A Look Back at the Biggest Data Breaches in 2023: a Cautionary Tale for All Businesses
No matter the size of your company or institution, you’ll need to be aware of the responsibilities that come with storing and handling data, both from a legal perspective and a reputational and financial position.
Failing to implement adequate data handling protocols, as well as cyber security measures, can lead to data breaches, leaving your business in an incredibly challenging position.
In this article, we will discuss some of the biggest data breaches of 2023, including Capita, Arnold Clark, the PSNI/UK Police data breach, and the University of Manchester NHS data breaches.
All of these data breaches are notable due to their scale and wide-reaching impact, as well as the repercussions that show the level of damage, both financially and otherwise, that a business or institution can endure if they do not have robust cyber security and data protection measures in place.
Capita Data Breach
In March 2023, leading provider of business process services, Capita, became the victim of a significant cyber-attack.
The attack was carried out by notorious ransomware group Black Basta, who exploited Capita’s Office 365 software. The group were able to access the personal data of Capita employees, and approximately 90 of the company’s clients, including Hanson Cement, the Environment Agency, Marks and Spencer and British Coal.
The data that was accessed and stolen included names, dates of birth, national insurance numbers, and retirement information.
How much did the Capita cyber-attack 2023 cost?
It has been reported that the cyber-attack has cost Capita around £25 million, though this does not include compensation costs or fines related to the incident.
Unfortunately, even this substantial figure does not paint an accurate picture of the wide-reaching damage and impact. According to sources at The Guardian, ‘The company’s shares fell by more than 12%’ once details of the attack had been released.
How did Capita respond to the cyber-attack?
In discussion of the cyber-attack, Capita released a statement explaining that the data had been recovered. A Capita representative explained that the company has, ‘taken further steps to ensure the integrity, safety and security of its IT infrastructure to underpin its ongoing client service commitments.’
In the aftermath of the attack, Capita’s Chief Executive Jon Lewis made the decision to step down from his role, considering the widespread damage, both financially and in a reputational sense.
Arnold Clark Data Breach
In December 2022, car dealer Arnold Clark experienced a ransomware attack whereby an unauthorised third party accessed the personal data of over 10,000 customers. The data exposed the customers' names, contact details, and dates of birth, as well as identity documents, bank details, national insurance numbers, and vehicle information.
On extracting the data, the ransomware group known as Play posted the stolen customer data on the dark web. In the weeks and months that followed, numerous victims began to report evidence of identity theft attempts, as well as instances of successful fraud.
In a statement on their website, Arnold Clark explained their efforts to protect those affected, by continuing to offer safeguarding and guidance, supported by their partners at Experian.
How much did the cyber-attack cost Arnold Clark?
Though it is currently unconfirmed how much the attack has cost Arnold Clark, recent reports concerning legal action suggest that the company could be left paying millions in damages to customers.
How many people were impacted by the Arnold Clark cyber-attack 2023?
According to research from Computer Weekly, ‘more than 10,000 people who had their data stolen have signed up to group legal action after facing elevated amounts of fraud.’ It is believed that the incident may become, ‘one of the largest group action law suits yet seen in the UK.’
How did Arnold Clark respond to the cyber-attack 2023?
Sources at the BBC indicated that Arnold Clark took steps to improve security measures following the attack. The company have reportedly rebuilt their computer infrastructure, creating, ‘a segregated environment, which prevents hackers who successfully breach one part of the network from being able to access other parts of the company's systems.’
It is evident that, unless businesses put robust cyber security measures in place, they could be left in an incredibly vulnerable position. Circumstances such as these can jeopardise the future of a business, both financially speaking and in terms of company image.
As a result of this cyber-attack, Arnold Clark have left a large number of individuals incredibly vulnerable to identity theft and fraud, which could have an incredibly damaging impact on their future financial health and personal wellbeing.
PSNI and UK Police Force Data Breach
In August 2023, the Police Service of Northern Ireland experienced a significant data breach. The personal data of approximately 9,500 police officers and PSNI employees was mistakenly posted on a public website. The error was the direct result of a Freedom of Information request.
Information that was leaked included the initials, surnames, work location, departments and grade or rank of police officers and staff.
What caused the PSNI data breach 2023?
In a detailed report on the PSNI data breach, commissioner of the City of London Police Pete O’Doherty explained that the data breach was not caused by a single isolated action by a department, team, or person. He claimed that, ‘it was the consequence of many factors, and fundamentally a result of [the] PSNI not seizing opportunities to better and more proactively secure and protect its data.’
Why was the PSNI data breach 2023 so concerning?
The commissioner’s PSNI report revealed that many police and staff members feared for their safety and that of their family, and that over 4,000 people had contacted the PSNI threat assessment group since the data leak. The information showed that many even felt that it was necessary to relocate from their homes.
It is clear that, unless institutions take steps to implement strong online security protocols, they could be compromising the personal safety of their staff.
University of Manchester/NHS Data Breach
In June 2023, the University of Manchester’s systems were accessed without authorisation. Hackers managed to steal personal data, threatening to sell this on the black market, unless their demands were met. The stolen data included information such as dates of birth, university ID numbers and contact details.
How many people were affected by the University of Manchester/NHS data breach 2023?
The University stores information on 1.1 million NHS patients, for the purposes of research, and the hackers were also able to access this data. Research from Digital Health suggested that approximately 250 gigabytes were accessed.
The fact that personally identifiable data was stolen is incredibly concerning, particularly where this data includes medical information.
How did the University of Manchester respond to the 2023 cyber-attack?
In the aftermath of the attack, students were advised to be vigilant by resetting passwords, looking out for suspicious activity, and ensuring that software is up to date.
The University planned to improve their data handling and cyber-security processes, ensuring that their data is more robustly protected now and in the future.
The impact of data breaches on businesses and individuals
As we’ve seen from these data breaches, the impact upon a business can be incredibly damaging.
Failing to put robust data and cyber security measures in place can leave companies in financial ruin, as well as facing reputational damage. Incidents such as these can put their customers and individuals at risk of identity theft, fraud, and even physical harm.
As we move into 2024, companies are well advised to review their current data protection and cyber security measures to safeguard themselves, as well as their clients and customers.
Looking to 2024, Hayes Connor Recommends
In 2024, we recommend that companies look to avoid data breaches by implementing and considering the following:
- Detailed security awareness training for all staff
- Identification of phishing scams
- Protocols to prevent data leaks, as well as robust data leak response plans
- Ensure that all vulnerabilities are identified, including in all software
- Continue to invest in robust antivirus and malware software
Most importantly, we recommend that businesses educate themselves regarding the predicted data breach trends in 2024.
Many businesses are currently using AI tools to support their processes and efficiency. Unfortunately, in 2024, we expect that AI will be responsible for a growing number of data breaches. With this in mind, companies should be especially cautious when using AI tools, seeking advice from data and security experts where possible.
How can Hayes Connor help?
If you have been the victim of a data breach, we appreciate that this can be an incredibly stressful situation to be in. If these are your circumstances, you may have the opportunity to seek compensation.
At Hayes Connor, our specialised solicitors have extensive experience in handling data breach claims. We offer clear support and guidance on the steps to take if your data has been compromised.