
Hayes Connor insights: data breach trends in 2018

Scrutinising the past 12 months, Kingsley Hayes, expert data protection solicitor and MD of Hayes Connor, looks at some of the key trends and insights we are seeing in this evolving area of law.

A lack of care is rife

At Hayes Connor Solicitors, we have received more than 2,500 enquiries from customers who have suffered as a direct result of a high profile data breach. That’s in the last six months alone.

These cases saw breaches of personal, financial and sensitive data involving the likes of Ticketmaster, British Airways, Dixons Carphone and Facebook.

Disturbingly, the response provided by many of these large organisations falls short of what we would expect. In many instances, when a breach occurs the accepted risk management plan seems to be:

  1. Say sorry
  2. Provide free security monitoring software
  3. Promise it won’t happen again
  4. Advise the customer that there is nothing that they can do to remedy any losses they might suffer.

Such a noticeable absence of care over the very real impact of a data breach should not be tolerated or accepted.

In 2019 we would challenge businesses to do more to accept their data privacy responsibilities and provide adequate redress where they fail to do so.

If this challenge is not accepted, more and more customers will look for help to protect their privacy, and claim back from organisations where they have suffered loss. Put simply, to avoid the threat of data breach compensation claims, businesses must do more than pay lip-service to the idea of data protection.

The financial impact of data breaches is not immediately apparent

At this stage, it has become clear that the impact and losses people sustain following a data breach are not always immediately apparent. Indeed, at Hayes Connor, we have seen cases where the financial losses only start to occur three to six months later. This is often because data stolen is used in batches over time.

With major breaches now occurring weekly (particularly in the retail sector), we expect this situation to escalate. As such, more must be done to protect customers following a data breach – and this cannot be a short-term fix.

Individuals are becoming more aware of their data protection rights

The introduction of the General Data Protection Regulation (GDPR) in May 2018 coincided with a significant increase in reported data breaches. So it seems that the GDPR has created greater public awareness about individual rights.

Indeed, at Hayes Connor we are currently dealing with over 200 enquiries per month from consumers. Complaints range from the inappropriate use of email to the deliberate or inadvertent disclosure of sensitive, financial, and medical information to third parties.

In most of these cases, the victim of the data breach will have tried to engage with the organisation that has committed the breach and been either rebuffed or provided with a wholly inadequate excuse. In almost all cases the organisation at fault fails to recognise the damage caused by the breach and loss.

The emotional impact of data breaches is not being taken seriously by organisations

You can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

A personal data breach is a 21st-century version of being burgled. And, being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.

According to Victim Support: “The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

Crucially, the law understands the damage that can be caused by worry and upset. But it doesn’t appear that organisations do.

In our experience, companies and their representatives (be they legal or insurance based) are still responding with a pre-packaged “we won’t do it again” approach. This fails to recognise the full impact of the breach, which can be significant and of a psychological nature.

We’ve seen cases where experiencing a data breach has resulted in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury. And, like financial losses, this is often happening months after the initial breach was revealed.

As awareness of the impact of data breaches grows, so does the need for the breaching organisation to understand that they must assess each victim as an individual, and understand the repercussions of the offence. One size does not fit all.

The ICO’s approach doesn’t yet meet the needs of the individual

Over the last few months, we’ve paid close attention to how the Information Commissioner’s Office (ICO) has responded to data breaches.

In our opinion, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. This has no doubt been done to secure the attention of the media and politicians, and to make sure that organisations take appropriate action in the immediate aftermath of any breach.

While we understand this approach, we also believe that the ICO still requires education on the lasting and full impact of data breaches. Because to date, the experience of the individual is still being downgraded.

As it stands, the ICO is not coming down hard on organisations that are reporting data breaches and apologising for the violations. This can leave victims of data breaches wondering whether their suffering has even been taken into account.

For example, at Hayes Connor, we have experience of a particular organisation with a track record of committing data breaches that can only be described as atrocious. Over the last four years over 150 reported incidents of the same type have been made, and despite reported changes to process and internal governance, in the months leading up to the implementation of the GDPR another significant and life-affecting breach occurred. Unfortunately, for those involved in this case, the ICO’s response was less than satisfactory. We hope that, as time progresses, so too will the ICO’s approach.

