Manchester Evening News, 30th March 2018

The MEN covered news of our data breach action against Facebook and Cambridge Analytica as both organisations deny any wrongdoing.


What does Facebook know about you?

You know that Facebook is embroiled in a massive privacy row. But among the news about what happened, who knew what, and what is still to be revealed, it’s important to look at WHY this data breach matters to ordinary people here in the UK.

What data does Facebook hold?

Lots. In fact, much, much more than most of us were aware. To access your Facebook data archive, go to your settings and click on ‘Download a copy of your Facebook data’.

Here is just some of the data Facebook might hold on you (depending on your permission settings):

  • Your profile details including your age, gender and education
  • Your telephone number and email address
  • Your likes and your friends’ likes
  • The websites you visit
  • Which events you’ve been invited to (and whether you accepted or declined the invitations)
  • Your political leanings
  • Your travel habits
  • Your relationship history
  • Every single person you’ve ever been a friend with on Facebook, including requests sent, denied requests and removed friends
  • Which ads you have clicked on (how often and when)
  • Which advertisers have your details
  • Every single contact on your phone, including ones you no longer have
  • How many times you’ve contacted every person whose contact details you’ve kept in your phone. This includes calls and texts made through your cellular network which have nothing to do with Facebook
  • Every single message you have ever sent via its platform
  • Every picture you’ve ever shared or received.

Why should you care?

Maybe you don’t care that Facebook has access to all this info. And, if the social media giant could 100% guarantee that this data was being kept safe, that might be okay. But the latest breach shows that Facebook has already put this data at risk due to poor internal processes. So, how can we be sure that this won’t happen again? And what is being done with the information already out there?

What criminals can do with your data

We already know that Facebook is under investigation, and that our data might have been used to influence how some of us voted in the Brexit campaign. And, if true, the manipulation of our democratic processes should be horrifying to everyone.

But even for those of us that aren’t political, we should be very worried about what could happen if this massive amount of data got into the wrong hands.

Cybercrime is on the rise, and according to research, hackers stole or compromised an estimated £20.2bn worth of records from businesses last year. While people of any age can be victims of identity fraud, the risk increases if you share information on social media. Even a normal, accessible profile can be used by criminals.

Check out this video by fraud prevention service Cifas to see how easy it is.

How private is your data?

Victims of ID fraud might have no idea that it is even happening until it is too late. Signs that your identity has been stolen include:

  • Bills or emails showing goods or services you haven’t ordered
  • Unfamiliar transactions from your account
  • An unexpected dip in your credit score

Take action now!

But what can you do to protect yourself and your data? Make sure you review your privacy settings on Facebook and all other social media channels. In particular, find out which apps have access to your Facebook data.


, ,

Data breach due to processing error.

A public services report that identified sensitive and personal information about Sarah* and her family was mistakenly posted to a random person. The most likely cause of the breach was a processing error when sending the report with a covering letter. Unfortunately this is a common yet dangerous occurrence in large and small organisations.

As a result, Sarah felt compromised in her dealings with the public body, and became stressed and anxious that the information would fall into the wrong hands. She was able to make a data breach claim which took into account the initial breach and the subsequent impact.

*Not real name


Data breach leading to increase in unwanted spam.

Paul* was the subject of a data breach when his employer was hacked and his personal and sensitive financial information was put at risk.

As a direct result of that hack, Paul was subsequently bombarded with unwanted spam calls and text messages, some of which became quite personal. This proved to be very distressing and resulted in Paul and his family suffering from distress and worry. Paul was diagnosed with an anxiety-related psychological condition that would require treatment to help him fully recover.

As the spam could be traced back to the original data hack, Paul was able to claim for the breach of his data and the injury caused.

Unfortunately, this situation is not limited to employers as such data is often held by public organisations, GPs, finance houses and public service suppliers. If you feel that your data has been compromised and you can track any increase in unwanted calls, entails, texts etc. back to that breach, you may have a claim for compensation. In the first instance you should report the breach to the ICO so they can investigate.

If you have experienced something similar to Paul then contact our experts today for advice on whether you can claim and what to do next.


