
Keller Lenkner UK

Data Breach Report 2020.

 

There is no doubt that the last few years have been transformative for data protection. Today, more of our data is being used and shared than ever before; especially as we all exploit technology in our business and personal lives. But this increased reliance on technology does not come without risk, and, as yet, too many organisations are still failing to take data protection seriously.

In 2020, as the world struggled to overcome the challenges brought about by the coronavirus pandemic, data protection issues were thrust into the spotlight as the challenges of an at-home workforce and the need for remote technology and health-focused apps became apparent.

Nevertheless, despite the pandemic, the legal world continued to operate, with record data protection fines being issued by the Information Commissioner’s Office (ICO).

In our 2020 annual report, our expert data protection lawyers take a look at some of the key cases and developments that occurred in the world of data breach law over the last 12 months.

Kingsley Hayes

Head of Data Breach, Keller Lenkner UK.

January 2020

Dixons Carphone was fined by the ICO

In January 2020, the ICO fined Dixons Carphone £500,000 after a massive data breach at the company in 2017. According to the ICO:

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

The details stolen in this breach included names, home addresses, phone numbers, dates of birth and email addresses. The hackers also got access to the records of 5.9 million payment cards.

The ICO investigation into the Dixons data breach found:

Keller Lenkner UK has launched a group action against Dixons Carphone. Group actions can be a powerful tool and can have a bigger impact than a single claim.

February 2020

Financial Conduct Authority involved in serious breach

In February 2020, the Financial Conduct Authority (FCA) mistakenly published the private records of 16,000 people online. All the people involved in this data breach had previously made a complaint to the FCA. The data exposed in this breach included the names of the complainants, along with some addresses and telephone numbers. The data was visible between November 2019 and February 2020.

A Crew and Concierge data breach put thousands at risk

A data breach at UK-based Crew and Concierge Limited exposed the personal data of workers in the yachting industry. The breach affected 17,379 people of 50 different nationalities – all of whom were on Crew and Concierge’s books. The data had been online and available for anyone to access without a password since February 2019.
March 2020

COVID-19 changed everything

In a month that changed everything, on 11 March 2020, the coronavirus outbreak was labelled a pandemic by the World Health Organisation. 

Quick to see the impact this might have on data protection, Kingsley Hayes (who later joined Keller Lenkner UK as Head of Data Breach) raised concerns in the media about how the coronavirus pandemic might lead to an increase in data breaches.

In particular, he discussed:

Hammersmith Medicines Research was targeted by cybercriminals

On 14 March 2020, the Maze ransomware group attacked the computer systems of Hammersmith Medicines Research (HMR) – a company which performs early clinical trials of drugs and vaccines. 

HMR did not pay the ransom. Malcolm Boyce, managing and clinical director at HMR said: “We have no intention of paying. I would rather go out of business than pay a ransom to these people”.

In response to this refusal, the cyber gangsters published the personal and medical details of more than 2,300 former volunteer patients online. The information has since been taken down.

The extremely sensitive and confidential information exposed in this hack includes:

  • names and dates of birth
  • identity documents (scanned passports, National Insurance cards, driving licence and/or visa documents, and any photographs taken at the screening visit)
  • health questionnaires, consent forms, information from GPs and some test results (including, in some cases, positive tests for HIV, hepatitis, and drugs of abuse).

The data exposed went back years. 

Another Marriott data breach was uncovered

In 2018, a huge data breach put 339 million Marriott International customers at risk. But, in March 2020 it seemed that the hotel giant still was not taking its data protection responsibilities seriously as it suffered a further breach – this time involving the personal information of 5.2 million guests. 

Also in March 2020

  • 3,000 tenants were put at risk after a data breach at the Watford Community Housing Trust
  • 890,000 customers of Virgin Media had their personal information breached
  • Informed customers about a security incident at the company. People who had called the 118118 Money customer service line could be affected.
April 2020

The Supreme Court found Morrisons not liable for 2014 data breach

The Supreme Court decided that supermarket chain Morrisons was not liable for a deliberate data breach caused by a disgruntled employee. However, this decision does not mean that businesses can be complacent. In most cases, data breaches are not caused by people seeking to cause damage to a brand. Instead, they are the result of genuine human error made possible due to poor security processes and a lack of training. And, for that, an employer can still be held liable.

May 2020

Over nine million people had their details hacked in the EasyJet data breach

EasyJet admitted that it had fallen victim to hackers. According to the airline, the personal details of nine million customers had been accessed and 2,208 passengers had their credit card details stolen (including CVV numbers!). Shockingly, EasyJet knew about the hack in January 2020. But it only warned customers whose credit card details were stolen in early April, and everyone else was notified in May. This raised serious questions about why it took so long to inform customers, especially as not doing so put them at additional risk.