The law is evolving when it comes to data protection

Of course, data privacy is still a relatively new area of law. So it’s to be expected that it is still evolving. Recently we have seen more emphasis on the relationship between privacy rights and data protection from a legal perspective. And this is good news for individuals as it means we can start a claim based on more than one ground (i.e. for the misuse of private information and for breach of data protection obligations).

Other significant developments include:

  • Making it much easier to bring claims for compensation for distress alone (rather than as an add-on to a financial loss claim)
  • The courts looking at a wider range of factors when deciding on appropriate compensation (e.g. the consequences of the misuse of data, what information was breached, etc.)
  • The ability to hold organisations to account for data breaches caused by employees, third-parties, etc.

Also, the law now realises how important it is that cases are assessed in detail and on their unique merits.

Ultimately, while much has been achieved since the introduction of the GDPR, there is still a fair way to go before individuals can expect a standard of data protection we should all aspire to. And, until then, it seems likely that data breach claims will only continue to increase.

If you would like to contact us regarding a data breach case then you can do so here


Who can make a data breach claim?

Data breach claims are on the rise, not least because more and more organisations are using our sensitive personal data without investing in the necessary security measures to keep it safe.

At Hayes Connor Solicitors, our data breach lawyers are committed to upholding the rights of consumers across the UK. And, as part of this responsibility, we aim to ensure that as many people as possible understand their rights when it comes to this evolving and often complicated area of law.

So, in the UK, who can make a data breach claim?

Anyone who has suffered damage or distress caused by an organisation breaching any part of the Data Protection Act (the UK’s interpretation of the GDPR) has the right to claim compensation following a data breach. Both individuals and companies can make a data breach claim for compensation.

But, to claim compensation you must be able to prove that you suffered as a result of the data protection breach. And you can claim for both damages and distress.

Until recently, while a person who suffered damage might have had their compensation increased to take into account any associated distress, in most cases compensation would not have been awarded for distress alone. The only exception to this is where information had been used for journalistic, artistic, or literary purposes. However, this is no longer the case.

Today, you can make a data breach claim for distress even if you have not lost out financially.

How should you start your data breach claim?

If you think that a company is not looking after your data as well as it should, you can make a subject access request. You can make a subject access request at any time. For example, many of our clients make subject access requests to start the compensation claim process following a data breach. Find out more about how to make a subject access request here.

You should also ask the ICO to assess an organisation if you think it is guilty of a breach. If you want to contact the ICO you can do this here.

If the ICO thinks that an organisation has not complied with its obligations, it can give advice and ask it to solve the problem. The ICO’s main aim is to improve the information rights practices of organisations, where there is an opportunity to do so. However, the ICO will not usually investigate concerns where there has been an undue delay in bringing it to its attention. So, you should raise your concerns with the ICO within three months of your last meaningful contact with the organisation concerned (when you discovered the data breach).

However, it’s important to understand that, while the ICO does have the power to impose hefty fines on organisations in breach of their duties, it does not award compensation. But if the ICO thinks that an organisation is guilty of a breach, you can then use this information to support a data protection compensation claim.

Appointing an expert data protection solicitor

If you have contacted the ICO about a potential breach, Hayes Connor Solicitors can start to investigate your claim. We will work with the ICO to gather as much evidence as possible to help our clients succeed. In some cases, we can start a data breach claim without you having first registered your concerns with the ICO, but we always recommend this as a first step.

If you want to find out more about claiming for a data breach you can contact us here.

Merry Christmas

We would like to wish all our clients and followers a very Merry Christmas


Bank customer loses thousands of pounds in takeover fraud

In the latest example of takeover fraud, a customer of the Royal Bank of Scotland (RBS) had more than £4,300 stolen from her account despite the fraudulent caller answering one of her security questions incorrectly.

What is takeover fraud?

Takeover fraud happens when a criminal uses another person’s account information (e.g. a credit card number) to buy products and services. Takeover fraud is also used by scammers to extract funds from a person’s bank account.

