10 of 2020’s Worst UK Cybersecurity Breaches, Hacks and Attacks

2020 has been an unprecedented year in human history in several different ways, as the COVID-19 pandemic has upended the very fabric of day-to-day life. 

One of the knock-on effects of the pandemic has been a huge uptick in cybercrime and cybersecurity breaches, as rising levels of fear and anxiety have made people more susceptible to things such as malware attacks, while a massive increase in remote working has seen the attack surface and potential for costly security lapses increase exponentially. 

As with the virus itself, the UK hasn’t been immune from such cybersecurity threats. In this piece, we’ll take a closer look at 10 of the most high-profile data breaches and cybersecurity attacks that have impacted UK companies and organisations in 2020. 

1 Easyjet

The airline industry was one of the first and hardest hit victims of COVID-19 this year, as international travel ground to a virtual halt as a result of the pandemic. As if that wasn’t enough, budget-airline EasyJet this year fell victim to a “highly sophisticated cyber-attack” that affected the data of around nine million of its customers. 

The airline first became aware of the attack in January, before confirming in May that customer details including email addresses and travel details had been accessed, while 2,208 of the 9 million impacted customers had their credit card details stolen. 

2 Manchester United

In November, Premier League giant Manchester United suffered a cyber-attack to its computer systems, which saw operations, including its staff email network, put out of action. The club declined to comment on the nature of the attack or who was behind it, but said that it was not aware of any fan data being compromised and that critical systems required to host matches at Old Trafford remained secure. 

However, at the time of writing, the disruption caused by the attack has been ongoing for well over a week, while rumours have begun to circulate that it may have been a ransomware attack and that the club may end up having to pay the attackers. 

3 Virgin Media

While the exterior threat of a cyber-attack is well known, sometimes mistakes made within an organisation can be just as damaging to cyber security and may ultimately prove to be more costly. 

One such incident that showed the potential danger of human error among staff was the Virgin Media data breach that hit the headlines earlier this year. 

In March, the company confirmed that a marketing database which contained the personal information, including phone numbers, email addresses and even home addresses, of around 900,000 people had been left unsecured and accessible online for 10 months.

The breach occurred after the database was “incorrectly configured” by a member of staff who simply failed to follow the correct procedures, the company said. While no passwords or financial details were on the database, the breach could still prove incredibly costly for the company, which is currently in the process of taking compensation claims from people who may have been impacted.

4 Sheffield City Council

In a similar case to Virgin Media, it was revealed this year that a Sheffield City Council database (containing the details of thousands of motorists and 8.6 million journeys on the city’s roads) was openly accessible online. 

The breach meant that the Automatic Number Plate Recognition (ANPR) system could be searched without a password. The database included information which could enable journeys to be reconstructed on a minute-by-minute basis. 

While Sheffield City Council and South Yorkshire Police said in a joint statement that “nobody came to any harm or suffered any detrimental effects” from the breach, it still led to widespread criticism of the council, both for the breach happening and for the fact that the council had harvested the information to begin with. 

5 British Airways

In October of this year, British Airways (BA) was issued with a £20 million fine by the Information Commissioner’s Office (ICO) for a data breach that impacted over 400,000 customers. The breach involved the theft of customer data, including log in information, payment card and travel booking details, and information regarding names and addresses. 

While the breach itself occurred in 2018, it is worth including in this list for two reasons. Firstly, the £20 million fine was a record penalty issued by the ICO. Secondly, the penalty in fact showed the ICO taking a more lenient approach in the light of COVID-19, having originally announced last year that it intended to issue BA with a £183 million fine. 

6 Bitcoin

In July of this year, Singapore-based intelligence company Group IB revealed that a global Bitcoin scam had compromised the data of close to 250,000 people from more than 20 countries, with over half (147,610) of those impacted being from the UK. 

Group IB said that it uncovered 248,926 sets of unique personally identifiable information. The scam involved a Bitcoin investment platform operating under at least six active domains and worked by contacting potential investors via SMS, sometimes utilising phishing messages or the name of a trusted media outlet. 

These messages contained a unique link taking the target to a website which, according to Group IB “already demonstrates their personal data, such as the phone number, first or/and last name, and sometimes an email address, and used for redirects to fake websites masquerading as a local media outlet.”

“The experts believe that the personal information info could have been obtained by fraudsters through a separate fraudulent scheme or simply bought from a third party.”

The scam would use fraudulent news stories, often about celebrities making successful cryptocurrency investments on the platform, to trick users into providing their data and paying a fee to activate a fake account. 

7 Advanced Computer Software

In May 2020, cybersecurity firm TurgenSec revealed that it had detected a data exposure at a database owned by Advanced Computer Software. 

The data exposure affected more than 190 different law firms that utilised Advanced Computer Software products. TurgenSec said the exposed data appeared to be “accessible to anyone with a browser and internet connection”.

Exposed data was said to include staff data, logins and passwords, along with personally identifiable information, including names, addresses and passport numbers.

8 Serco contact tracers

In another instance of a company mistakenly exposing data under its control, outsourcing firm Serco apologised in May after accidentally sharing the email addresses of around 300 staff who were working for the firm as COVID-19 contact tracers. 

Serco made the error when emailing new trainee contact tracers about its training program. The email told trainees not to contact the company help desk for training details. However, the company put the email addresses of recipients in the CC, rather than blind CC (BCC), section of the email, meaning that all email addresses were clearly visible to every recipient.

9 Blackbaud

Many UK charities, universities and other organisations were hit this year by a breach on the cloud platform of developer Blackbaud. The company offers a service used by such organisations to raise donations. In the attack, data including passwords of users and even bank account information was compromised. 

According to the Information Commissioner’s Office, 166 UK organisations were impacted, including National Trust, the University of Birmingham and the Labour Party. The US-based company disclosed the attack in July, saying that it had taken place in May and that the company had paid a ransom to the attackers, who they believe subsequently destroyed the stolen data. 

10 Boots Advantage Card

In March, pharmacy chain Boots suspended payments from its loyalty points scheme Advantage Card, following an attack by hackers.

According to Boots, its own systems weren’t compromised, but attackers had attempted to access customer accounts utilising reused passwords from other sites – a technique known as “password stuffing”. The company said that less than 1 per cent of the Advantage Cards’ 14.4 million people – fewer than 150,000 people – were affected and no credit card information was compromised. 

Jake Moore of internet security firm Eset said that the attack, and an earlier attack on Tesco’s Clubcard system that impacted 600,000 customers, showed the problem of password reuse. 

Moore said: "These lists of passwords can be easily found on the dark web for very little, or even free. It would be a good idea for people to check they have implemented two factor authentication on each of their accounts as this makes the password stuffing attack that much harder.”

“My further advice is to use a password manager to store your uniquely different passwords robustly online so you don't have to remember them all.”