
This month in data breaches: October edition

03 November, 2023

This October, major corporations were hit with cyber tricks rather than treats!


Air Europa, 23andMe, Sony, and Lyca Mobile faced the scary reality of data breaches.


Join us as we uncover how these companies were impacted and discover essential insights on how to protect your own business against similar cyber attacks.


Let’s get into it.


October's biggest breaches


Air Europa


Air Europa, a Mallorca-based airline, fell victim to a data breach, exposing the private payment information of its customers.


The breach, discovered on October 10th, revealed that customer payment data, including credit card numbers, expiration dates, and CCV codes, had been accessed during the cyber attack.


Alarmingly, this breach occurred 41 days prior, on August 28, going undetected until suspicious activity was identified on one of the airline's systems.


While the precise number of affected individuals remains undisclosed, the exposure of CCV codes is in violation of the PCI DSS regulations, which raises significant concerns.


Air Europa has advised customers who used credit cards for flight payments to cancel their cards as a precaution against potential fraudulent activities.


The Air Europa breach underscores the importance of adhering to PCI DSS regulations to minimise risks and mitigate the impact of breaches on customers' payment data.



23andMe


Biotech company 23andMe faced a serious data breach where customer accounts were accessed through a credential-stuffing attack.


This led to the theft of genetic data, potentially including names, email addresses, birthdates, and genetic ancestry information.


The hackers seemed to focus on individuals of Ashkenazi Jewish and Chinese descent, causing concern within these specific communities.


A hacker claimed to possess user details and attempted to sell them on an online forum, particularly emphasising Jewish individuals.


Upon detecting the breach, 23andMe involved digital forensics experts and law enforcement. They've taken steps, including requiring all users to reset their passwords as a precaution.


This incident adds to ongoing concerns about data privacy and security within genetic testing companies. This data isn't currently protected by HIPAA, the health privacy law, and 23andMe's privacy policy still allows for third-party data sharing.


This breach stresses the need for unique and strong passwords for separate accounts to prevent unauthorised entry and protect your personal data.


Sony


In October, Sony informed nearly 6,800 employees about an earlier data breach linked to a prior security breach associated with the MOVEit Transfer system.


Through this system, hackers gained unauthorised access to U.S.-based employee data stored on Sony's servers.


As a response, Sony offered credit monitoring services to those affected and addressed the vulnerability to prevent any potential future data breaches.


These breaches highlight the persistent challenges in protecting personal data within large corporations, emphasising the critical need for updated security measures and continuous vigilance, regardless of a company's size.


Lyca Mobile


Lyca Mobile, a London-based mobile operator running on EE's network, has faced a data breach, creating significant disruptions for millions of Lyca Mobile users.


Upon discovery, Lyca Mobile took swift measures to contain the breach by isolating and shutting down compromised systems.


Despite these efforts, the attackers gained access to various personal information stored within their systems, including names, birth dates, addresses, copies of identity documents, customer service interactions, and partial payment card information.


Although the specific details of the stolen data were not disclosed, concerns have arisen regarding compromised customer passwords and potential risks associated with phishing attempts, fraud, and unwanted marketing communications.


Lyca Mobile is the largest mobile virtual network operator (MVNO), with over 16 million customers globally, so the magnitude of the breach poses a considerable risk.


This incident reminds us of the necessity of rapid and effective response strategies. A swift response can significantly reduce exposure and potential impact.


Preventive measures are a crucial aspect of cybersecurity planning.


What your organisation can learn from the October data breaches


Considering the recent breaches in October, it's important to follow regulations and continuously review cybersecurity protocols.


Here are key points to consider when reviewing your cybersecurity measures to protect your organisation and customers:


  • Compliance with industry standards: Adhering to regulations like PCI DSS is vital to protect customer data and avoid severe consequences due to non-compliance.
  • Strengthening security measures: Implementing multi-factor authentication, encouraging strong passwords, and updating security systems can significantly reduce the risk of unauthorised access.
  • Incident response and preparedness: Develop and regularly test an incident response plan. This includes clear steps for swift action in case of a security breach to minimise its impact.
  • Clear communication: Timely and transparent communication with affected customers and regulatory bodies builds trust and helps contain the breach's impact.
  • Customer data protection emphasis: Continuous evaluation and enhancement of security protocols are necessary to protect personal information, prevent misuse, and reduce the risks associated with breaches and fraud.
  • Third-party risk management: Assess and manage risks associated with third-party vendors, ensuring they maintain strong security practices to safeguard shared data.

How can Bob's Business help your organisation?


At Bob's Business, we provide tailored compliance solutions and customised employee training to protect your organisation.


With our support, your organisation can proactively enhance its cybersecurity and prevent breaches like these from happening. Click here to explore courses tailored to your organisation.