With more than 24,000 reported cases, takeover fraud increased by 7% last year with bank accounts the most popular target.[1]

What happened in this case?

According to a report by BBC Watchdog Live, the bank maintained that the customer was aware of the transaction and refused to refund her. To make matters worse, the Financial Ombudsman Service – which helps to sort out disputes between financial businesses and their customers – backed RBS after the initial complaint.

However, following a BBC investigation, it was revealed that in a recording of the fraudulent phone conversation, a woman can be heard incorrectly answering a security question.

What’s more, a second transaction request made during the same phone call was refused after the caller was unable to answer additional security questions. This eventually led to a warning being raised against the account. The bank’s records also show that the fraudster failed the bank’s voice recognition checks and that the transaction was marked as a “potential account takeover”.

Despite this, a transaction of £4,318 was approved by the bank in a decision which it refused to reverse.

RBS has now apologised to the woman and issued her a full refund. However, it is unclear whether this would have happened without the Watchdog Live investigation.

Worryingly, the bank failed to consider the evidence in this case, including warnings raised by its security processes.

A new code of conduct

Since the con took place, most banks have signed up to a new code of conduct which provides an additional layer of protection to customers affected by bank scams. The new code is designed to minimise the number of financial cybercrimes by encouraging consumers to remain vigilant.

In essence, the new code means that a bank (or another financial provider) can only refuse to reimburse stolen funds where the customer has shown a very significant degree of carelessness. In this case, as the bank failed to heed the warning signs and the woman was in no way negligent, RBS would be liable for the subsequent loss.

Furthermore, under the new guidelines banks should not automatically blame the victims of increasingly sophisticated scams and must take a fairer approach to compensation. What this means is that you can be confident that any claim for reimbursement will be given fairer and quicker consideration.

The code is expected to be finalised next year.

Cybercriminals are becoming increasingly sophisticated

Online criminals are becoming increasingly sophisticated. And it’s not just lone hackers people should worry about. Today, cybercrime syndicates are evolving from existing criminal structures. And, as they strive to become as rich as possible, these criminals are sharing information and collaborating.

As such, banks must make sure that their processes are just as sophisticated and robust.

In this case, it was revealed that the woman’s phone line was diverted to a mobile number on the day of the call. This led the bank to believe that they were speaking to her at her home address. However, if all the other security checks and processes had worked, the woman would not have been left without her funds for over a year.

Can you get help for takeover fraud?

If you have been the victim of a takeover scam and need help getting your money back, there is some good news.

As well as setting out a new industry code designed to minimise the number of scams by encouraging consumers to remain vigilant, the new industry protections will help victims to secure compensation.

If you need legal help following a takeover scam, Hayes Connor can help. Our professional, friendly team will be pleased to answer any questions you might have, and advise you on what to do next.

[1] Cifas


What is no-win, no-fee?

Access to professional legal advice is a fundamental right. That’s why it’s important that everyone can afford to make a data breach or cybercrime compensation claim should they need to. Removing the financial risk, at Hayes Connor Solicitors, we provide our services on a no-win, no-fee basis to help our clients get the compensation they deserve. But what does this actually mean and are there really no costs if you appoint us?

What is no-win, no-fee?

A no win, no fee agreement is an arrangement between you and your solicitor. Also known as a Conditional Fee Agreement (CFA), if your claim is not successful, you won’t have to pay any money for the work carried out (as long as you adhere to the terms of our agreement).

No win, no fee agreements help people get the compensation they need following an incident that wasn’t their fault.

What if your claim is successful?

If your claim is successful (and that’s what we all want!), you might have to make a contribution to your solicitor’s costs. This ‘success fee’ is taken from the compensation awarded to you. The amount of the success fee depends on when your case is settled. But, with us, you’ll never have to pay more than 25% of your compensation. And, in some large group action cases, we might be able to recover this cost from the other party. In such cases you won’t have to pay any costs – win or lose.

Your obligations under a no-win, no-fee agreement

You do have obligations under a CFA:

  • You must not mislead your solicitor
  • You must not fail to co-operate
  • You must act in accordance with the agreement and the advice given by your solicitor
  • Should you wish to terminate your claim, you will be responsible for all costs and disbursements incurred by your solicitor.