*Not real name


Breach of data leading to employment dispute.

Jane* was referred to a qualified third-party for a standard workplace assessment. This assessment was designed to make sure Jane had everything she needed to reach her full potential in her job. However, the party conducting the evaluation added sensitive personal information about her to their report and gave this to her employer.

This information was not relevant to the assessment Jane undertook. Worse, it led to a dispute between Jane and her employer over the disclosures she made while applying for her job.

In response, Jane made a data breach claim against the workplace assessment provider. As well as claiming for the initial breach of her sensitive information, she also claimed damages for the loss and injury she suffered by the infringement when this knowledge was used against her.

Today, such unlawful disclosures are all too familiar, and in such cases, this can result in complex anxiety and stress. But in such situations, you can claim damages for any psychological injuries caused by the breach of your personal data. If you find yourself suffering, make sure you seek appropriate medical attention as soon as any symptoms arise so that the impact can be adequately assessed.

*Not real name

, , ,

Woman’s driving licence shared without her permission by a local council.

The public sector is privy to a wide range of our sensitive information and this data is regularly shared between organisations as part of modern governance and the delivery of public services. But, all too often this data is put at risk by government organisations.

What happened in this case?

The secretary of a committee informed Mrs Timlin* that the local council had emailed them a copy of her driving license.

Concerned that her data had been breached, Mrs Timlin searched online for a data breach solicitor and then emailed Hayes Connor to find out if we thought the case was worth taking on.

How did we help?

We agreed that Mrs Timlin’s data had been breached and took her case on a no-win, no-fee basis. We sent Mrs Timlin a detailed questionnaire which she filled out and returned along with some supporting documents so we could prepare her case.

Next, we instructed our appointed barrister to provide expert advice on Mrs Timlin’s prospects of success and the amount of compensation she was entitled to for the data breach.

Then we sent a letter before action (LBA) to the council. The LBA let the local authority know that we would be starting proceedings against it and we were very serious about getting Mrs Timlin the compensation she deserved for the distress caused by the violation.

The council responded, attempting to justify why it felt her claim was not valid. However, we replied setting out why it was, and we requested that they supply a number of documents as evidence. We also sent a ‘Part 36’ offer to the authority. This is designed to encourage parties to settle disputes without going to trial. This offer was accepted.

Commenting on her experience, Mrs Timlin said: “Highly professional and very informative, every step of the way. Also been very helpful! After this experience I can’t think of anything at all that could improve your service. Everything was explained to myself in a straightforward way, and I certainly would recommend Hayes Connor, without a doubt! Absolutely fantastic!”

Local government data breaches

Despite the threat of crime, all too often it’s human error that is often to blame for data breaches. If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation.

At Hayes Connor Solicitors, we’ve been helping people to do just that for over 50 years, so we know what it takes to make a successful central or local government data breach compensation claim.

Find out more about making a NO WIN NO FEE compensation claim, or contact us today for a free initial assessment.

*Name has been changed.

, ,

Man finds new owner of his computer console online using his login details.

Your data is a valuable commodity, but all too often the businesses we trust do not protect this as well as they should do. So, it’s no wonder that data breaches are on the rise.

What happened in this case?

Mr Andrew* sold his games console to a high street retailer under its ‘buy back’ service. This gave him the option to repurchase it at a later date. However, Mr Andrew didn’t take up this offer, and his console was then sold on.

Disturbingly, Mr Andrew then saw the person who bought his console online, using his login details. The new owner had access to his personal information and some of his bank details. Understandably this caused Mr Andrew a great deal of distress.

According to the retailer’s data protection protocols, every console should be erased of all personal information before it is sold to a new customer. In this case, this didn’t happen.

How did we help?

After searching online for a data privacy solicitor, Mr Andrew contacted Hayes Connor for our help. He gave us a call and found us easy to talk to. Next, we sent him a detailed questionnaire which he filled out and returned along with some supporting documents so we could review his case.

We took on Mr Andrew’s case on a no-win, no-fee basis. We instructed our appointed barrister to provide expert advice on his prospects of success and the amount of compensation he might win. At this stage, we also gathered additional evidence from Mr Andrew.

