What can we learn from 2018's biggest data breaches?

Throughout 2018, British firms have faced an increase in both the volume and sophistication of cyber-attacks.

Reflecting on the evolution of threats over the year, three cybersecurity experts convened at a UKFast Webinar in Manchester to discuss the year’s biggest breaches and what UK businesses can learn from them.

The panel included Annabelle Gold-Caution, Associate at European law firm Fieldfisher; Paul Mason, IT Security, Education and Training Specialist at cybersecurity firm Secarma; and Noha Amin, Information Security Awareness Manager at TalkTalk.



Insider threats are the most prevalent type of attack facing businesses today, experts say.

In November 2018, Morrison’s supermarket chain was ruled vicariously liable for the breach of nearly 100,000 employees’ personal data, leaked in 2014 by a disgruntled worker who had legitimate access to it.

Annabelle Gold-Caution said: “The risk of business owners being held responsible for data breaches caused by employees must be considered in security policies, and mitigated by implementing strong data access permissions.”

Experts recommend that business owners grant access to company data on a ‘least-privilege’ basis: each role gets only the access its job requires, which cuts the number of people who can reach critical data, makes a bulk copy of that data an unusual event worth noticing, and reduces the risk of unauthorised data sharing.
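As an added illustration, not part of the webinar or any panellist's material, the Python below shows what a deny-by-default, least-privilege access layer over a sensitive table looks like in practice. The roles, grants, payroll records and the rule that a request for more than one record is treated as a bulk export needing its own privilege are all assumptions constructed for this example; every attempt, allowed or denied, is written to an access log so a reviewer can see who pulled what.

```python
"""Deny-by-default, least-privilege access to a sensitive dataset.

Added example (not from the webinar or any panellist). The roles, grants,
payroll rows and the bulk-export threshold are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample data: a payroll table keyed by employee id.
PAYROLL = {
    "e001": {"name": "A. Example", "salary": 31000, "bank": "12-34-56 00000001"},
    "e002": {"name": "B. Example", "salary": 42000, "bank": "12-34-56 00000002"},
    "e003": {"name": "C. Example", "salary": 55000, "bank": "12-34-56 00000003"},
}

# Explicit grants; anything not listed here is denied. Only payroll roles may
# read the table, and only the manager role may export it in bulk.
GRANTS = {
    "payroll_clerk":   {"payroll:read"},
    "payroll_manager": {"payroll:read", "payroll:export"},
    "hr_analyst":      {"payroll:read"},   # read single records, no bulk export
    "store_staff":     set(),              # no access to payroll at all
}

# Assumption for this example: a request returning more than BULK_THRESHOLD
# records counts as a bulk export and needs the separate 'payroll:export' grant.
BULK_THRESHOLD = 1


@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, user, role, action, n_records, allowed):
        self.entries.append({"user": user, "role": role, "action": action,
                             "records": n_records, "allowed": allowed})


def authorise(role, action):
    """Deny by default: the privilege must be explicitly granted to the role."""
    return action in GRANTS.get(role, set())


def read_payroll(user, role, employee_ids, log):
    """Return the requested payroll records, or raise PermissionError.

    Every attempt is logged before the decision is enforced, so a denied
    full-table read by an insider still leaves a trace for review.
    """
    n = len(employee_ids)
    action = "payroll:export" if n > BULK_THRESHOLD else "payroll:read"
    allowed = authorise(role, action)
    log.record(user, role, action, n, allowed)
    if not allowed:
        raise PermissionError(f"{role} lacks {action} for {n} record(s)")
    return {eid: PAYROLL[eid] for eid in employee_ids if eid in PAYROLL}


def suspicious_access(log):
    """Entries worth a reviewer's attention: denials and any bulk export."""
    return [e for e in log.entries
            if not e["allowed"] or e["action"] == "payroll:export"]


if __name__ == "__main__":
    log = AccessLog()
    read_payroll("clerk1", "payroll_clerk", ["e001"], log)          # allowed
    try:
        read_payroll("analyst1", "hr_analyst", list(PAYROLL), log)  # denied: bulk
    except PermissionError as exc:
        print("denied:", exc)
    read_payroll("mgr1", "payroll_manager", list(PAYROLL), log)     # allowed, logged
    for entry in suspicious_access(log):
        print("review:", entry)
```

The point of the threshold is that the clerk and the analyst can still do their day job one record at a time, while copying the whole table is a distinct, rarer privilege and is always visible in the log when it happens.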

Noha Amin added: “Everyone is paying more attention now to their personal data and people are being very vigilant. This is being emphasised by the Morrison’s employees whose data was leaked.

“Employees are demanding compensation for their distress, and this type of legal case will become increasingly common if businesses do not mitigate all possible risks in order to safeguard employee and consumer data.”



Reputational damage is a serious side effect suffered by many organisations following data leaks. Facebook disclosed two major incidents in 2018, and only the second was an exploited vulnerability. In the first, involving Cambridge Analytica, a third-party quiz app harvested profile data through Facebook’s own platform and that data was passed on to the consultancy without users’ consent. In the second, disclosed in September, attackers chained flaws in the site’s ‘View As’ feature to steal access tokens and take over accounts.

The first incident alone affected more than 1 million UK users and up to 87 million accounts globally.

The firm’s reputation has suffered irreparable damage as a result, with one in 20 Brits, and millions across the world, reported to have deleted their accounts after the second breach was publicised.

Paul Mason said: “When news of the second Facebook data breach came to light the company’s stock price fell 6% in just two hours.

“Although data can be retrieved with good disaster recovery strategies, reputations are not as easily recovered. This is a serious reminder for business owners to keep their networks up to date, patched and regularly tested to stay one step ahead of those willing to take advantage.”

Annabelle Gold-Caution also commented on the lesser-known impacts on businesses and their teams.

She said: “An element of reputational damage that’s often missed is the impact on a company’s own staff – the internal team is often de-prioritised in the rush to manage external PR.

“Businesses offering employee equity compensation (e.g. stock options) can be particularly concerned about impacts on share price. A lack of transparency can lead to significant dips in internal morale, particularly for organisations with a strong mission statement.”



Showing that not all breaches are down to hackers, Mason also reflected on the TSB case from April 2018, where the bank failed to securely migrate data from one system to another.

The botched migration locked many customers out of their own accounts, and some who could log in were shown details of other customers’ accounts. Fraudsters then exploited the confusion by posing as TSB investigators, with some customers scammed out of £30,000.

Mason commented: “It’s not just leaked data that breaches GDPR legislation; Lloyds failed to provide their consumers with three basic data rights: availability, integrity and confidentiality. That’s a huge breach of data protection legislation.”

He added: “It’s crucial to test systems before they go live, especially if you’re moving large amounts of data. Even the smallest glitch could have huge consequences if you’ve not considered all possible scenarios, and how these can be resolved quickly to prevent problems that affect your customers.

“TSB could be forced to pay substantial fines by the Information Commissioner’s Office and the Financial Conduct Authority for what was probably an innocent mistake.

“Businesses must ensure they’re protecting the data rights of their consumers at all times or face potential fines and lose the trust of their customers.”

The extent of fines issued to the bank under GDPR legislation is yet to be confirmed.
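The TSB failure described above was an integrity and confidentiality problem in migrated data, and Mason’s advice is to test before going live. As an added example that is not TSB’s or the panel’s own code, the Python below shows the kind of pre-cutover reconciliation a migration should fail on: every source account must exist in the target, belong to the same customer, and carry unchanged contents. The source and target tables, the field names and the two planted defects (one account re-linked to the wrong customer, one missing) are constructed for illustration.

```python
"""Reconcile a migrated account table against its source before cutover.

Added example, not TSB's or the panel's code. SOURCE, TARGET and their
fields are constructed to illustrate a go-live gate for a data migration.
"""
import hashlib
import json

# Constructed sample data: which customer each account belongs to, plus its
# balance. SOURCE is the old system; TARGET is what the migration produced.
# acc-3 has been re-linked to the wrong customer in TARGET (another customer
# would see it in their online banking) and acc-4 is missing altogether.
SOURCE = {
    "acc-1": {"customer_id": "cust-A", "balance": "100.00"},
    "acc-2": {"customer_id": "cust-B", "balance": "2500.50"},
    "acc-3": {"customer_id": "cust-C", "balance": "75.25"},
    "acc-4": {"customer_id": "cust-D", "balance": "0.00"},
}
TARGET = {
    "acc-1": {"customer_id": "cust-A", "balance": "100.00"},
    "acc-2": {"customer_id": "cust-B", "balance": "2500.50"},
    "acc-3": {"customer_id": "cust-A", "balance": "75.25"},
}


def record_hash(row):
    """Stable digest of one record, so whole-row drift is cheap to compare."""
    return hashlib.sha256(json.dumps(row, sort_keys=True).encode()).hexdigest()


def reconcile(source, target):
    """Compare target against source; returns only the non-empty findings.

    owner_mismatch is the confidentiality failure (an account now visible to
    the wrong customer); missing/changed/unexpected are integrity failures.
    """
    findings = {"missing": [], "unexpected": [], "owner_mismatch": [], "changed": []}
    for acc, row in source.items():
        if acc not in target:
            findings["missing"].append(acc)
            continue
        trow = target[acc]
        if trow["customer_id"] != row["customer_id"]:
            findings["owner_mismatch"].append(acc)
        elif record_hash(trow) != record_hash(row):
            findings["changed"].append(acc)
    findings["unexpected"] = sorted(set(target) - set(source))
    return {k: v for k, v in findings.items() if v}


def accounts_by_customer(table):
    """Per-customer view of a table: what each customer would see after login."""
    view = {}
    for acc, row in table.items():
        view.setdefault(row["customer_id"], set()).add(acc)
    return view


def cutover_allowed(source, target):
    """Go-live gate: no findings, and every customer sees exactly their accounts."""
    return (reconcile(source, target) == {}
            and accounts_by_customer(source) == accounts_by_customer(target))


if __name__ == "__main__":
    print("findings:", reconcile(SOURCE, TARGET))
    print("cutover allowed:", cutover_allowed(SOURCE, TARGET))
```

Running the gate against the constructed tables reports the re-linked account and the missing one and refuses cutover; the same check against a clean copy passes. The per-customer view comparison is the part that directly tests the ‘can a customer see someone else’s account’ failure rather than only row-level integrity.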

The Morrison’s, TSB and Facebook cases demonstrate that the impacts of breaching data legislation can be highly damaging and unpredictable in a landscape where data is fast becoming one of the most valued currencies in the world.

We will no doubt see a continued stream of high-profile cyber-attacks and data breaches in 2019. With the New Year around the corner, will businesses learn from the misfortunes of companies in the public eye? Only time will tell.

The comments were made at a recent UKFast Webinar.