Surprising number of major UK brands have suffered email breaches

Research from haveibeenpwned.com claims to have found which of the email accounts brands use to communicate with their clients have been recorded in breaches

Posted 23 January 2020 by Gary Flood

Many multinational companies with major UK presences have suffered email breaches – and you might be surprised by some of the names on the list: Apple, Barclays, Deliveroo, IBM, and HSBC.

The data has been compiled by haveibeenpwned.com to find out which of the email accounts brands use to communicate with their clients have been recorded in breaches. A “breach” is an incident where data has been unintentionally exposed to the public.


IBM

Big Blue’s support email (support@ibm.com) has been breached on ten separate occasions from 2015 to the present day, potentially exposing sensitive customer data.


Apple

The email address Apple users are told to contact with security queries and issues (security@apple.com) has been compromised three times since 2015 (in May 2015, August 2017, and March 2019).

John Lewis

John Lewis and Partners is a brand that anyone in the UK will instantly recognise, but users of its customerservices@johnlewis.com address could have had sensitive data exposed, says the company, as its customer service email address was breached in May 2015, January 2017, August 2017, and February and March of 2019.


Deliveroo

The support@deliveroo.com email address has been breached four times since 2017 – in August 2017, July 2018, October 2019, and March 2019. In the last attack, a spam operation known under the name “Intelimost” exposed over 3 million Deliveroo users’ unique email addresses and their passwords. These were exposed by sending emails which appeared to be coming from people the recipients knew.


Revolut

The financial technology company and neobank has grown to service more than 10 million users in 2019. But users who have used the formalcomplaints@revolut.com email address to voice their concerns about various issues will be pleased to know that no breaches have been recorded and their information has not been compromised.


HSBC

One of the UK’s top five banks, HSBC, has been targeted by hackers even more times. The info@hsbc.co.uk email address, which anyone can use to ask for information about the bank, was breached no fewer than six times since 2015 (March 2015, August 2017, September 2018, and February, March and October 2019). Email addresses, employers, job titles, geographic locations, as well as names, social media profiles, and phone numbers were exposed.


Barclays

The bank has had its customer service email address, customerservice@barclays.co.uk, breached three times between 2017 and 2019 (August 2017, October 2019, and February 2019). Many pieces of potentially sensitive information were let out in the open by the breaches, including dates of birth, email addresses, IP addresses, geographical locations, names, and phone numbers.