There is no doubt that the last few years have been transformative for data protection. Today, more of our data is being used and shared than ever before, especially as we all rely on technology in our business and personal lives. But this increased reliance on technology does not come without risk, and too many organisations are still failing to take data protection seriously.
In 2020, as the world struggled to overcome the challenges brought about by the coronavirus pandemic, data protection issues were thrust into the spotlight as the challenges of an at-home workforce and the need for remote technology and health-focused apps became apparent.
Nevertheless, despite the pandemic, the legal world continued to operate, with record data protection fines being issued by the Information Commissioner’s Office (ICO).
In our 2020 annual report, our expert data protection lawyers take a look at some of the key cases and developments that occurred in the world of data breach law over the last 12 months.
Head of Data Breach, Keller Lenkner UK.
In January 2020, the ICO fined Dixons Carphone £500,000 after a massive data breach at the company in 2017. According to the ICO:
“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”
The details stolen in this breach included names, home addresses, phone numbers, dates of birth and email addresses. The hackers also gained access to the records of 5.9 million payment cards.
Keller Lenkner UK has launched a group action against Dixons Carphone. Group actions can be a powerful tool and can have a bigger impact than a single claim.
In a month that changed everything, on 11 March 2020, the coronavirus outbreak was labelled a pandemic by the World Health Organisation.
Quick to see the impact this might have on data protection, Kingsley Hayes (who later joined Keller Lenkner UK as Head of Data Breach) raised concerns in the media about how the coronavirus pandemic might lead to an increase in data breaches.
In particular, he discussed:
On 14 March 2020, the Maze ransomware group attacked the computer systems of Hammersmith Medicines Research (HMR) – a company which performs early clinical trials of drugs and vaccines.
HMR did not pay the ransom. Malcolm Boyce, managing and clinical director at HMR, said: “We have no intention of paying. I would rather go out of business than pay a ransom to these people”.
In response to this refusal, the cyber gangsters published the personal and medical details of more than 2,300 former volunteer patients online. The information has since been taken down.
The extremely sensitive and confidential information exposed in this hack includes:
The data exposed went back years.
In 2018, a huge data breach put 339 million Marriott International customers at risk. But in March 2020 it seemed that the hotel giant was still not taking its data protection responsibilities seriously, as it suffered a further breach – this time involving the personal information of 5.2 million guests.
The Supreme Court decided that supermarket chain Morrisons was not liable for a deliberate data breach caused by a disgruntled employee. However, this decision does not mean that businesses can be complacent. In most cases, data breaches are not caused by people seeking to cause damage to a brand. Instead, they are the result of genuine human error made possible due to poor security processes and a lack of training. And, for that, an employer can still be held liable.
The Babylon Health GP video appointment app gave some users access to videos of other patient consultations. The app had become especially popular during the COVID-19 pandemic, as it provided an alternative to visiting the doctor in person.
Commenting on the breach, Kingsley Hayes said:
“Healthcare is rapidly going digital. But, amidst this online information revolution, there must be robust protections in place. This is essential to secure confidential and sensitive medical data. Especially because, should such information become public, this could cause considerable distress and embarrassment to those involved. And, it might even be exploited by criminals.
“By allowing GP sessions to become public, Babylon has breached the Data Protection Act, and doctor-patient confidentiality. The healthcare sector handles some of our most sensitive personal data, and, as patients, we have the right to expect this will be taken care of. Babylon failed to do this.”
In July 2020, it was revealed that over 100 educational and third-sector organisations were at risk following a breach of the Blackbaud cloud platform. Blackbaud – a firm that provides administration, fundraising, and financial management software – was targeted by cybercriminals in a devastating cyber-attack. The hackers demanded a ransom in exchange for deleting the data, which Blackbaud paid.
The US-based software provider took weeks to warn people that their data had been stolen. Furthermore, despite initially claiming that financial data had not been stolen, Blackbaud has since admitted that bank account information and users’ passwords were among the details feared accessed by hackers, although not everyone will have had their financial details compromised.
According to media reports, the affected institutions included:
In July 2020, hackers targeted the British Dental Association’s (BDA) systems. Cybercriminals accessed personal and financial data including:
As the BDA confirmed that its servers were illegally hacked, it also warned dentists to be extra vigilant. In particular, the BDA has suggested that members take the following steps as a precaution:
On 14 September 2020, Public Health Wales (PHW) admitted that a mistake had led to a data breach involving the data of Welsh residents who had tested positive for COVID-19 between 27 February and 30 August.
The breach exposed the following information:
"Data is playing a crucial role in reducing the spread of COVID-19, but the need for robust security measures to protect personally identifiable information should not be overlooked. At this time of crisis, organisations – especially those that deal with sensitive medical data – must ensure that patients are protected. This is particularly important as the UK quickly adopts new technology such as apps to help keep us safe. Being mindful of potential data protection risks and implementing appropriate security measures must remain a priority.