Cathay Pacific was fined £500,000 by ICO for data breach

EasyJet wasn’t the only airline to hit the news because of a data breach in May 2020. Cathay Pacific Airways Limited was also fined £500,000 by the Information Commissioner’s Office (ICO) for a similar offence. In this case, the airline’s failure to secure its systems resulted in the personal details of some 9.4 million customers being exposed. Of these customers, 111,578 were from the UK.
June 2020

Babylon Health app breached patient confidentiality

The Babylon Health GP video appointment app gave some users access to videos of other patient consultations. The app had become especially popular during the COVID-19 pandemic, as it provided an alternative to visiting the doctor in person.

Commenting on the breach, Kingsley Hayes said:

“Healthcare is rapidly going digital. But, amidst this online information revolution, there must be robust protections in place. This is essential to secure confidential and sensitive medical data. Especially because, should such information become public, this could cause considerable distress and embarrassment to those involved. And, it might even be exploited by criminals.

“By allowing GP sessions to become public, Babylon has breached the Data Protection Act, and doctor-patient confidentiality. The healthcare sector handles some of our most sensitive personal data, and, as patients, we have the right to expect this will be taken care of. Babylon failed to do this.”

July 2020

Blackbaud alerted customers to a system breach

In July 2020, it was revealed that over 100 educational and third-sector organisations were at risk following a breach of the Blackbaud cloud platform. Blackbaud – a firm that provides administration, fundraising, and financial management software – was targeted by cybercriminals in a devastating cyber-attack. The hackers demanded a ransom in exchange for deleting the data, which Blackbaud paid.

The US-based software provider took weeks to warn people that their data had been stolen. Furthermore, despite initially claiming that financial data had not been stolen, Blackbaud has since admitted that bank account information and users’ passwords were among details feared accessed by hackers, although not everyone will have had their financial details compromised.

According to media reports, the affected institutions included:

The British Dental Association (BDA) confirmed that its servers were illegally hacked

In July 2020, hackers targeted the British Dental Association’s (BDA) systems. Cybercriminals accessed personal and financial data including: 

  • bank account numbers
  • sort codes
  • names
  • contact details
  • transaction histories
  • correspondence logs
  • case notes
  • some patient information could also have been compromised.

As the BDA confirmed that its servers were illegally hacked, it also warned dentists to be extra vigilant. In particular, the BDA has suggested that members take the following steps as a precaution:

August 2020

18,000 coronavirus test results were published in data breach error

On 14 September 2020, Public Health Wales (PHW) admitted that a mistake had led to a data breach violation involving the data of Welsh residents who had tested positive for COVID-19 between 27 February and 30 August.

The breach exposed the following information:

  • For 16,179 people, the data consisted of their initials, date of birth, geographical area and sex
  • For 1,926 people living in enclosed settings (e.g. nursing homes and supported housing), or residents who share the same postcode as these settings, the information also included the name of the setting.
September 2020

Strengthening our firm's role as a consumer-champion law firm, in September 2020 we were delighted to launch a new data breach and cybercrime division.

Keller Lenkner UK is one of the most experienced group action and multi-claimant law firms in the UK. Our legal team has represented thousands of workers and consumers, and, with experience in complicated litigation and high-risk cases, we are used to standing up to well-funded corporates. Already taking on giants such as Uber, Volkswagen and Mercedes, in September 2020 we strengthened our role as a consumer-champion even further, with the launch of a new data breach and cybercrime group.

Introducing a new data protection champion

“Over the last few years, I’ve seen how data breach law has evolved, both here in the UK and across the world, and I’ve helped thousands of clients get the compensation they deserve after an injustice. However, there is no doubt that - when it comes to data breach violations - large organisations are smarter and better resourced than ever before. And it can be difficult for some firms to stand up to such strength. In response, the UK needs a new data breach champion. I’m thrilled to take up my position as Head of Data Breach at Keller Lenkner UK, and look forward to securing the best possible result for each and every client.”
Kingsley Hayes, Head of Data Breach, Keller Lenkner UK

Shopify data breach worries merchants and customers

Shopify admitted that it caught two rogue employees stealing transaction data from its online stores. The theft impacted around 200 merchants and their customers. The businesses put at risk in the Shopify data breach included Kylie Jenner’s make-up company, which has already informed customers about the privacy violation. The incident occurred between 15 August and 15 September 2020.

October 2020

ICO fined Marriott International £18.4 million

The ICO fined Marriott International Inc £18.4 million after a data breach put the personal data of some 339 million customers at risk. Seven million guest records related to people in the UK.

