HM Revenue & Customs, 2007
Perhaps the most serious data breach involving UK citizens. A junior worker at HM Revenue and Customs copied child benefit data relating to 25 million people in the UK onto two CDs and put them in the post to the National Audit Office (NAO).
The discs were not sent via recorded or registered mail. They didn’t arrive and their whereabouts as never been established. The discs contained name, address and date of birth information, alongside National Insurance numbers and, in some cases, personal bank details, although at the time police said there was no evidence the data had fallen into the wrong hands. The data was password-protected but not encrypted.
Senior HMRC management were only informed of the loss three weeks after the CDs were sent and the then Chancellor and Prime Minister, Alistair Darling and Gordon Brown, were told two days later. An investigation was launched and a full search of HMRC property took place. Darling went public with the news just over a month after the CDs went missing. HMRC boss Paul Gray resigned.
A report into the incident found the loss was "entirely avoidable" and blamed serious flaws in the management of HMRC, poor communication and low staff morale. Another report said staff were not properly trained in data security.
Heartland Payment Systems, 2009
The daddy of all data breaches, with around 130 million credit card records thought to have been exposed. New Jersey-based Heartland Payment Systems, a credit card processing firm, said cyber criminals had broken into its systems in May 2008 and planted malicious software that stole credit card data.
The firm stressed that no merchant data or unencrypted PINs, or cardholders’ addresses or phone numbers had been exposed as a result of the breach, but the data that was compromised could have helped the criminals to produce fake credit cards.
Content from our partners
The company was only made aware of the breach in January 2009, when MasterCard and Visa alerted Heartland of suspicious activity surrounding processed card transactions. Hacker Albert Gonzalez was indicted on charges relating to the Heartland hack in August 2009.
Shell, 2010
Keep your workers happy seems to be the message behind this leak. Energy giant Shell was rocked in early 2010 when a database of 170,000 of its workers was emailed out to human rights groups and environmental activists, including Greenpeace and royaldutchshellplc.com, a website run by anti-Shell campaigners. It was rumoured that the database was emailed out of the company by a disgruntled employee. According to The Times, a covering letter criticising Shell’s activities in Nigeria was sent out with the database, apparently signed by more than 100 workers in the US, Holland and the UK.
The company admitted the list was genuine but pointed out that the data it contained was email details and phone numbers rather than physical addresses, minimizing the risk to staff.
Google Street View, 2010
Google claims its mission is to organise the world’s information and make it universally accessible and useful. Part of that is its Street View project, a photographical map of the world’s cities. To get these images the company simply drove cars with cameras mounted on their roofs around city streets. However, in early 2010 it was revealed that Google’s cars had collected data from unsecured Wi-Fi networks, which at the time the ICO determined contained no significant personal information.
The company soon changed its tune, though, and admitted that it collected emails and passwords; in some cases complete emails were captured, containing highly sensitive personal information. "We are profoundly sorry for mistakenly collecting payload data in the UK from unencrypted wireless networks," the company said once all the data had been deleted.
Sony, 2011
What began as a hack in April 2011 soon developed into a full-blown crisis for the electronic giants. It started with hackers breaking into the Sony Online Entertainment (SOE) network and stealing 25 million users’ personal details, potentially including credit and debit card details.
This was quickly followed by a breach of Sony’s PlayStation Network, which exposed account details of 77 million users. The firm quickly detected this and shut down PSN, but didn’t publicly admit the reason for nearly a week. The SOE intrusion was then discovered by investigators looking at the PSN hack; it too was shut down and the following day Sony came clean. Over the following weeks Sony sites in Thailand, Indonesia, Greece, Japan, Canada, Russia, Belgium and The Netherlands were targeted by a variety of methods and exposing various pieces of sensitive data.
A hacking group called LulzSec also hits Sony Pictures, exposing names, emails and physical addresses, birth dates, phone numbers and passwords.
