What 2018’s biggest breaches have taught us about encryption

Posted by Philip Bindley

Encryption in its modern form has been around for decades, but it’s still something that companies are failing to implement. Encryption is often neglected when it comes to corporate cyber security, despite the fact that it forms the cornerstone of any robust security strategy.

Data has never before been so valuable, or so widely targeted – this isn’t just due to the increasing complexity of attack methods, but also due to the range of ways that we transfer sensitive data every day.

Encrypting data is a basic way to protect sensitive corporate and customer data, and so far this year, many large companies have learned this lesson the hard way.

  1. Carphone Warehouse
    The phone retailer started the year in an unpleasant way with a £400,000 fine from the ICO. Not only were attackers able to use login credentials to access the company’s system via out-of-date WordPress software, but they were also able to locate the credentials of more than 3 million customers in plain text, including names, dates of birth, addresses and phone
  2. The Crown Prosecution Service
    The Crown Prosecution Service’s £325,000 fine in May serves as a stark reminder of why organisations should take encryption into account with all forms of data. In this instance, unencrypted DVDs holding interviews with victims of crimes, as well as sensitive information about the perpetrator, victims and interviewing officers, were left in an unsecured area of a building for anyone to view.
  3. Yahoo
    Yahoo’s UK arm suffered significant reputational damage over a data breach which took place in 2014 – not to mention the £250,000 fine that it was subsequently slapped with from the ICO. The breach saw state-sponsored hackers transfer multiple files from the main Yahoo servers – many of which included names, emails, and unencrypted security questions and answers affecting more than 500 million users.
  4. University of Greenwich
    The continuing existence of an unsecured microsite built in 2004 led to the personal data of 19,500 University of Greenwich students being placed online by hackers – including names, addresses, dates of birth, phone numbers, signatures, and, in some cases, details of physical and mental health problems. The breach, which resulted in a £120,000 fine for the University, acts as yet another reminder to organisations to make sure all data that they hold is processed and stored securely in order to avoid significant reputational damage.
  5. The Bible Society
    Earlier this year, the charity was hit with a £100,000 fine after its IT network was compromised, and the personal data of 417,000 of its supporters – including some payment card details – was accessed through an account which was only secured with an easy-to-guess password. In this case, the attackers deployed ransomware and transferred some files out of the network.

From these breaches, and many others, it’s clear that encryption – or the lack of it – is a huge factor in the size of the consequences of a data breach.

Securing data with encryption is not only a simple way to keep data safe, but is also of vital importance under GDPR. If you get it right, you won’t get fined – but get it wrong, and you can face significant reputational and financial damage. And now, with so many clever and easy-to-adopt solutions, there’s no longer any excuse not to have encryption in place.