FAQs about the Police Federation of England & Wales Data Breaches
March 31, 2023
We have collated some of the frequently asked questions put to our data protection lawyers about the PFEW data breaches. Get out answers…
In March 2019, The Police Federation of England and Wales (PFEW) suffered two ransomware cyber-attacks. During the attacks, the hackers accessed the PFEW’s systems and encrypted several of its databases, making them inaccessible to the PFEW. The attacks also gave cybercriminals access to the same databases, which contained the personal information of around 130,000 police officers at all levels.
In March 2022, three years after the incident, the PFEW finally admitted liability for unlawfully processing police officers’ personal data by not having the appropriate technical and organisational measures in place. PFEW claims there is no evidence that data was actually taken. Nevertheless, PFEW members affected by the data breaches still haven’t been told exactly what happened.
Many members have experienced lasting distress following these cyberattacks and have contacted us to help establish the facts and make a compensation claim.
KP Law has now launched a group action and is acting for 13,000 police officers affected by the PFEW data breach.
Your data might have been compromised in this attack if any of the following apply:
The PFEW has failed to notify retired police officers of the attacks directly
Because the Federation holds officer data until their death (or their 100th birthday), retired officers could be involved in this data privacy violation, even if they were not PFEW members at the time of the breach.
Many retired officers were affected but not notified of the PFEW cyber incidents directly. This is a significant failure by the PFEW.
If you retired before 2019 but were – or were previously – a PFEW member, you might be affected and have the right to claim compensation.
On its website, the PFEW states that it is highly unlikely that personal data has been “exfiltrated”. It claims that, without proof of exfiltration, PFEW members and retired officers do not have a claim for compensation.
This is not true!
“Exfiltration” is not the legal basis for our action against the PFEW.
Under the GDPR, a ‘personal data breach’ is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The mere fact that the PFEW’s databases were encrypted by the cybercriminals shows that personal data was unlawfully processed – and PFEW has admitted that it failed to take appropriate technical measures to protect its members’ data!
The PFEW has admitted that it cannot recover much of the data, that data has been lost, and that data has been destroyed because of the cyber-attacks. Furthermore, the PFEW cannot confirm exactly what happened to its members’ data. Although it continues to claim that there is ‘no evidence’ that data was taken by cybercriminals during the attacks, it cannot say for sure.
For these reasons, and because of the distress caused by not knowing what has happened to the compromised data, affected members and former officers have valid compensation claims against PFEW.
It is misleading., and the PFEW does its members a disservice, to suggest otherwise.
Organisations are expected to make efforts to prevent any loss, destruction, or unauthorised disclosure of the personal data they have collected. Further, they are expected to share details about data breaches with those who have been affected.
The PFEW states that it is highly unlikely that personal data has been “exfiltrated” in the security incidents. However, even if this is the case, a clear GDPR data protection breach has occurred. As such, affected serving and retired officers are entitled to claim against PFEW.
The PFEW data breach could have significant consequences for its members. Our clients have told us that they are appalled the PFEW did not inform them about the data breach, that they are worried that the breach has put them and their families at risk, and that they feel let down by the PFEW.
“I was appalled that the data breach occurred and then the most alarming thing was not to be informed of the actual data breach meaning I could not do anything about to protect myself and my personal details.”
Police Federation Member
“I thought I would receive a full response from the Police Federation and information regarding their response and actions they were going to take in the future. I felt like the Police Federation were unable to protect my information. I feel like they don’t care about it, I don’t feel valued.”
Police Federation Member
“I was surprised that such a professional organisation could allow such an act to happen. As serving Officers we place a level of trust within the PFEW in providing us with layers of protection and ensuring that we are treated with fairness and equality and providing us with a service that protects our interests and safety. I immediately thought that the PFEW had failed my colleagues and oneself in respect of this data breach.”
Police Federation Member
“I thought that this was a very unsafe position to leave me in. I have been part of one of the largest organised crime investigations ever in UK history and had a key role in ensuring this successfully put dozens of top level criminals in prison. The exposure of my data made me think that the police Federation did not take data security seriously and left me and my family at risk.”
Police Federation Member
“The PFEW should 100% have had things in place to prevent this from happening. It’s absolutely outrageous that this was allowed to happen.”
Police Federation Member
“I felt physically sick. I thought about the physical risk to myself and my family from criminals and I couldn’t sleep at night. I had nightmares and would wake up to any small sound until we moved house. It made me paranoid about new or strange people I saw on my street. It’s was really horrible and I felt terribly let down by the organisation whose job it is to keep us and our personal information safe.”
Police Federation Member
“I did not understand how such an important breach could occur, I placed my trust in the police federation and thought that this would put myself and family at risk of harm.”
Police Federation Member
“My trust in the organisation has definitely been affected negatively and that should not have been allowed to happen. I think the years I have spent reducing the risk of my information being easily accessed has been completely wasted.”
Police Federation Member
We believe that our group action against the PFEW has legal merit for several reasons:
The compromised information includes:
Our PFEW clients have experienced significant and lasting distress as a result of these cyberattacks. They have told us about experiencing fear, anxiety and stress because of the violation; others have had their existing conditions exacerbated. Not knowing how cybercriminals were able to access their sensitive details, or what they have done with this data, has caused our clients considerable distress – especially given the nature of their jobs.
The lack of answers from the PFEW following the breach has also added to our clients’ distress. Unable to get an explanation for why this breach was allowed to happen, many have turned to KP Law for help.
Our data breach team includes some of the most skilled litigation lawyers in England & Wales. We have the experience, diligence and means to fight our clients’ corner and win. We are never afraid of a fight and are ready to take on the large organisations that other law firms shy away from.
We are representing police officers in this case on a no-win, no-fee basis to ensure they have access to the absolute best lawyers without worrying about legal fees.
