April 8, 2016, updated 05 Sep 2016 11:30am

National Childbirth Trust hit by major data breach – When will companies learn that no data is safe from hackers?

Analysis: Hackers do not discriminate. They want data, any data.

By Ellie Burns

15,000 new and expectant parents have become the latest victims of a data breach, following a hack on the National Childbirth Trust (NCT) which left email addresses, usernames and passwords compromised.

The NCT, a London-based charity which supports hundreds of thousands of new and expectant parents, said that no other information had been compromised, bar the email addresses, passwords and usernames of 15,085 users. Confirming the breach to the BBC, the NCT said:

"NCT has suffered a data breach which, regrettably, has caused some users of our website to have their registration details compromised. These details are limited to their email address, username and an encrypted version of the password that they created to register on the site.

"We stress that no financial or personal details are held as part of this data so no financial or personal details have been accessed."

After discovering the breach on Wednesday 6 April, NCT contacted all affected users, detailed the breach and advised them to change their passwords and usernames.

This is just the latest data breach to go public – this year alone we have seen UK organisations such as Ofcom and the University of Greenwich targeted by hackers and, of course, the biggest data leak in history has come to light in the form of the high-profile Panama Papers.

Then of course we have the infamous, and very recent, incidents concerning TalkTalk, VTech, Sony, Ashley Madison, the United States Office of Personnel Management, Paysafe, LastPass, AT&T, Anthem, Target – the list, unfortunately, only gets longer.

As data breaches quickly become the crisis du jour, it might be easier to list companies which haven’t been breached.

However, we can learn something from the long list of data breach victims. They span different industries – charity, telecoms, finance, government – but all have one thing in common: data. This tells us that all data is fair game for hackers and cyber criminals, as Eduard Meelhuysen, VP EMEA at Netskope, said:

"The recent data breach reported by the National Childbirth Trust (NCT) reveals the extent to which criminals search for any vulnerable information. Although the charity has confirmed that no personal or financial information was accessed, over 15,000 expectant parents have now had their email addresses, usernames and passwords compromised. Just one in a seemingly never-ending chain of incidents."

The question is, how many more data breaches have to happen, and how much more personal and sensitive data has to be stolen, for companies to wake up to the fact that passwords and existing security are no longer enough?
We know the minimum cost of a data breach to be upwards of £1.2m, and companies know that they are ethically and legally bound to protect user data. Yet still, businesses are holding their reputation, finances and customer data to ransom by not ensuring top-level security.

James Romer, Chief Security Architect at SecureAuth, said: "For too long organisations have relied on passwords as the single form of access control and it is simply not strong enough, nor adequate to protect vital applications and data.

"If organisations haven’t yet learnt this from the many data breaches from the past year, then the news that The National Childbirth Trust has suffered a data breach, compromising email addresses, usernames and passwords should be a hefty reminder that businesses need to stop deploying such a minimal approach to authentication and take note that if they have something valuable, they are at risk from attacks.

"Organisations must strengthen their defences against cyber adversaries by employing cutting edge adaptive authentication. By layering multiple methods such as device recognition, analysis of the physical location of the user, or even by using behavioural biometrics to continually verify the true identity of the end user, not only will the customer maintain a simple user experience, it also makes stolen credentials completely worthless."

I do recognise, however, that cyber security has no simple answers. Insider threats and social engineering, multiple devices, malware, phishing – these are just some of a long list of threats and hacker tools which need to be considered when any company tackles security.

However, companies must start taking steps to assess the risk, understand the identified risks to their business, and start building and deploying robust plans to minimise the chances of a cyber attack or data breach. I say minimise, not stop, as no organisation is immune from attack – as we know from recent cyber attacks and the NCT data breach, all data is fair game for hackers no matter the consequences for the victims.

"This latest attack against the NCT highlights that today’s IT criminals bear no consideration for the victims who ultimately bear the brunt of their illegal cyber handiwork – be that through financial loss, reputational damage or mental distress," said Richard Beck, Head of Cyber Security at QA.

"The sad truth is that the onslaught of cyber attacks is pretty much unstoppable. That said, organisations can defend themselves by training their staff and ensuring they have robust plans in place to minimise the chances of a cyber attack including an agreed – and rehearsed – plan of action."

 