"Of course, our healthcare sector does a fantastic job, often under very challenging circumstances. But all too often data privacy is being treated as an afterthought. As in this case, the vast majority of data breaches are caused by human error, but we should not downplay the potential impact of this violation. Not least because those affected are no doubt already experiencing distress due to a positive COVID-19 diagnosis. The additional worry about having their privacy violated at this difficult time could prove devastating."
Shopify admitted that it caught two rogue employees stealing transaction data from its online stores. The theft impacted around 200 merchants and their customers. The businesses put at risk in the Shopify data breach included Kylie Jenner’s make-up company, which has already informed customers about the privacy violation. The incident occurred between 15 August and 15 September 2020.
The ICO fined Marriott International Inc £18.4 million after a data breach put the personal data of some 339 million customers at risk. Seven million guest records related to people in the UK.
The ICO investigated on behalf of all EU authorities as lead supervisory authority under the General Data Protection Regulation (GDPR). The penalty and action have been approved by the other EU Data Protection Authorities.
Whilst the Marriott data breach was discovered in 2018, it could affect customers who made a booking at one of the affected hotels and timeshare properties as far back as 2014. However, the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.
The ICO fined British Airways £20 million for a serious data breach which took place in 2018. The breach – which happened due to a cyberattack – compromised the personal and financial details of more than 400,000 British Airways customers and staff.
The hack went undetected for more than two months and was eventually discovered by a third party. According to the ICO: “It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant”.
British Airways was initially facing a £183 million fine for the data breach. However, this amount was reduced to £20 million after appeal.
In October 2020, we issued legal proceedings against the Royal Mail. The action related to the release of employee information collected by Royal Mail as part of an internal investigation following allegations of harassment and bullying made against another Royal Mail employee.
The claimants in this case had a reasonable expectation of privacy given the circumstances. Despite this, during the investigation, personal information was sent to a third party. The personal data included addresses, mobile telephone numbers, and in one case the name of an individual who had asked to remain anonymous. Although Royal Mail had informed the claimants that interview notes would be shared with the third party, those involved were reassured that their personal details would be removed before doing so.
Keller Lenkner UK believes that Royal Mail is vicariously liable for the actions of its employees in sending the documents to the third party, as the employees were acting within their field of activities and furthering their employer’s purposes.
In October 2020, the ICO fined Ticketmaster £1.25 million for a shocking data privacy failure which took place in 2018. In this case, cybercriminals hacked Ticketmaster’s website resulting in a significant data breach. The Ticketmaster data breach exposed customer names, addresses, email addresses, phone numbers, financial/payment details and Ticketmaster login details. In total, 40,000 people in the UK had their payment details swiped.
Although the breach began in February 2018, the penalty only related to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect.
In the first major post-GDPR case against a tech company, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC) for privacy breaches. This was the first time a multinational tech firm had been held to account by the Irish regulator since the GDPR was introduced. The penalty was issued because Twitter failed to promptly declare and properly document a data breach.
The Irish DPC is the lead EU privacy supervisor for several tech giants.
This case could be significant as there is a backlog of investigations against the likes of Facebook, WhatsApp, Google, Apple and LinkedIn (amongst others). Facebook has said that it has put aside €302 million for potential regulatory fines.
Kingsley Hayes, Head of Data Breach at Keller Lenkner UK, discussed these findings in Legal Futures.
NHS Highland patients were involved in a serious medical data breach. The health board admitted that the details of 284 patients were sent to 31 people. The data breached included patient contact details, dates of birth and the names of their clinics.
In December 2020, it came to light that HMRC had reported a series of ‘serious’ personal data incidents last year. For example:
Other data breaches at HMRC occurred due to cyber-attacks and a catalogue of human errors.
When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach.
At Keller Lenkner UK, our data breach team has the legal expertise and resources necessary to take on the corporate giants. We have supported thousands of multi-claimant and group-action data breach clients, and we can do the same for you.
In June 2021 it was revealed that over 100 special forces troops were publicly identified in an email security breach. Given that the names of those in special forces units are strictly protected, this is a severe breach that could have serious repercussions on UK intelligence and those whose data has been revealed.
In January 2021, London-based estate agent Foxtons discovered that it had experienced a huge data breach. But, despite an investigation finding 16,000 card details, addresses and correspondence related to this breach on the dark web, Foxtons did not tell its customers that criminals had accessed and exposed their data.
The National Trust has issued a data breach alert after a cyberattack on cloud computing company Blackbaud. Blackbaud provides software to the National Trust. The National Trust confirmed that data about its volunteering and fundraising communities has been compromised. Its 5.6 million members are not thought to be at risk.
The Maze ransomware group attacked the computer systems of Hammersmith Medicines Research (HMR) – a company which performs early clinical trials of drugs and vaccines. The criminal group had previously promised not to attack medical organisations during the coronavirus outbreak.
The personal details of victims of crime in Greater Manchester have been put online by mistake.
The data breach affects victims of sexual abuse, witnesses and people reporting crime. According to the Force, no informant details were breached.
Thousands of people are thought to be affected.
In August 2019, over 750 annual benefit statements for Sussex Police officers were sent to the wrong postal addresses.
Equiniti, a company that provides support, communications and technology platforms to help manage company pensions, was responsible for distributing these statements.