This month in data breaches: November edition

The season of good cheer is upon us, but not for every company.

Even as many businesses start to wind down and Christmas parties get into full swing, careless errors can still cost your company thousands.

Throughout November, social media platforms and public services suffered significantly from these data breaches. Curious? Read on to see the big names breached, and to discover how these breaches could have been prevented.

Meta

Following a breach that resulted in the online publication of more than 500 million user identities, Facebook's owner was fined £230 million by the Irish data authority.

After scraping information from global Facebook users' public profiles in 2018 and 2019, the Data Protection Commission (DPC) claimed Meta had violated two provisions of the EU's data protection rules.

Since September of last year, Meta has been subject to roughly €1 billion in fines from the DPC. While the watchdog fined Meta €17 million in March for additional GDPR violations and €225 million to Meta's WhatsApp in September of last year for "severe" and "serious" GDPR violations, Meta was hit with a €405 million fine in September for allowing teenagers to create Instagram accounts that publicly displayed their phone numbers and email addresses.

The General Data Protection Regulation (GDPR) is an EU law that makes organisations that hold the personal data of EU citizens accountable for its use. Every organisation needs to be aware of data protection laws in order to avoid fines, protect the privacy of their consumers, and maintain their reputation.

Twitter

It has been a wild couple of months for Twitter recently, with new rules, a new owner, and two data breaches arriving in short order!

Last year a Twitter vulnerability allowed hackers to acquire Twitter IDs, names, login names, locations and verified status; it also included private information, such as phone numbers and email addresses, even if the user had hidden these fields in the privacy settings.

The bug was reportedly specific to Twitter’s Android client and occurred with Twitter’s API.
The vulnerability had already been patched by Twitter in January 2022.

In November 2022, though, after this stolen data was made public online, last year's breach has returned to haunt Elon Musk's platform.

According to BleepingComputer, security expert Chad Loder, who first broke the story on Twitter and was removed shortly after publishing it, was the source of information about this more serious data leak. Following Elon Musk's takeover of Twitter, Loder shared a redacted excerpt of this broader data breach on Mastodon, a social media platform many former Twitter users migrated towards.

Hereford School

A Herefordshire School has been the victim of a recent data leak, but what can we learn from it?

It was revealed that hackers had stolen students' personal information, including names, ages and addresses, and have since published this on the dark web.

Although the root cause of the data breach is unknown at present, the Executive Head has announced extra measures to counteract such attacks in the future by introducing "two-factor authentication, robust passwords and antivirus software, in place to try and avoid the attacks."

It’s just another example of a data breach highlighting the need for a robust cybersecurity awareness training programme within organisations big and small.

Reading GP

An NHS review has been prompted by a Reading GP clinic's "major data leak" that exposed nearly 300 private email accounts.

The South Reading & Shinfield Group Medical Practice sent out an email to clients inviting them to a patient involvement group meeting. In this email, 288 email addresses were carbon copied (CCd) into the invitation, but they were not blind CC'd by the sender (BCC).

The inclusion of email addresses in the standard CC created the risk of disclosing personal information to individuals who did not know one another, which amounted to a personal data breach.

One of the recipients replied, "Probably not the best to have everyone's email public here. I'm replying all just to let people know."

In May 2020, at the start of the Coronavirus pandemic, an outsourcing business named Serco made a mistake similar to this one by mistakenly disclosing the email addresses of 300 persons who were undergoing training to support the government's "track and trace" service.

A staff member sent an email to recipients requesting that they not contact the help desk for information regarding their training; however, all personal email addresses were included in the CC area rather than the BCC section. This led to the breach. That implied that everyone who got the email could clearly see the personal email addresses of all the other trainees.

This is a perfect example of a workplace mistake that may have been easily prevented. It's easy to assume that all employees automatically understand email etiquette in the workplace when the reality is often the opposite.

It's yet another reason why cybersecurity and compliance training is essential for every organisation - no matter their size. Ready to deploy training your team actually want to take? Check out our product range here.