Then we sent a letter before action (LBA) to the retailer. The LBA let the business know that we would be starting proceedings against it and that we were very serious about getting Mr Andrew the compensation he deserved.

The retailer responded, attempting to justify why it felt Mr Andrew’s claim was not relevant. However, we replied setting out why it was, and we requested that they supply a number of documents as evidence.

At this stage, we also sent a ‘Part 36’ offer to the retailer. This is designed to encourage parties to settle disputes without going to trial. However, the company rejected this offer and referred us to PlayStation’s guidance when selling on a games console.

In response, we re-requested that the retailer confirm the guidance it provides employees before selling on electronic devices. And, following this, the buisness made Mr Andrew’s an offer of £2,000. We suggested that this should be increased to £3,000 (and costs) and this offer was accepted.

Mr Andrew found working with Hayes Connor Solicitors “really easy and very helpful.” When asked if the documentation we sent was easy to understand he said: “Yes definitely and if I didn’t understand they made me understand straight away.”

Mr Andrew is happy with the result of his case and the excellent service he received. Speaking about his overall view of making a data breach claim he said that he is “really satisfied with Hayes Connor and would never have to think twice about recommending them to anyone else”.

Data breaches by private companies

Private companies must be held accountable for data losses. With large-scale, high-profile hacks and breaches happening more and more often, this could be the only way to ensure that businesses implement more secure processes.

Most data breaches are preventable. However, companies don’t like investing in cybersecurity, updating their systems, or training their staff. Where your data has been put at risk or misused because of the negligence of others, it’s essential that you are compensated, and action is taken to make sure it never happens again.

At Hayes Connor Solicitors, we’ve been helping people to do just that for over 50 years, so we know what it takes to make a successful data breach compensation claim.

Find out more about making a NO WIN NO FEE compensation claim, or contact us today for a free initial assessment.

*Name has been changed.


Tesco Bank data breach. Are you affected?

Tesco Bank is at the centre of a recent data breach investigation after thousands of customers’ sensitive information was carelessly leaked. The bank has found itself in the spotlight after Travelex – which runs Tesco Bank’s foreign currency exchange service – admitted that a breach had occurred putting 17,000 users at risk.

This data leaked includes full names, dates of birth, phone numbers, delivery/billing addresses, email addresses, IP addresses and partial payment card numbers. Travelex stresses that card information was disguised using industry standards, so ‘no financial information was put at risk’.

It is thought that the cause of this breach is down to human error rather than a cyber-attack, although an investigation is ongoing.

Do you need to worry?

The Travelex breach involves travel money customers who used Tesco Bank’s foreign exchange currency service online between 14 December 2016 and January 2017.

If you have been affected, you can expect to receive a letter from Travelex soon. The company has also set up a special hotline 0800 9758376 (Mon-Fri 9am-5pm) or via email

What should you do now?

While Travelex is adamant that financial information is safe, and that there is no indication that any of the data has yet been used by a third party, your name, date of birth and contact details can be used by cyber-criminals with the aim of committing identity theft and fraud. So the breach is a significant one; particularly if the information finds its way onto the darknet.

As such it is vital that those at risk:

  • Report their concerns to the ICO to ensure a full investigation takes place
  • Review guidance issued by the ICO
  • Review all bank accounts and credit card statements for unusual transactions
  • Be cautious of any unsolicited communications that ask for any personal information or refer you to a website asking for the same
  • If you have been the victim of online fraud or identity theft, you should also contact Action Fraud. You can do this online or via telephone. Action Fraud is the national fraud reporting service and is the starting point for any police investigation into your loss.

While Travelex is offering 12 months complimentary fraud protection to those affected, we advise anyone signing up to be careful that in doing so, they are not inadvertently signing away their rights to pursue a compensation claim against the company. If you are any doubt, please contact us and we can advise on the terms and conditions of this offer.

Can you claim compensation?

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. In this case, we would expect payment of between £1,500 – 2,500 due to the details disclosed. However, this could increase further if you suffer any financial losses because of the breach.