Can you afford the risk?

Well yes. Because if you lose you won’t have to pay a penny!

In most cases, the loser has to pay the winner’s costs and disbursements (other legal expenses such as court fees). But to protect you from these costs, we always take out insurance to insure against this risk on your behalf. This is called ‘After the Event’ insurance (ATE).

With ATE insurance, if you lose your case (including a group action case), any costs will be paid by the insurance provider. This means that if your claim is not successful, you won’t have to pay a penny.


From the very first time you speak to us, you’ll find us helpful, friendly, and experienced. While each case is different, we can usually tell you straight away if you have a claim or not. Once you have confirmed that you want to proceed on a no-win no-fee basis, we’ll remove the hassle and take care of all the complex legal work for you. We always make sure you are fully informed about any potential costs before we proceed.


For more advice on how to keep your data safe, follow us on Twitter and Facebook.


500 million Starwood guests at risk following the Marriott data breach

Customers of Starwood Hotels & Resorts are at risk of identity and financial fraud following a massive data breach. Starwood’s hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton.

See the whole list of hotel and timeshare brands hit by the data breach here.

Marriott International purchased Starwood Hotel & Resorts for $13.6 billion in 2016, creating the largest hotel chain in the world. Marriott-branded hotels use a different reservation system and this has not been affected by the data breach.

What happened in the Starwood data breach?

The hotel chain has admitted that an unauthorised party had compromised its guest reservation database.

Worse, it appears that the hackers have had access to the network since 2014 and that they have accessed, copied and removed the private data of around 500 million customers. This information includes a combination of:

  • names
  • addresses
  • phone numbers
  • email addresses
  • passport numbers
  • account information
  • dates of birth
  • gender
  • arrival and departure information
  • credit card/bank card details.

While the hotel chain used an encrypted credit card system, it has admitted that the hackers could have stolen the encryption keys needed to decrypt this financial data.

What should you do if you are affected?

The Marriott group has said that it will contact all affected customers whose email addresses were in the Starwood reservation database. If you have been a customer of any of the affected hotels or timeshare properties between 2014 and 10 September 2018 and you haven’t received an email, make sure that you check your junk mail folder.

There is also a free helpline. For UK customers the number is 0808 189 1065.

The Information Commissioner’s Office (ICO) is also looking into this matter. The ICO is the independent authority charged with upholding data protection rights in the UK. In a statement it has said: “We have received a data breach report from Marriott involving its Starwood Hotels and will be making enquiries. If anyone has concerns about how their data has been handled they can report these concerns to us.”

Will Starwood offer compensation?

To date, no monetary reparation has been offered. However, this is one of the most serious data breaches of its kind. The theft of personal and financial information could lead to identity and financial fraud which has the potential to cause huge harm. So, if you are a Starwood Hotels & Resorts customer and you have suffered financial loss or distress because of the data breach you could be entitled to compensation.

Two US-based law firms have already filed class action lawsuits against Marriott International, and at Hayes Connor Solicitors we are now considering launching a group action to compensate UK victims of the Marriott data breach.

What are we seeing?

The Starwood Hotels & Resorts incident is a huge data breach. Not only because it affects millions of people, but also because the hackers have had access to this information since 2014.

Although Marriott is headquartered in the US, it still has to comply with the EU’s rules when dealing with citizens here. And, at Hayes Connor we have already received an influx of queries from people across the UK who are worried that they have been put at risk.

The good news is that the data regulator is investigating the case and Marriott International could be hit by a huge fine under the GDPR (the latest data protection regulations). However, this is of little help to consumers.

What should you do now?

Marriott is still working with cybersecurity experts to determine the scope of the breach. However, it is vital that you do everything you can to protect yourself. This includes:

  • Contacting your bank/credit card provider immediately if you are worried that your financial details have been exposed
  • Beware of fraudsters who attempt to gather personal information (phishing)
  • Report any suspected phishing attempts to the police and relevant authorities
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips. Call Callcredit, Experian and Equifax to ensure credit isn’t taken out in your name
  • Beware of any unsolicited communications that refer you to a web page asking for personal data
  • Register with a suitable fraud prevention service
  • Change your passwords on all your accounts
  • If compensation is offered, do not be fobbed off by a low amount. The effects of a data breach can be severe and long-lasting, so it’s vital that you get the justice you deserve.