The ICO investigated on behalf of all EU authorities as lead supervisory authority under the General Data Protection Regulation (GDPR). The penalty and action have been approved by the other EU Data Protection Authorities.

Whilst the Marriott data breach was discovered in 2018, it could affect customers who made a booking at one of the affected hotels and timeshare properties as far back as 2014. However, the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.

ICO fined British Airways £20 million

The ICO fined British Airways £20 million for a serious data breach which took place in 2018. The breach – which happened due to a cyberattack – compromised the personal and financial details of more than 400,000 British Airways customers and staff.

The hack went undetected for more than two months and was eventually discovered by a third party. According to the ICO: “It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant”.

British Airways was initially facing a £183 million fine for the data breach. However, this amount was reduced to £20 million after appeal.

Keller Lenkner UK launched data breach proceedings against Royal Mail

In October 2020, we issued legal proceedings against the Royal Mail. The action related to the release of employee information collected by Royal Mail as part of an internal investigation following allegations of harassment and bullying made against another Royal Mail employee.

The claimants in this case had a reasonable expectation of privacy given the circumstances. Despite this, during the investigation, personal information was sent to a third party. The personal data included addresses, mobile telephone numbers, and in one case the name of an individual who had asked to remain anonymous. Although Royal Mail had informed the claimants that interview notes would be shared with the third party, those involved were reassured that their personal details would be removed before doing so.

Keller Lenkner UK believes that Royal Mail is vicariously liable for the actions of its employees in sending the documents to the third party, as the employees were acting within their field of activities and furthering their employer’s purposes.

November 2020

Ticketmaster fined £1.25 million for data breach

In October 2020, the ICO fined Ticketmaster £1.25 million for a shocking data privacy failure which took place in 2018. In this case, cybercriminals hacked Ticketmaster’s website resulting in a significant data breach. The Ticketmaster data breach exposed customer names, addresses, email addresses, phone numbers, financial/payment details and Ticketmaster login details. In total, 40,000 people in the UK had their payment details swiped.

Although the breach began in February 2018, the penalty only related to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect.

December 2020

Twitter fined €450,000 by Irish data regulator

In the first major tech post-GDPR case, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC) for privacy breaches. This was the first time a multinational tech firm had been held to account by the Irish regulator since GDPR was introduced. The penalty was issued as Twitter failed to promptly declare and properly document a data breach.

The Irish DPC is the lead EU privacy supervisor for several tech giants.

This case could be significant as there is a backlog of investigations against the likes of Facebook, WhatsApp, Google, Apple and LinkedIn (amongst others). Facebook has said that it has put aside €302 million for potential regulatory fines.

Almost 300 patients involved in an NHS data breach

NHS Highland patients were involved in a serious medical data breach. The health board admitted that the details of 284 patients were sent to 31 people. The data breached included patient contact details, dates of birth and the names of their clinics.

HMRC guilty of ‘serious’ personal data breaches

In December 2020, it came to light that HMRC had reported a series of ‘serious’ personal data incidents last year. For example: 

  • HMRC sent out NI number letters relating to 16-year-old children with incorrect details. This breach impacted almost 19,000 people.
  • A fraudulent attack saw cybercriminals access the details of over 60 employees. This data included names, contact details and other information such as usernames and passwords. 573 people are said to have been impacted as a result. In this case, the affected customers may not yet have been notified.
  • In a smaller but still serious breach, the data of an employee was put at risk when paperwork was left on a train. The sensitive information breached included medical notes and HR letters.

Other data breaches at HMRC occurred due to cyber-attacks and a catalogue of human errors.

About Keller Lenkner UK

When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach.

At Keller Lenkner UK, our data breach team has the legal expertise and resources necessary to take on the corporate giants. We have supported thousands of multi-claimant and group-action data breach clients, and we can do the same for you.

Our Group Actions

DVLA

The DVLA makes money selling the names and addresses of registered vehicle owners to private parking companies so they can issue fines. If you have been issued with a parking charge notice you could be affected and due compensation.


LinkedIn

LinkedIn has suffered a massive data breach affecting 700 million people. In total, 92% of LinkedIn users are reportedly affected by this breach. The stolen data includes salary information.


Special Forces

In June 2021 it was revealed that over 100 special forces troops were publicly identified in an email security breach. Given that the names of those in special forces units are strictly protected, this is a severe breach that could have serious repercussions on UK intelligence and those whose data has been revealed.


Total Fitness

Anyone involved in the Total Fitness data breach could now be at risk. Customers should be aware that criminals might try and contact them using the stolen contact details. Victims of this breach are now at a greater risk of fraud, theft, and scams.

