Hardly a week goes by without massive data breaches or failed IT projects hitting the headlines. While we might admit to a tinge of schadenfreude – mixed with relief that it didn’t happen to anyone we know – there are often lessons to be learned. We take a look at some of the worst disasters in recent history and explore the key takeaways for each of them.
Post Office Horizon Scandal
Stress. Marital breakdown. Debt. Criminal conviction. Prison. Suicide. These are just a few of the consequences of one of the biggest failed IT projects in British history – the Post Office Horizon scandal.
Horizon, software developed for the Post Office by Japanese company Fujitsu, was a program designed to automate benefits payments and reduce errors in accounting. From the get-go, it was riddled with bugs and regularly reported erroneous accounting shortfalls, often of thousands of pounds. Despite many sub-postmasters reporting that the software was faulty, the Post Office refused to believe it. There were reports of some sub-postmasters re-mortgaging their homes to try to plug the financial gap reported by the software. Between 2000 and 2014, over 700 sub-postmasters and sub-postmistresses were prosecuted for fraud or theft, many of whom were imprisoned. Several convictions were overturned in April 2021, and the Post Office has also settled with hundreds of other affected people.
Computers are not infallible
Blind faith in technology is no better than no faith in technology. Even robust systems with 99.99% accuracy will make mistakes 0.01% of the time. The Post Office should have realised that hundreds of individual small-business owners reporting the same issue with the software warranted investigating. Instead, they appear to have preferred to believe that hundreds of sub-postmasters were criminals.
In 2017, the NHS became one of the most high-profile victims of the global cyberattack known as ‘WannaCry’. WannaCry is a type of ransomware — malware that spreads across networks, infecting desktops, laptops, and mobile devices. Once on the network, it encrypts all the data it finds and sends a ransom note to the owner demanding hundreds or thousands of pounds, usually in a cryptocurrency such as Bitcoin, before it will decrypt the data. If the ransom isn’t paid, the data is destroyed.
WannaCry brought the NHS to a standstill for several days. Thousands of operations and GP appointments were cancelled, and staff were forced to revert to using pen and paper. The exact cost is not known, but the attack is estimated to have cost the NHS approximately £92 million.
Although not specifically targeted by WannaCry, the NHS was particularly badly affected by the ransomware as many of its hospitals and GP surgeries were running a vulnerable, unpatched version of Windows 7. (A small percentage were still running Windows XP, which had been unsupported since 2014.) Those NHS trusts that had installed the patch that protected against the vulnerabilities in Windows 7 were unaffected by WannaCry.
Sir Amyas Morse, comptroller and auditor-general of the National Audit Office, said of the attack, “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.”
Software must be kept up-to-date
Using outdated, unsupported software, or failing to patch known vulnerabilities in supported software, is like leaving the door to your business wide open. All organisations should regularly update software, install patches as soon as they become available, and replace unsupported software in a timely fashion.
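The patching lesson above is easier to act on with an inventory view: which hosts run software that can no longer be patched at all, and which are simply behind. The script below is an added example, not code from the article or from the NHS; it sorts a constructed host inventory into UNSUPPORTED (operating system past its vendor end-of-support date), UNPATCHED (supported, but the last patch is older than an assumed 30-day window) and OK, then orders remediation with the unsupported hosts first. Host names, patch dates and the 30-day policy are constructed assumptions.

```python
"""Patch-compliance triage over a constructed host inventory (added example)."""
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates. The article states XP had been unsupported
# since 2014; the exact days used here are Microsoft's published lifecycle dates.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}
MAX_PATCH_AGE_DAYS = 30  # assumed policy: patches applied within a month of release


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    last_patched: date


def classify(host: Host, today: date) -> str:
    """UNSUPPORTED beats UNPATCHED: an end-of-life OS cannot be brought
    up to date by patching, only by replacement."""
    eos = END_OF_SUPPORT.get(host.os)
    if eos is not None and today >= eos:
        return "UNSUPPORTED"
    if (today - host.last_patched).days > MAX_PATCH_AGE_DAYS:
        return "UNPATCHED"
    return "OK"


def triage(inventory, today):
    """Return ({bucket: [host names]}, remediation_order).

    Remediation order: unsupported hosts first (they need replacing),
    then unpatched hosts from the most stale to the least stale."""
    buckets = {"UNSUPPORTED": [], "UNPATCHED": [], "OK": []}
    for h in inventory:
        buckets[classify(h, today)].append(h.name)
    stale = [h for h in inventory if classify(h, today) == "UNPATCHED"]
    stale.sort(key=lambda h: h.last_patched)  # oldest patch first
    order = buckets["UNSUPPORTED"] + [h.name for h in stale]
    return buckets, order


# Constructed inventory, assessed as of 12 May 2017 (the start of the
# WannaCry outbreak); none of these hosts are real.
INVENTORY = [
    Host("gp-surgery-01", "Windows XP", date(2014, 3, 1)),
    Host("trust-ward-pc-07", "Windows 7", date(2016, 11, 20)),
    Host("trust-ward-pc-08", "Windows 7", date(2017, 4, 20)),
    Host("admin-laptop-03", "Windows 10", date(2017, 5, 1)),
    Host("pathology-srv-02", "Windows 7", date(2017, 3, 1)),
]
ASSESSMENT_DATE = date(2017, 5, 12)

if __name__ == "__main__":
    buckets, order = triage(INVENTORY, ASSESSMENT_DATE)
    exposed = len(buckets["UNSUPPORTED"]) + len(buckets["UNPATCHED"])
    print(f"{exposed} of {len(INVENTORY)} hosts exposed")
    for bucket, names in buckets.items():
        print(f"{bucket:12} {', '.join(names) or '-'}")
    print("remediate in order:", " -> ".join(order))
```

Run against a real estate, the inventory would come from your asset register or endpoint management tool rather than a hard-coded list; the classification and ordering logic stays the same.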
Have a disaster recovery plan and test it
Once the attack was underway, it was clear that the NHS had not rehearsed for a cyber attack. The Department of Health did have a plan, but that plan had not been sufficiently communicated or tested. Having a cyber incident response plan is a good first step, but ensuring that everyone is familiar with the plan is essential, as is testing it out.
British Airways Data Breach 2018
In 2018, British Airways became the victim of a huge data breach when hackers managed to divert users of the BA website to a fraudulent site. Approximately 500,000 customers had their data stolen, including their names, addresses, travel details, email addresses, and full credit card details including the three-digit CVV code found on the back of the card. It was two months before the attack came to light when a security researcher discovered the breach and alerted BA.
The attack led to an investigation by the Information Commissioner’s Office (ICO). Although BA tried to defend itself by claiming that it had been the victim of a “sophisticated, malicious criminal attack”, the ICO found that sufficient security measures – such as multi-factor authentication – were not in place, and slapped the airline with a £183 million fine (downgraded to £20 million in 2021 due to the impact of Covid-19 on the airline industry).
The size of the penalty is notable considering that the second-highest charge issued by the ICO was the £500,000 fine it served on Facebook for its part in the Cambridge Analytica data scandal. The reason for the sudden jump in penalties? The BA data breach took place after the General Data Protection Regulation (GDPR) came into force. Elizabeth Denham, the Information Commissioner, said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Any organisation or business that collects or stores people’s personal data must ensure that it is robustly protected. The ICO has clearly indicated that it will not accept excuses and is prepared to hand out stiff penalties to those who do not protect personal data adequately. For smaller businesses, the combination of reputational damage, a hefty fine, and the cost of recovering from a data breach, could be enough to bankrupt them.
Test your systems
As well as having appropriate security measures in place to keep personal data secure, organisations should rigorously test their systems (through penetration testing). For many organisations, this is best outsourced to a security operations centre.
TSB IT Migration Failure
In 2018 a computer systems failure left 1.9 million TSB customers unable to bank online, some for several weeks. The failure cost the bank £330 million in compensation, as well as the loss of 80,000 customers.
What broke the bank? A little history: in 1995 Lloyds Bank and the TSB merged to form Lloyds TSB. However, the 2008 banking crisis led to a government rescue package that gave the government a major stake in the company. This counted as state aid, so the EU required the bank to sell off a portion of its assets. TSB was sold off and bought by the Spanish bank Sabadell. At first, TSB continued to use Lloyds’ IT system, but Sabadell was keen for that arrangement to end as soon as possible, so plans were made for TSB to migrate to Sabadell’s Proteo platform.
As failed IT projects go, this was a biggie: it went dramatically wrong. Almost two million customers were locked out of their online banking for at least a week – many for several weeks – and some users reported being able to see detailed account information for accounts belonging to other customers.
An independent report found that TSB had rushed the migration, deciding on an arbitrary migration date that did not allow for adequate ‘live’ testing. Furthermore, they only ran tests on one of the two data centres they would be using, even though the two data centres were not built to the same specifications.
Complex procedures should not be rushed
Migrating to a new IT system is complex and risky and needs time. In fact, a compressed timetable is one of the leading causes of IT project failures. Furthermore, it is particularly risky to perform a wholesale migration – moving all customers in one go – as TSB did. A more staggered migration allows for flaws to be identified before customers are affected.
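A staggered migration only helps if each wave is checked before the next one starts. The following is an added example, not TSB’s, Sabadell’s or the article’s code: it moves constructed customer records from an old system to a new one in waves of increasing size and, after every wave, reads each migrated customer back from the new system and compares it with the source. A record landing under the wrong customer identifier (the kind of fault that shows one customer another customer’s account details) is caught as a mismatch and halts the migration before the remaining customers are touched. The identifier-mapping bug, the customer data and the wave sizes are all constructed for illustration.

```python
"""Staggered migration with per-wave reconciliation (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    customer_id: str
    name: str
    balance_pence: int


class OldSystem:
    """Source platform: a lookup by customer id."""

    def __init__(self, accounts):
        self._by_id = {a.customer_id: a for a in accounts}

    def export(self, customer_id):
        return self._by_id[customer_id]


class NewSystem:
    """Target platform. `id_transform` stands in for whatever logic maps old
    customer ids to new ones; a defect there is what the reconciliation
    is meant to catch."""

    def __init__(self, id_transform):
        self._by_id = {}
        self._transform = id_transform

    def load(self, acct):
        new_id = self._transform(acct.customer_id)
        self._by_id[new_id] = Account(new_id, acct.name, acct.balance_pence)

    def read(self, old_customer_id):
        return self._by_id.get(self._transform(old_customer_id))


def reconcile(old, new, customer_ids):
    """Compare every given customer between the two systems; return discrepancies."""
    problems = []
    for cid in customer_ids:
        src = old.export(cid)
        dst = new.read(cid)
        if dst is None:
            problems.append((cid, "missing in new system"))
        elif (dst.name, dst.balance_pence) != (src.name, src.balance_pence):
            problems.append((cid, f"new system returns {dst.name}'s record"))
    return problems


def migrate_in_waves(old, new, customer_ids, wave_sizes):
    """Migrate in successive waves, stopping at the first wave that fails
    reconciliation. Earlier waves are re-checked each time, because a later
    load can silently overwrite a record migrated earlier.

    Returns (migrated_ids, halted_at_wave_or_None, problems)."""
    migrated, remaining = [], list(customer_ids)
    for wave_no, size in enumerate(wave_sizes, start=1):
        wave, remaining = remaining[:size], remaining[size:]
        if not wave:
            break
        for cid in wave:
            new.load(old.export(cid))
        problems = reconcile(old, new, migrated + wave)
        if problems:
            return migrated, wave_no, problems
        migrated += wave
    return migrated, None, []


# Constructed customers. "C010" and "C10" are distinct customers whose ids
# collide under the buggy transform below.
ALL_IDS = ["C001", "C002", "C003", "C004", "C005", "C006", "C010", "C10"]
ACCOUNTS = [
    Account(cid, name, bal)
    for cid, name, bal in zip(
        ALL_IDS,
        ["Ava Cole", "Ben Das", "Cara Eng", "Dev Fox", "Eli Gao",
         "Fay Hu", "Gita Shah", "Hana Ito"],
        [10_00, 250_00, 9_99, 1200_00, 0, 42_10, 77_77, 5_00],
    )
]

# Constructed defect: stripping the prefix and leading zeros maps C010 and C10
# to the same new id "10", so whichever loads last overwrites the other.
BUGGY_TRANSFORM = lambda cid: cid.lstrip("C").lstrip("0") or "0"
CORRECT_TRANSFORM = lambda cid: cid


def run_demo(id_transform):
    old = OldSystem(ACCOUNTS)
    new = NewSystem(id_transform)
    return migrate_in_waves(old, new, ALL_IDS, wave_sizes=[1, 2, 5])


if __name__ == "__main__":
    migrated, halted, problems = run_demo(BUGGY_TRANSFORM)
    print("buggy mapping: migrated", migrated, "halted at wave", halted, problems)
    print("correct mapping:", run_demo(CORRECT_TRANSFORM))
```

With the defective mapping the first two waves reconcile cleanly, the third wave exposes the collision and the run stops with three customers fully migrated and the rest still on the old system; a wholesale, single-wave migration would have loaded every customer before anyone compared a single record.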
Virgin Media Data Breach — Unencrypted Database
Back in 2020, Virgin Media disclosed a data breach that left the personal details — including names, addresses, and phone numbers — of 900,000 of its customers exposed. The data was not only unencrypted but was not password protected, leaving it open to anyone. Even worse, it had been like this for ten months! Virgin believed the data had been accessed at least once and contacted its affected customers to warn them they might become victims of identity theft or phishing.
This time it wasn’t a malicious hacker at fault, but the company itself. The database had been ‘incorrectly configured’ leaving the data unencrypted and accessible to anyone.
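“Incorrectly configured” usually comes down to a handful of settings that can be checked mechanically before a database ever faces a network. The script below is an added example, not Virgin Media’s configuration or the article’s code; the article does not say which database product was involved, so PostgreSQL’s pg_hba.conf and postgresql.conf syntax is assumed here because it makes the failure mode concrete: an authentication method of `trust` means no password at all, and an address of `0.0.0.0/0` (or `::/0`) means any client on the network. Both configurations are constructed, one weak and one corrected. The checks cover authentication and transport encryption; encryption of the data at rest is a separate control not examined here.

```python
"""Audit PostgreSQL-style access and network settings for 'open to anyone'
misconfigurations (added example; both configs are constructed)."""
import ipaddress

WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS      METHOD
local   all       all                trust
host    all       all   0.0.0.0/0    trust
host    all       all   ::/0         md5
"""
FIXED_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS      METHOD
local   all       all                peer
host    all       app   10.0.5.0/24  scram-sha-256
"""
WEAK_CONF = "listen_addresses = '*'\nssl = off\n"
FIXED_CONF = "listen_addresses = '10.0.5.10'\nssl = on\n"


def parse_hba(text):
    """Parse pg_hba.conf rules into (type, database, user, address, method).
    'local' rules have no ADDRESS column; trailing auth options are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append((f[0], f[1], f[2], None, f[3]))
        else:
            rules.append(tuple(f[:5]))
    return rules


def parse_conf(text):
    """Parse postgresql.conf 'key = value' lines into a dict (quotes stripped)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_world(addr):
    """True if the rule's address matches every client (keyword 'all' or a /0 network)."""
    if addr is None:
        return False
    if addr == "all":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostnames, samehost/samenet: out of scope for this check


def audit(hba_text, conf_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    for rtype, db, user, addr, method in parse_hba(hba_text):
        if method == "trust":
            scope = "any network client" if is_world(addr) else f"{rtype} clients at {addr or 'local socket'}"
            findings.append(f"no password required ('trust') for {scope}, db={db} user={user}")
        elif is_world(addr) and method in ("md5", "password"):
            findings.append(f"world-reachable rule uses legacy auth '{method}' for db={db} user={user}")
    conf = parse_conf(conf_text)
    if conf.get("listen_addresses") == "*":
        findings.append("listen_addresses = '*' exposes the server on every interface")
    if conf.get("ssl", "off").lower() != "on":
        findings.append("ssl is off: credentials and data cross the network unencrypted")
    return findings


if __name__ == "__main__":
    for label, hba, conf in (("weak", WEAK_PG_HBA, WEAK_CONF), ("fixed", FIXED_PG_HBA, FIXED_CONF)):
        print(f"{label}:")
        for finding in audit(hba, conf) or ["no findings"]:
            print("  -", finding)
```

A check like this belongs in the deployment pipeline or a scheduled configuration audit, so that a database cannot sit open for months (as the article describes) without anyone being told.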
Educate your staff
This particular blunder appears to have been the result of human error. Developing a ‘security culture’, where you educate your staff on security issues, is essential.
Intersys offers a range of IT consulting services, as well as a Managed IT Support Service and a Security Operations Centre. Contact us any time for a free, no-obligation chat to find out how we can help you.