While some locations and organizations tend to be more at risk of a cyberattack or other security incidents involving data, it’s critical for all companies to consider the cyber threat landscape. Hackers are increasingly prolific and use increasingly advanced techniques and technology to perpetrate data breaches.
With data breach reporting, everyone can keep up-to-date with cyber risks, learn from errors committed by others, and maintain robust security measures to protect sensitive information, such as personally identifiable information (PII), medical records, or financial details. This post will examine some of the biggest data breaches to affect businesses in the United Kingdom.
The Biggest UK Data Breaches Ranked by Impact
The following list comprises the biggest data breaches in the UK ranked by impact (typically by the number of records or customers affected), including the type of sensitive data compromised, and an examination of how the data breach or cyber incident occurred.
1. Dixons Carphone
Date: July 2017 – April 2018
Impact: 14 million personal records and 5.6 million payment card records
Dixons Carphone (now Currys) is a major British electronics and telecoms retailer and services provider that runs a number of UK outlets, including Currys PC World and Carphone Warehouse. In July 2017, hackers gained unauthorized access to about 10 million personal records and almost 6 million payment cards, affecting almost 14 million customers, by installing malicious software on over 5,000 tills at locations across England.
Personal information that was compromised included:
- Customer names
- Physical addresses and zip codes
- Email addresses
- Failed credit checks
- Credit card numbers
What worried many people most about this breach is that Dixons Carphone took so long to report the extent of the data security failure. In June 2018, almost a year after the data breach started, the company said about 1.2 million personal records had been affected. Then, just a month later, in July 2018, it admitted that almost ten times that number had been compromised.
In the case of the payment cards, the firm claimed that the vast majority were protected by the chip and pin 2FA system. Although nearly 100,000 non-EU cards didn’t have that protection, Dixons Carphone reported finding no confirmed evidence of fraud relating to customers.
The Information Commissioner’s Office (ICO) launched an investigation that found the data of 14 million customers had been compromised between July 2017 and April 2018. The source, it said, was malware installed on 5,390 cash desks at Dixons Travel and Currys PC World stores.
The ICO fined Dixons Carphone £500,000 (about $607,000) for “systemic failures” that left its security measures inadequate, including insufficient security testing and software patching. Carphone Warehouse, a subsidiary of Dixons Carphone, had been fined £400,000 just a year earlier for similar vulnerabilities that the company had failed to patch, which contributed to the maximum £500,000 fine this time.
Dixons apologized to its customers but suffered a severe loss of customer trust. Declining profits led to the closure of about 100 Carphone Warehouse stores within a year. The Carphone Warehouse part of the business closed its doors for the last time in 2020 due to this massive data breach and market-related challenges. In 2021, the company was permanently rebranded as Currys following a series of subsequent company-wide missteps and fines.
2. Equifax
Date: 2011–2016
Impact: Around 15.2 million UK customer records.
In 2016, major credit monitoring firm Equifax suffered a breach affecting more than 15 million UK customer records that were accessed over five years, including sensitive data of about 700,000 UK customers. The total impact of the data breach was around 145 million people, affecting customers based mostly in the US.
For UK customers, unauthorized access included:
- Around 10,000 credit card numbers
- About 30,000 driving license details
In addition, hackers compromised almost 15,000 customers’ email addresses, phone numbers, and access credentials, including security questions.
According to Equifax, most of the exposed records did not pose a risk to British consumers. It proposed using proprietary and third-party risk-mitigation solutions to minimize the risk of criminal activity such as identity theft.
The cause of the data breach was traced back to a technician who failed to apply a security framework correctly, leaving the database vulnerable. Equifax was criticized for not responding promptly to evidence of human error and technological failures. In 2019, Equifax agreed to a massive settlement with the FTC for $575 million and the maximum fine under EU law of £500,000.
3. EasyJet
Date: October 2019 – March 2020
Impact: 9 million customers and 2,200 credit card details
In May 2020, EasyJet discovered that a data breach had allowed access to 9 million customer records. The breach affected customers that booked flights with the airline between October 17, 2019, and March 4, 2020.
While EasyJet became aware of the breach in January 2020, the firm did not release information to the public until May, saying only that it had been a highly sophisticated attack and that the hackers were more likely to have been targeting intellectual property than customer data.
The airline’s forensic investigation found that hackers accessed the credit card details of 2208 customers. Aside from this subset of customers, cybercriminals did not access other credit card details or passport numbers. Furthermore, the security team found no evidence of misuse of personal information.
However, by May 2020, Action Fraud, the UK cybercrime reporting agency, had received 51 credit card fraud reports that stemmed from the EasyJet security breach. Currently, the UK ICO is investigating the incident, and EasyJet could face fines of up to 4% of the airline’s 2019 turnover of £6.3 billion.
4. The National Health Service (NHS)
Date: July 2011 – July 2012
Impact: Over 1.8 million health and employee records
The NHS is a publicly funded healthcare system in England, one of four major systems in the UK. Quantifying the impact of data breaches on the NHS is complex because it comprises so many healthcare organizations. However, the series of breaches was one of the largest to affect the healthcare industry in the UK.
The NHS data breach was the result of 16 major breaches and data leaks from NHS healthcare entities during the year leading up to July 2012. The security breaches took place across multiple units of the National Health Service, including:
- Central London Community Healthcare NHS Trust
- Belfast Health and Social Care Trust
- Torbay Care Trust
- NHS Surrey
- Brighton and Sussex University Hospitals NHS Trust
Central London Community Healthcare NHS Trust
The ICO fined Central London Community Healthcare NHS Trust £90,000 for violating the Data Protection Act. The Pembridge Palliative Care Unit repeatedly faxed patient lists to an incorrect recipient during three months in 2011, sending 45 faxes in total and compromising the sensitive information of 59 individuals, including:
- Medical diagnoses
- Domestic situations
- Resuscitation instructions
Belfast Health and Social Care Trust
This data breach was caused by sensitive patient information left accessible at Belvoir Park Hospital. The mistake happened when six local trusts were merged, and BHSC became responsible for over 50 sites.
When criminals physically broke into Belvoir Park Hospital in 2010, they photographed and uploaded patient and staff records, some dating back to the 1950s. Despite the hospital enhancing physical security, another physical data breach occurred in April 2011.
The compromised data comprised thousands of patient and staff records, including:
- Medical records
- Scans of lab results
- X-rays
- Staff information, including unopened payslips
The ICO’s investigation determined that the Trust did not take adequate steps to secure information and fined the hospital £225,000. Furthermore, the Trust implemented a policy of destroying unneeded records.
Torbay Care Trust
Torbay Care Trust was fined £175,000 when it accidentally published a spreadsheet containing the personal information of over 1000 NHS employees online, including:
- Names
- Birth dates
- Salaries
- National insurance ID numbers
Although no patient data was directly compromised, the ICO viewed the incident as a major failure of security policies due to a lack of guidance for staff and no system of checks to identify data leakage.
NHS Surrey
NHS Surrey was fined £200,000 by the ICO after over 3,000 patient records were discovered online. The security breach was the result of secondhand NHS computers that had been auctioned off on eBay, which the data and hardware destruction company had failed to wipe properly. The ICO also found three additional NHS computers containing sensitive patient information, all of which had been sold online.
Responsibility still lay with NHS Surrey, which had failed to monitor its third-party service provider and check that records had been properly destroyed. The service provider offered free destruction services in exchange for salvaged parts but had failed to destroy the hard drives containing the sensitive information.
Brighton and Sussex University Hospitals NHS Trust
Brighton and Sussex University Hospitals NHS Trust received the largest ICO fine of the NHS data breaches, £325,000, when it was discovered that hard drives containing tens of thousands of patient records had been sold online. Sometime between October and November 2010, 252 hard drives were auctioned off and sold on eBay, containing information including:
- Patient medical conditions
- Disability records
- Disability living allowances
- Children’s patient reports
In a similar situation to NHS Surrey, Brighton and Sussex University Hospitals NHS Trust had contracted a hardware destruction company to dispose of the hard drives, which it failed to do. The hospital claimed it could not afford the fine and appealed the ICO’s decision. However, it lost the appeal and settled on a reduced fine of £260,000.
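Both the NHS Surrey and the Brighton and Sussex cases turned on drives a contractor had promised to destroy but had not. One check an owner can run before hardware leaves its control, written here as an added example rather than any trust’s or the ICO’s own procedure: read the drive (or an image of it) block by block and report any block that is not zero-filled and any recognisable file header that survives. The sample image, its planted fragments, the block size and the signature list are all constructed for the example; a random-pattern wipe would need the pattern checked instead of zeros.

```python
import io

# File headers that should never survive a wipe. On a raw disk they can sit at
# any offset, so every block is searched rather than only file starts.
SIGNATURES = {
    "PDF": b"%PDF",
    "JPEG": b"\xff\xd8\xff",
    "ZIP/Office": b"PK\x03\x04",
    "DICOM": b"DICM",   # medical imaging: 128-byte preamble, then "DICM"
}

def verify_wiped(source, block_size=4096):
    """Scan a raw disk image (bytes or a binary stream) for data surviving a zero-fill wipe.

    Returns a report listing non-zero block indexes and the absolute offsets of any
    known file signatures. A signature straddling two blocks is not detected here.
    """
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    report = {"total_blocks": 0, "nonzero_blocks": [], "signatures": {}}
    index = 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        if any(block):  # at least one non-zero byte: the wipe did not cover this block
            report["nonzero_blocks"].append(index)
        for name, magic in SIGNATURES.items():
            pos = block.find(magic)
            while pos != -1:
                report["signatures"].setdefault(name, []).append(index * block_size + pos)
                pos = block.find(magic, pos + 1)
        index += 1
    report["total_blocks"] = index
    return report

def is_sanitised(report):
    """True only when no block holds data and no file header was found."""
    return not report["nonzero_blocks"] and not report["signatures"]

def build_sample_image(block_size=4096, blocks=16):
    """Constructed 64 KiB image: a zeroed drive with two leftover fragments planted."""
    image = bytearray(block_size * blocks)
    pdf = b"%PDF-1.4 patient discharge summary"          # constructed fragment
    image[block_size * 3 + 10: block_size * 3 + 10 + len(pdf)] = pdf
    dicom = bytes(128) + b"DICM"                          # constructed DICOM header
    image[block_size * 7: block_size * 7 + len(dicom)] = dicom
    return bytes(image)

if __name__ == "__main__":
    report = verify_wiped(build_sample_image())
    print("sanitised:", is_sanitised(report))
    print("blocks with data:", report["nonzero_blocks"])
    print("file headers found:", report["signatures"])
```

Against a real device, pass an open file object for the block device (read access to it requires appropriate privileges) and a larger block size.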
5. Virgin Media
Date: March 2020
Impact: 900,000 customers
Following a data breach of broadband provider Virgin Media, the personal data of 900,000 customers was accessed without authorization and remained compromised for around ten months. While customer passwords were not compromised, data that was used for marketing purposes was exposed, which included:
- Customer names
- Home addresses
- Email addresses
- Phone numbers
- Device type
- Subscription type
The data leak occurred through a database misconfiguration by an employee who failed to follow proper procedures. Virgin Media quickly discovered the breach and shut down all related databases containing the leaked information.
Following the incident, Virgin Media reportedly faced a class-action lawsuit of nearly £4.5 billion, or around £5,000 for each of the 900,000 affected customers.
6. JD Wetherspoon
Date: June 2015
Impact: Over 650,000 customers
High-street pub chain JD Wetherspoon found that there had been a data breach in December 2015, about six months after the breach took place. It is believed that a Russian group was behind the attack, hacking the chain’s old website for payment card details.
The stolen data included the following:
- Dates of birth
- Email addresses
- Phone numbers
- Last four digits of payment cards
The cybercriminals uploaded the customer details to the dark web, intending to sell them. Fortunately, the business said that the limited card payment details compromised could not be used to commit fraud. JD Wetherspoon officials said that they had taken so long to detect the data breach only because a third-party company hosted the website.
JD Wetherspoon ultimately was not fined by the ICO, and CEO John Hutson reiterated that adequate steps had been taken to secure data on the main domain and that no customers had been compromised.
7. British Airways
Date: June 2018 - September 2018
Impact: 500,000 payment card details
In 2018, British Airways suffered a data breach that compromised the payment card information of almost 500,000 customers. The attack originated from the British Airways website, leading to the theft of customer data through a third-party payment service. Cybercriminals diverted user traffic from the official British Airways website to a fraudulent site where they harvested data, compromising about 500,000 customers.
The regulator’s investigation uncovered weak security measures that left sensitive data inadequately protected, including:
- Access credentials
- Name and address information
- Payment card information
- Travel booking details
The ICO intended to fine British Airways £183.4 million, the equivalent of 1.5% of its global turnover in 2017. Many considered this lenient considering the General Data Protection Regulation (GDPR) authorizes regulators to fine violators as much as 4% of their annual global turnover. However, after considering the company’s testimony and the economic damage of COVID-19, the ICO agreed to reduce the fine to £20 million.
This is still the largest fine ever issued by the ICO for a GDPR violation. Additionally, many customers had to cancel their credit cards after the incident, and British Airways offered to compensate those financially affected by the data breach.
8. Wonga
Date: April 2017
Impact: Up to 270,000 customer records
The UK’s largest payday loan company, Wonga, suffered a data breach in 2017 that compromised the data of up to 270,000 of the firm’s millions of customers. This is one of the UK’s biggest data breaches involving financial information. The breached data of past and present customers included:
- Customer names
- Bank account numbers
- Sort codes
- The last four digits of bank cards
Wonga officials said the data breach affected about 245,000 UK customers and 25,000 from Poland. Following a series of poor business practices, Wonga ultimately fell into administration, which meant the shutdown and closure of the company.
9. Three Mobile UK
Date: November 2016
Impact: 130,000 customer records
Telecom and internet service provider Three suffered a data breach in 2016 when cybercriminals gained unauthorized access to the firm’s upgrade database using an employee’s access credentials. The goal was to falsely approve phone upgrades for customers and attempt to steal the device upgrades before they reached their destination.
According to a company spokesman, cybercriminals accessed over 130,000 customers’ personal details to make fake smartphone upgrades. The fraudsters are believed to have ordered phone upgrades for over 400 customers and intercepted the phones before they arrived.
Financial details remained uncompromised during the hack, but the cybercriminals were able to access the following personal data:
- Customer names
- Phone numbers
- Dates of birth
- Home addresses
Ultimately, three individuals were arrested in connection with the security breach and device fraud.
10. TalkTalk
Date: October 2015
Impact: 157,000 records
The TalkTalk data breach was an attack that occurred in 2015, resulting in over 157,000 records being exposed, including financial data from over 15,000 bank accounts. In addition, hackers acquired:
- Customer names
- Addresses
- Dates of birth
- Email addresses
- Phone numbers
- Credit card information
- Bank details
Fortunately, the card numbers were obscured, making them unusable in that form.
The attack occurred after TalkTalk acquired Tiscali’s UK operations, which gave hackers the opportunity to access the database by exploiting known SQL injection vulnerabilities.
The ICO investigated TalkTalk’s compliance with the Data Protection Act and issued a massive £400,000 ($510,000) fine out of a maximum of £500,000. It concluded that the firm had failed to implement basic security measures that could have prevented the data breach and properly protected customers’ personal data. Additionally, TalkTalk revealed that the cyber attack had cost the company more than 100,000 customers and £60 million ($76 million) spent on mitigating the data breach.
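The “basic security measures” the ICO had in mind for an injection flaw are, above all, never letting user input become part of the SQL text. The pair below, added here as an illustration and not TalkTalk’s code, shows a customer lookup built by string concatenation beside the same lookup using a bound parameter; the in-memory table, its rows and the column names are constructed for the example.

```python
import sqlite3

def build_demo_db():
    """In-memory customer table with constructed rows (not real TalkTalk data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT, name TEXT, sort_code TEXT, account TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        ("alice@example.com", "Alice", "00-00-01", "00000001"),
        ("bob@example.com", "Bob", "00-00-02", "00000002"),
    ])
    conn.commit()
    return conn

def lookup_vulnerable(conn, email):
    # BAD: the caller's string is spliced into the statement, so a quote inside it
    # ends the literal and whatever follows is executed as SQL. A value such as
    # "' OR '1'='1" turns a one-customer lookup into a dump of every row.
    sql = "SELECT name, sort_code, account FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, email):
    # GOOD: the statement is fixed and the value travels separately as a bound
    # parameter; the driver never interprets it as SQL syntax, so the same input
    # simply matches no row.
    sql = "SELECT name, sort_code, account FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    tampered = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tampered))   # every customer's bank details
    print("hardened:  ", lookup_hardened(db, tampered))     # []
```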
11. Interserve
Date: May 2020
Impact: 113,000 staff records
Interserve is a Berkshire-based construction company that suffered a data breach that exposed the personal data of 113,000 staff members. Cybercriminals gained unauthorized access through a phishing email when one employee forwarded an email to another who unwittingly downloaded malware. While the firm’s antivirus software quarantined the malware and raised the alarm, the company failed to investigate closely enough, allowing attackers to gain access to the company’s computer systems.
The attack led to 16 compromised accounts and 283 affected systems. The attackers also uninstalled the firm’s antivirus solution and encrypted the personal data of 113,000 staff members, including:
- Contact details
- Bank account details
- National insurance numbers
- Religion
- Ethnic origin
- Sexual orientation
- Disability information
- Health information
UK Information Commissioner John Edwards said in response to the incident, “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.”
Upon investigation, the ICO found that Interserve had violated a number of policies, including:
- Continued use of obsolete server operating systems
- Lack of information security training for employees
- Use of obsolete network protocols
- Poor privileged account management
- Poor incident response
Two years later, Interserve was fined £4.4 million for failing to enact adequate security policies and breaching data protection law. Additionally, the company went into administration due to a series of financial issues and bad business practices and was sold off and broken up among foreign companies. The Tilbury Douglas branch of the business formally broke off from Interserve and became its own construction company, with Interserve expected to fully shut down by 2024.
12. Camelot Group
Date: November 2016
Impact: 26,500 customer records
Camelot Group’s National Lottery website was targeted by cybercriminals in late 2016, accessing 26,500 out of 9.5 million customer records. In fewer than 50 cases, the hackers stole the same access credentials that customers used on other online services.
Compromised data included:
- Customer names
- Dates of birth
- Transaction histories
- Account preferences
- Last four digits and the expiry date of payment cards
Camelot was able to quickly suspend all affected accounts and worked closely with the NCSC to catch the criminals. The ICO assessed no fines after the incident.
13. Debenhams Flowers
Date: February 2017 – April 2017
Impact: 26,000 customers
Retailer Debenhams reported in April 2017 that 26,000 of its customers had had their personal data compromised through a third-party e-commerce company. Only Debenhams Flowers customers were affected, not Debenhams.com customers. The data that was compromised included:
- Names
- Addresses
- Payment details
The malware attack targeted the third-party e-commerce company Ecomnova and affected 26,000 customers over six weeks, an incident that could have been avoided with proper Third-Party Risk Management. Debenhams immediately shut down the Debenhams Flowers website and promptly contacted affected customers by email. It told them what had been done to mitigate the breach and advised them what they should do to protect themselves, intending to follow these emails with letters in the post.
Debenhams Flowers has not been fined and has worked quickly with Ecomnova to prevent fraudulent charges. In addition, it does not seem like data had been misused in the aftermath of the attack.
14. Travelex
Date: December 2019
Impact: 17,000 customers
On New Year’s Eve 2019, currency exchange firm Travelex suffered a data breach in the form of a ransomware attack — specifically, Sodinokibi — with cybercriminals locking employees out of their system and stopping currency transactions across the UK. In response, the firm shut down websites across 30 countries.
The hackers demanded around £5 million for the safe return of 5GB of stolen sensitive user data, including:
- Dates of birth
- National insurance numbers (social security numbers)
- Credit card information
The cybercriminals achieved the data breach by exploiting a vulnerability in the firm’s virtual private network (VPN), allowing them to gain unauthorized access without valid access credentials. They could also disable multi-factor authentication, as well as view logs and cached passwords.
Although the VPN vendor had addressed this vulnerability months before the attack, Travelex failed to apply the patch. It also failed to notify the ICO within 72 hours that there had been a breach posing a risk to people’s rights and freedoms, a failure that carries a penalty of 4% of the company’s global turnover.
The Peterborough-based firm paid more than £2 million in bitcoin of a demanded £4.6 million to the ransomware gang. Furthermore, it suffered four months of business interruption with the company taking down its site, affecting private customers and large business partners, including HSBC and Royal Bank of Scotland.
It was estimated that Travelex and its parent company, Finablr, lost roughly £25 million in the following quarter in Q1 of 2020 due to the cyber attack. Soon after, Travelex went into administration and underwent a complete company restructuring to reduce its debt.
15. Tesco Bank
Date: November 2016
Impact: 8,261 customers, £2.26 million stolen
British retail bank Tesco Bank was hit by cybercriminals in 2016, resulting in almost £2.26 million stolen from customer bank accounts. The bank’s attempts to limit the damage by acting quickly and freezing its online systems successfully thwarted over 80% of the attacks, but the hackers had already taken money out of over 8,000 accounts. It took the Tesco Bank fraud security team two days from the time the breach was noted to stop the attack.
Because there were thousands of attempts to make false transactions, the speculation is that the hackers generated authentic debit card numbers and attempted to make transactions that took money from customer accounts.
The Financial Conduct Authority (FCA) cited that Tesco Bank’s method of distributing debit card numbers was at fault — they issued debit card numbers in sequential order, which allowed the hackers to quickly generate new false debit cards based on the next number in the sequence.
The FCA also fined Tesco Bank £23.5 million for the incident, citing failure to respond quickly to the attack, using a faulty card distribution system, only blocking fraudulent credit card transactions and not debit cards, and utilizing a weak authorization system. Because Tesco Bank cooperated fully with the FCA and compensated customers fully, the fine was ultimately reduced to £16.4 million.
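Sequentially issued card numbers mean that an attacker who holds one valid number can guess its neighbours, and the thousands of attempts the FCA describes would show up in authorisation logs as bursts on adjacent numbers. The detector below, added as an illustration and not Tesco Bank’s or the FCA’s own logic, looks for runs of consecutive PANs within a short time window regardless of whether the card is debit or credit (the FCA faulted the bank for blocking only credit card transactions). The authorisation records, PANs, window length and run threshold are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed authorisation attempts (not real Tesco Bank data):
# (timestamp, PAN, card type, approved?)
SAMPLE_ATTEMPTS = [
    ("2016-11-05T02:00:01", "4000000000001001", "debit", True),
    ("2016-11-05T02:00:04", "4000000000001002", "debit", True),
    ("2016-11-05T02:00:06", "4000000000001003", "debit", False),
    ("2016-11-05T02:00:09", "4000000000001004", "debit", True),
    ("2016-11-05T02:00:11", "4000000000001005", "debit", True),
    ("2016-11-05T02:00:15", "4000000000001006", "debit", True),
    ("2016-11-05T09:30:00", "4000000000007777", "debit", True),   # ordinary customer
    ("2016-11-05T09:31:00", "4000000000001337", "credit", True),  # ordinary customer
]

def mask_pan(pan):
    """Alerts and logs should carry only the last four digits of a card number."""
    return "*" * (len(pan) - 4) + pan[-4:]

def longest_consecutive_run(numbers):
    """Return (start, length) of the longest run of consecutive integers in `numbers`."""
    present = set(numbers)
    best_start, best_len = None, 0
    for n in present:
        if n - 1 in present:          # only count from the first number of a run
            continue
        length = 1
        while n + length in present:
            length += 1
        if length > best_len:
            best_start, best_len = n, length
    return best_start, best_len

def detect_sequential_pans(attempts, window=timedelta(minutes=10), min_run=4):
    """Flag bursts of authorisation attempts on consecutively numbered cards.

    Each alert covers one run; every PAN in a reported run is remembered so
    overlapping windows do not raise the same run again.
    """
    attempts = sorted(attempts, key=lambda a: a[0])
    alerted, alerts = set(), []
    for i, (first_ts, _, _, _) in enumerate(attempts):
        start = datetime.fromisoformat(first_ts)
        in_window = [a for a in attempts[i:]
                     if datetime.fromisoformat(a[0]) - start <= window]
        run_start, run_len = longest_consecutive_run(int(a[1]) for a in in_window)
        if run_len < min_run or run_start in alerted:
            continue
        run_pans = {run_start + k for k in range(run_len)}
        alerted |= run_pans
        hits = [a for a in in_window if int(a[1]) in run_pans]
        alerts.append({
            "first_seen": first_ts,
            "first_pan": mask_pan(str(run_start)),
            "run_length": run_len,
            "card_types": sorted({a[2] for a in hits}),
            "approved": sum(1 for a in hits if a[3]),
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_sequential_pans(SAMPLE_ATTEMPTS):
        print(alert)
```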