WannaCry was a ransomware attack that affected more than 300,000 computers around the world in May 2017. A self-replicating worm, it exploited a vulnerability in the Windows operating system. Although Windows had released a patch, plenty of computers hadn’t updated their systems.
Once infected, a computer had its files encrypted, which prevented the machine from being used. To unlock it, the user had to pay a ransom of US$300 in Bitcoin.
Organisations of all types and sizes were affected by the attack, including Spanish telecommunications company Telefonica, the Russian Ministry of Internal Affairs and, in the U.S., FedEx. In the UK, the NHS was a major casualty, with more than a third of England’s NHS trusts affected. As a result, more than 6,900 appointments were cancelled and some patients had to travel further for accident and emergency care.
WannaCry’s spread was stopped when a security researcher registered WannaCry’s kill switch domain. This meant that when the ransomware successfully contacted this domain, it effectively switched itself off.
In October 2015, a cyber attack on telecommunications company TalkTalk enabled thieves to exploit vulnerabilities in its webpages to access customers’ personal data, including names, addresses, dates of birth and financial information. In total, 156,959 customers’ personal details were accessed, including the bank details of 15,656 customers. A problem was first identified when internal reports showed its network was operating more slowly than normal. Further investigation found there had been an attack, and TalkTalk replaced its websites with a holding page, reported the data breach to the Information Commissioner’s Office (ICO) and started telling its customers.
The ICO’s investigation found that TalkTalk had failed to take appropriate measures to keep its customers’ personal data secure and issued its largest ever fine at the time: £400,000.
A cyber attack on the credit reference agency Equifax in 2017 exposed the personal details of up to 146 million people. Although the majority of these individuals were in the U.S., they included up to 15 million people in the UK, of whom almost 700,000 had information such as names, dates of birth and telephone numbers exposed.
Although the compromised systems were in the U.S., the ICO launched an investigation into the steps Equifax had taken to protect the personal information of UK individuals. This found there were multiple failings at the credit reference agency, which led to personal information being retained for longer than necessary and vulnerable to unauthorised access. In total it contravened five out of eight data protection principles under the Data Protection Act 1998.
The ICO issued Equifax with a £500,000 fine for the breach, the maximum fine allowed at the time under the Data Protection Act 1998.