If your data was included in this breach, and you live in England & Wales, you may be able to make a no-win, no-fee compensation claim with Keller Lenkner UK.


Foxtons

In January 2021, London-based estate agent Foxtons discovered that it had experienced a huge data breach. But, despite an investigation finding 16,000 card details, addresses and correspondence related to this breach on the dark web, Foxtons did not tell its customers that criminals had accessed and exposed their data.


Transform Hospital Group

In December 2020, UK cosmetic surgery provider Transform Hospital Group Ltd., also known as The Hospital Group, admitted that it had been hit by a ransomware data security attack. This incident resulted in the theft of extremely sensitive customer data.


People’s Energy

Anyone involved in the People’s Energy breach could now be at risk. Customers are being warned that criminals might try and contact them using the stolen contact details. Victims of this breach are now at a greater risk of fraud, theft, and scams.
If your data was included in this breach, and you live in England & Wales, you may be able to make a compensation claim with Keller Lenkner UK.


Twitter

In December 2020, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC) for failing to promptly declare and properly document a data breach. This comes after a Twitter bug led to private tweets being made publicly available.


Blackbaud

In 2020, over 100 educational and third-sector organisations were put at risk following a breach of the Blackbaud cloud platform. Blackbaud – a firm that provides administration, fundraising, and financial management software – was targeted by cybercriminals in a devastating cyber-attack. The hackers demanded a ransom in exchange for deleting the data, which Blackbaud paid.


UK Universities

Several UK universities are involved in a global privacy violation. This university data breach occurred as Blackbaud – a firm that provides education administration, fundraising, and financial management software – was targeted by cybercriminals.


National Trust

The National Trust has issued a data breach alert after a cyberattack on cloud computing company Blackbaud. Blackbaud provides software to the National Trust. The National Trust confirmed that data about its volunteering and fundraising communities has been compromised. Its 5.6 million members are not thought to be at risk.


Hammersmith Medicines Research

The Maze ransomware group attacked the computer systems of Hammersmith Medicines Research (HMR) – a company which performs early clinical trials of drugs and vaccines. The criminal group had previously promised not to attack medical organisations during the coronavirus outbreak.


Greater Manchester Police

The personal details of victims of crime in Greater Manchester have been put online by mistake.

The data breach affects victims of sexual abuse, witnesses and people reporting crime. According to the Force, no informant details were breached.

Thousands of people are thought to be affected.


Hackney Council

Hackney Council was hit by a serious cyberattack that affected most of its services. If you think you may have lost data in this incident, contact Keller Lenkner and we will help you to investigate that loss.


Marriott

In 2018, a huge data breach put 339 million Marriott International customers at risk. And, in 2020, Marriott confirmed another data breach – this time involving the personal information of 5.2 million guests.


T-Mobile

In November 2019, T-Mobile suffered a severe data breach. Over a million pre-paid customers are believed to be affected. T-Mobile was very unforthcoming about the data hack and did not provide additional information at the time of the breach.


Ticketmaster

In June 2018, Ticketmaster admitted to a huge data breach. The breach happened after a supplier to Ticketmaster was infected with malicious software while having access to the Ticketmaster website. The Ticketmaster data breach affects up to 40,000 people.


TeamSport

TeamSport Indoor Karting, which operates racing circuits across the UK, suffered a significant data breach. The breach affects former employees of the company.


Police Federation

In 2019, the Police Federation of England and Wales (PFEW) suffered a severe data breach after a ransomware cyber-attack hit the PFEW headquarters. Around 120,000 current and former officers are affected.


OnePlus

OnePlus has emailed customers to let them know that a data breach put their personal information at risk. Worse, OnePlus confirmed that the hack resulted in customer order information falling into the hands of an unauthorised third-party.


Dixons

The Dixons Carphone Warehouse data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores.


Equifax

In 2017, poor security processes at Equifax led to a huge data breach. The ICO has since fined Equifax £500,000 and people who have been affected by the breach can register to make a compensation claim.


Equiniti

In August 2019, over 750 annual benefit statements were sent to the wrong postal addresses. These statements were for police officers of Sussex Police.
Equiniti, a company that provides support, communications and technology platforms to help manage company pensions, was responsible for distributing these statements.


LOQBOX

Fintech startup LOQBOX – a company that helps people to improve their credit ratings – suffered a cyber-attack in February 2020. As well as personal data, some financial information was also breached.


Easyjet

In 2020, EasyJet admitted that, as well as the personal details of nine million customers, over 2,000 passengers had their credit card details accessed by hackers.


If you would like to speak to us about your data breach or cybercrime experience and find out how much compensation you could be entitled to, contact Keller Lenkner UK today for a free, no-obligation, assessment of your case.