Ultimately, we act for clients who deserve to win and do everything we can to ensure that they do.
“Police officers deserve to have the highest possible level of protection when it comes to their valuable personal data. Criminals could use this extremely sensitive information to cause serious harm.
“The impact of the PFEW’s data protection failure has had a significant effect on those affected, and the lack of care shown by the federation after the incident has raised further questions about what happened.
We are helping over 13,000 police federation members who are concerned that they are affected by the data protection failure, and we can help you too.”
While the PFEW is attempting to discredit the affected officers’ right to claim compensation for this breach, it has admitted to several facts that we believe strengthen our case. For example:
Despite repeated attempts to open negotiations with the PFEW, it has consistently refused to engage with our data breach solicitors about the claim. In response, KP Law had no choice but to take this matter to Court.
In December 2022, we took an important step forward when we issued a claim form against the PFEW at the High Court. At a hearing in March 2023, the High Court agreed that it was appropriate to make case management directions for a trial of the lead claims. This means that the claims against the PFEW will be managed by the Court going forward in a manner that protects the overall position of the victims and will ensure that the case is litigated efficiently and treated seriously by the PFEW. This increases the chances of success (via Court or settlement) for those affected by the breach. Given the large numbers of people affected by the PFEW hack, we believe that collective litigation is the best and most efficient way to conduct this claim.
The CCMC (Costs and Case Management Conference) is scheduled for two days in September 2024.
On behalf of our clients, we applied for a blanket anonymity order to keep their identities a secret. However, the PFEW asked that we amend this order. As such, claimants may be named in the action, but their addresses and other personal details will be anonymised.
Despite this incident happening almost four years ago, the PFEW still has not fully explained to its members why criminals were able to access its systems. This has left many members frustrated and distressed.
In addition, although the PFEW notified a small proportion of its members directly, the PFEW did not notify all its members who were affected by the attacks. Under the GDPR, the PFEW was required to notify all those affected ‘without undue delay’. The Federation claims that its delay was due to its email being down for several weeks because of the attacks.
At KP Law, we have seen victims of similar data breaches become the target of cybercriminals, with instances of phishing, fraud, and identity theft. By failing to take sufficient steps to notify all those affected, PFEW members were left exposed as they were not given the opportunity to protect themselves from such threats. This added to victims’ worry when they eventually found out about the breach.
Years later, we are still receiving enquiries from police officers who were never notified about the breach. We think this is unacceptable.
Where personal and sensitive information is held, significant and robust processes must be in place to secure that data and prevent successful cyberattacks. This is known as the integrity and confidentiality principle. While the PFEW was the victim of two cyberattacks in March 2019, it was the PFEW’s inadequate security measures which created the initial vulnerability.
As such, we believe that the 2019 PFEW data breaches are a clear and serious infringement of data protection laws and a violation of officer trust and safety.
In data breach cases, action is needed to make companies accountable for serious security failures. Claiming compensation is often the only way to ensure that secure processes are implemented. What’s more, in a world that is increasingly digital, cyber-attacks are going to happen. Any organisation that holds sensitive personal data should have taken out insurance to cover the risk of cybercrime.
Organisations like the Police Federation must treat your data lawfully and be held to account when they fail to do this.
At KP Law, we are running the PFEW data breach action on a no-win, no-fee basis. This means you won’t pay a penny towards your case if your claim is unsuccessful. There are no hidden charges or fees.
We have collated some of the frequently asked questions put to our data protection lawyers about the PFEW data breaches. Get out answers…
We have uncovered that the PFEW has failed to notify retired police officers of the attacks. Even if their personal data was compromised in this shocking data security failure.
Find out more about making a group action claim for compensation.
What does no-win, no-fee actually mean and are there really no costs if you appoint us?
We are one of the most experienced multi-claimant law firms in the UK.
Our GDPR, data breach and cybercrime specialists have a combined experience of over 50 years.
We represent clients in group actions with innovation, resources, and expertise.
We work with expert barristers to ensure you get the very best level of legal support available.
We have all the resources and global expertise necessary to take on complicated cases and win.
We have offices in London, Liverpool, Manchester, and Birmingham, and the technology to provide a nationwide service to clients across England & Wales.
We use technology to deliver a better legal experience to our clients.
We work on a no-win, no-fee basis.
We make the process straightforward and hassle-free.
See our answers to the FAQs we get asked about the PFEW Data Breach.
The Police Federation of England and Wales (PFEW) suffered a severe data breach across a number of its databases and servers. The first attack occurred on 9 March 2019 when entry to the PFEW’s network was gained via a “password spraying” attack. This happens when common username and password combinations are used to gain access to a system or network. A robust password protocol should have stopped this initial attack from being successful.
A further, and separate ransomware attack took place on 21 March 2019. This attach impacted the PFEW’s wider IT network. This entry point was via a remote access support tool used by an IT service provider. According to the PFEW, while it has uncovered no evidence that any personal data was accessed, downloaded, or targeted as a result of the cyber incidents “the attackers’ unauthorised access to PFEW’s network means that they had the theoretical ability to access certain personal data held by PFEW.”
Ransomware is a type of malicious software. Typically cybercriminals use ransomware to threaten to publish the victim’s data, or to block access to it unless a ransom is paid. Ransomware attacks are becoming more widespread.
As a result of the PFEW ransomware attack, there was some disruption to services and backup data was also deleted.
Those affected should have been contacted by the PFEW. However, if you suspect your data was compromised, and you have not been told that your information was breached, you can contact our data protection experts for help.
While each case is judged on its own merits, there are some things we would typically look for when it comes to when claiming compensation following a data breach, cybercrime or other GDPR violation:
With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.
GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.
KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.