If it is found that the leak was down to human error, there is a case for negligence. What’s more, we are especially concerned that there may have been a delay in disclosing the breach. If this is true, this could lead to aggravated damages being awarded (additional damages caused by the delay).

At Hayes Connor Solicitors we can seek compensation on your behalf. Likewise, if you suspect your data has been mishandled or lost, we can check whether this is the case, and if so, start the claims process.

Because of the number of people involved, we may also be able to mount a group action claim. With this approach, you and the other Claimants collectively bring your cases to court against a Defendant. Where circumstances are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim. As specialists in data law, we are watching this case very carefully and may put together a group action and seek compensation when the investigations are complete.

What now?

If you have been affected by this breach, contact us to start the legal proceedings. Likewise, if you want to be kept up to date on this case, get in touch. We’ll let you know if and when you can claim.


facebook data
, ,

Facebook data breach. Have you been affected?

Last week, a whistle-blower revealed how Facebook data was illegally harvested and used to influence the US Presidential election. The breach occurred after Cambridge Analytica targeted users with political messaging after obtaining data from the social media platform.

Cambridge Analytica got this information from a researcher, who garnered details on the likes and habits of Facebook users via a personality quiz app called ‘This is Your Digital Life’. Crucially, this information was shared without user consent.

The data of around 270,000 users is thought to have been collected via the app, which also accessed public data from users’ friends. Of this, about 50 million profiles were harvested for Cambridge Analytica before the user consent rules were tightened up.

Since then, Facebook chief executive Mark Zuckerberg has admitted to privacy errors and said that he made a mistake in not telling users about the leak when it was uncovered in 2015. It has also been revealed that Facebook could have done more to prevent the breach in the first place.

Worryingly, while Facebook is now changing the way it shares data with third-party applications, in addition to the Cambridge Analytica incident, Zuckerberg admits that this might not be the only instance where user data was exploited.

In fact, more apps could have “gotten access to more information, and potentially sold it” without Facebook knowing. As such, a full investigation of “every app that got access to a large amount of information” is now underway. While specific details haven’t been revealed, the number of apps thought to be covered by this investigation is in the “thousands”.

Protect yourself following the Facebook data breach

Facebook has now promised to inform users if their data was accessed by any apps that might have misused it. In the meantime, to find out which apps have access to your Facebook data, it’s important to review your setting on the platform.

, ,

Facebook could have prevented data breach

Facebook is facing accusations of data harvesting after it was revealed that an “unprecedented” infringement took place in 2014. Perhaps even more damaging, while Facebook found out about the breach in 2015, the social media giant failed to alert its users, and did not take adequate steps to recover and secure the private information.

To make matters worse, whistleblower, Sandy Parakilas who worked as a platform operations manager at Facebook from 2011 to 2012 has told MPs that his concerns about lax data-protection policies at the company were ignored by senior executives. He said that covert harvesting was routine at the social network, and that Facebook did not do enough to prevent, identify – or act upon – data breaches.

Speaking to a parliamentary committee on Wednesday Parakilas said that while the security team at Facebook was “very, very good,” “they’d allowed people to get all this data on people who hadn’t really authorised it, and it was personally identifiable data.”

He added that Facebook gave the impression that it was worried it would be held liable if it investigated a suspected breach and found policies or laws were broken.

Commenting on Facebook’s lack of action over the recent Cambridge Analytica breach revelations, Parakilas said: “It has been painful watching, because I know that they could have prevented it.”

Last night, Facebook chief executive Mark Zuckerberg admitted user privacy mistakes and said he realised he needed to be more public and accountable. In an interview with CNN, he said that he was willing to testify to any US government inquiry over the Cambridge Analytica scandal, and that he would not be against regulation of his social media company. He has also pledged to review “thousands of apps” in an “intensive process”.

Zuckerberg also admitted that Facebook made a mistake in not telling users about the leak when it was uncovered in 2015. He said: “I regret we didn’t do it at the time. I think we got that wrong”.

Have you been affected?

Facebook has now promised to inform users if their data was accessed by any apps that might have misused it.