if we're in the pool of people affected.
We don't have a choice when it comes to sharing our data – some of our most sensitive information is held under digital lock and key by a variety of corporations and groups, from banks and hospitals to our employers and insurance firms. Sometimes, we might not fully realise that a company has our data until a breach happens.
When our data is exploited, it can take years for us to get back to normal. Social security numbers, personal details, health records, and other sensitive data – this is just the tip of the iceberg. This type of online crime is lucrative because an average record can bring in about $148 on the black market. And if you manage to get your hands on millions of records, then it's like breaking into a bank and taking everything without even leaving your house. It's a risk many people are willing to take.
Here are some of the biggest data breaches in history – the ones that affected millions of user accounts, lives and cost companies billions of dollars. Like any other type of disaster, we can learn from them if we study them. What went wrong? Often, it's human error – systems that weren't as secure as people thought, poorly managed passwords, and not enough attention paid. Things that lead to a cyber-Titanic type of situation: remember that no system is "unhackable". Let's see what led to sensitive data being accessed and breached in these famous instances.
Reason – Poor security, ignoring failed security tests, continued unresponsiveness after the data breach was discovered
Year – 2019
Records Affected – 885 Million
Cost – The cost may be up to $1,000 per violation, setting the tab at $885 billion
Error – Insecure Direct Object Reference (IDOR)
The First American Financial Corp. leaked digitised records of bank account numbers, tax records, Social Security numbers, images of drivers' licenses and IDs, and mortgage records. A truly vast amount of data was affected, going as far back as 2003.
This could not have been a surprise, given that this particular vulnerability was discovered as early as 2018, during security testing. So, what went wrong, and why was it allowed to continue until the breach became public and was published in industry journals? The case is so recent that a lot of it is still in the courts, and responsibility is still to be determined. First American is likely to fight any court decision, as any acceptance of responsibility will cost them dearly.
What happened is the Insecure Direct Object Reference (IDOR) error. It's a common error that shows up regularly on penetration test reports, and it means that a link created to be seen only by specifically authorised persons can be seen by anyone who has it. There is no password or other check on who is asking, so whoever holds one link only has to work out the pattern behind it to reach all the other sensitive files stored in the system. In the case of First American, there is no way of knowing who saw the data or how many files were compromised. It might take years to learn.
Insecure Direct Object Reference (IDOR) errors are not uncommon, and they have to be fixed when found. Otherwise, stockpiles of sensitive data might just be sitting out in the open, waiting to be harvested by bots, hackers, and just about anyone whose loose morals and technical know-how make them take an interest in the profit that stolen data might bring.
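How an IDOR arises and how it is closed, as an added example that is not taken from the article or from First American: a sequential document lookup with no ownership check next to one that authorises every request. The document store, users and IDs are constructed sample data.

```python
"""Added example (not from the original article or First American): the
access-control gap behind an Insecure Direct Object Reference, shown as a
vulnerable document lookup next to a hardened one.  The store, users and
document IDs are constructed sample data."""


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


# Constructed sample store.  Sequential IDs mean that once one link has been
# seen, every other record's identifier is trivially predictable.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "alice mortgage statement"},
    1002: {"owner": "bob", "body": "bob tax record"},
    1003: {"owner": "alice", "body": "alice wire instructions"},
}


def fetch_document_vulnerable(session_user, doc_id):
    """IDOR: the caller's identity is known but never consulted, so the
    identifier in the link is the only thing standing between any visitor
    and the record."""
    return DOCUMENTS[doc_id]["body"]


def fetch_document_hardened(session_user, doc_id):
    """Authorise on every lookup: the record must belong to the caller.
    Missing and forbidden records raise the same error so that probing a
    range of IDs does not reveal which ones exist."""
    record = DOCUMENTS.get(doc_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"document {doc_id} not available")
    return record["body"]


def count_reachable(fetch, session_user, id_range):
    """Defender's check: how many records in id_range one user can pull.
    Run it against both lookups to make the exposure measurable."""
    reachable = 0
    for doc_id in id_range:
        try:
            fetch(session_user, doc_id)
            reachable += 1
        except (KeyError, Forbidden):
            pass
    return reachable
```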
Reason – Poorly protected passwords, outdated security protocols and algorithms, poor data protection policy
Year – 2016
Records Affected – 412.2 Million
Cost – Unknown
Error – Weak SHA-1 hash algorithm password protection (or no protection at all)
FriendFinder Networks Inc. had 6 databases that were breached – to the horror of the adult conglomerate's users who hoped to remain anonymous. As usual, the leak was first publicised not in a private email to users, but by a researcher on Twitter – with screenshots to prove a data breach.
The surprising thing was that a large portion of the data collected from FriendFinder Networks was clearly marked for deletion, with the records having an "rm_" next to them (removal marker) or email addresses clearly meant for deletion, like email.address@address.com@deleted1.com. This means that there was no "clean up" done in these servers, and some files that should have been long gone (and most importantly, users thought long gone) were still sitting in dusty corners of the servers, like overflowing wastebaskets left by a careless housekeeper. Overall, this particular wastebasket had over 15 million deleted accounts as well as logins for sites long sold to other people (Penthouse.com).
The news of this breach was probably extra worrisome for people whose email addresses ended with .gov (5,650) and .mil (78,301).
What sealed their fate was weak password protection. Some user passwords weren't protected at all and were stored in plaintext; others were hashed using SHA-1, which was already known to be very weak.
While some data breaches may come as a surprise, keeping your records clean might prepare you for the unexpected. If you're in charge of millions of people's sensitive data, it's also a good idea to use the newest and most secure technology to prevent data breaches. Good record-keeping (including deleting data) is also a core component of GDPR compliance. Organisations should treat users and their data with the respect they deserve – after all, they trust you to keep their information secure, especially in a sensitive niche like dating and adult webcam access!
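Why an unsalted SHA-1 password store fails and what a salted, deliberately slow hash changes, as an added example that is not from the article or from FriendFinder Networks: a defender's audit of a leaked SHA-1 table against a small wordlist, beside PBKDF2-HMAC-SHA256 storage and verification. The accounts, passwords and wordlist are constructed sample data.

```python
"""Added example (not from the original article or FriendFinder): unsalted
SHA-1 versus a salted, slow password hash.  Accounts, passwords and the
wordlist below are constructed sample data."""
import hashlib
import hmac
import os

# Constructed sample: three accounts, two of them sharing a common password.
USERS = {"ann": "summer2016", "ben": "summer2016", "cat": "Tr0ub4dor&3"}

# A tiny stand-in for the wordlists that get precomputed against fast hashes.
COMMON_PASSWORDS = ["123456", "password", "summer2016", "qwerty"]


def sha1_store(password):
    """The weak scheme: one fast, unsalted SHA-1 digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1_store(leaked):
    """Defender's audit of a leaked {user: sha1_hex} table.  Without a salt,
    one precomputed table reverses every digest it covers, and every user
    sharing a password falls at the same time."""
    table = {sha1_store(p): p for p in COMMON_PASSWORDS}
    return {user: table[d] for user, d in leaked.items() if d in table}


def pbkdf2_store(password, salt=None, iterations=600_000):
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 with a random
    16-byte salt.  The record carries its own parameters so the iteration
    count can be raised later without breaking existing accounts."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)
```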
Reason – User data was too easily accessible on public profiles, leading to the possibility of being collected by bots
Records Affected – 267 million
Error – Security hole in Facebook's API
This is another example of data sitting out for weeks before the data breach is discovered. Meanwhile, the user IDs, phone numbers, and names of hundreds of millions of users were left out in the open. It meant anyone could use it for further attacks and scams. What's worse, this data was posted on a hacker forum free for the taking. Facebook looked into the matter and decided that this wasn't in fact a breach at all – but a mass scraping of data that had been publicly available before security measures were put into place.
While we trust in large companies like Facebook to guard our personal data, we must also remember that data breaches might come as an organised mass attack on data that we make public on such social platforms. Always read the privacy notice and what you're agreeing to share when you sign up for a platform like Facebook, LinkedIn, or Twitter. Who is going to have access to your data? Who is going to be authorised to use it? While your phone number, name, or email might not be of significance to your uncle Jerry when he's looking at your profile, and you may post it so people can contact you – it can do a whole lot of harm when it falls into the hands of those who know how to use personal information against you.
Let's remember that the election-swaying Cambridge Analytica scandal wasn't caused by a data breach – if it were, it would have been the greatest data breach in history. Instead, it was caused by millions of people unknowingly yet legally giving their personal information to people with malicious intent.
Reason – Marriott International failed to check basic cyber safety after purchasing another hotel brand – and failed to discover an ongoing problem
Records Affected – 339 million
Cost – Fined $23.98 million in the UK
Hotel guest names, contact information, and even passport details might have gotten out – and what's worse – have been out over a period of four years. The first cyber attacks on Marriott happened in 2014 and were only discovered in 2018. The first target was the Starwood Hotels Group, and you can say that Marriott acquired the problem when they acquired Starwood in 2016. That being said, they had plenty of time to do a deep safety audit – and by not doing so, they failed to do enough to protect their guests.
The biggest problem was that the cyber attacks were a known problem – but Marriott never investigated them thoroughly enough. The breach of customer data at Marriott International is one of the largest in the hotel industry. Hotels are especially sensitive businesses to run when it comes to data protection because they often gather large amounts of very personal details about their clients.
These days, when becoming a partner or an owner of an existing business, you have to check out every part of it – and cyber security due diligence is just as important as checking the physical assets, bank accounts, and tax records of your new venture.
In the end, when you look at the biggest data breaches that happened in the last decade, the reasons always seem to revolve around preparedness, ignoring the newest technology, and human error. There are several ways to prevent breaches like this, and lessons we can learn from the past. Some precautions we can take personally are:
We hope that we gave you enough insight into the causes of the biggest breaches in history – and hopefully, you can rest easier knowing that they can be prevented or at least deterred.
Emma is a Marketing Executive who has a keen eye for researching and writing interesting articles about business security.