Committed to helping victims of data breaches and cybercrime, we can take on your claim on a no-win, no-fee basis. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

If you have received an email from Marriott letting you know that your details have been put at risk, get in touch. We’ll let you know if and when you can claim. You can also read our step by step guide to making a data breach claim here. 



2018 data breaches. What do you need to know?

Over the last 12 months, cyber-attacks and data breaches have rarely been out of the headlines. And, this is causing more and more of us to worry about what might happen if hackers manage to access our accounts and steal our valuable data.

The truth is, in a digital age, almost everything we do online needs a degree of trust. From buying a holiday to sharing on Facebook or checking our credit rating. But, all too often, the companies we are putting our faith in are letting us down. And, all too often we don’t know we are being hacked until it is too late.

Here are some of the most significant data leaks our expert data protection lawyers have been dealing with this year.


Ticketmaster

In June 2018, Ticketmaster UK identified malicious software on a customer support product hosted by an external third-party supplier.

Following the breach, Ticketmaster admitted that the data of thousands of UK customers had been accessed. This included a number of customers’ personal and financial details.

Find out more about the Ticketmaster data breach.


Equifax

The Equifax data breach might have started in 2017, but throughout 2018 we continued to be contacted by people worried that their data had been breached.

The second largest credit reference agency in the UK, Equifax is used by a wide range of companies. So, even people who were not Equifax customers discovered that the company held a wealth of information about them. Information which lenders use to assess whether to give credit cards, loans, mortgages etc.

As a result, up to 15 million British consumers were at risk of having their personal details stolen.

An ICO investigation, carried out in parallel with the Financial Conduct Authority, revealed multiple failures at the credit reference agency. And, as a result, Equifax has now been fined £500,000.

Find out more about the Equifax data breach.

British Airways

Initially, it was revealed that almost 400,000 British Airways customers had had their personal and bank/credit card details stolen in what was reported to be one of the most severe cyber-attacks in UK history.

Worryingly, it took over two weeks before the data breach was detected by the airline. In response, questions were asked as to whether poor systems have made this cyber-attack worse.

When investigating this case, a second data breach was also uncovered. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates, and card verification value (CVV) numbers. And, a further 108,000 people had their personal details stolen.

Find out more about the BA data breach

Dixons Carphone

The Dixons (Carphone Warehouse) data breach took place in 2017 and resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores. The details stolen by cybercriminals include names, addresses, phone numbers, dates of birth, and email addresses. All of which can be used by cybercriminals to commit further crimes. The hackers also got access to the records of 5.9 million payment cards (nearly all of which were protected by chip and pin).

Again, while this case took place in 2017, the ramifications have continued into this year.

Find out more about the Dixons Carphone data breach


Facebook

Earlier this year, a whistle-blower revealed how Facebook data was illegally harvested and used to influence the US Presidential election. The violation occurred after Cambridge Analytica targeted users with political messaging after obtaining data from the social media platform. Questions were raised over whether this data was also used to influence the outcome of the Brexit referendum.

To make matters worse for the social media giant, in addition to the Cambridge Analytica scandal, the platform was also hacked in September. In this instance, hackers stole digital login codes in what has been described as Facebook’s worst ever security breach.

Steps to follow after a data breach

With people everywhere now facing the threat of more regular security breaches, it’s vital that you know what to do should you become a victim of online data theft.

  • If you are worried that your banking details have been exposed, contact your bank immediately
  • Beware of fraudsters who attempt to gather personal information (phishing)
  • Report any suspected phishing attempts to the police and relevant authorities
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips. Call Callcredit, Experian and Equifax to ensure credit isn’t taken out in your name
  • Beware of any unsolicited communications that refer you to a web page asking for personal data
  • Register with a suitable fraud prevention service
  • Change your passwords.
  • If you are offered any form of compensation or free services from the organisation that put your data at risk it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date
  • If you decide you want to make a data breach claim, read our handy step-by-step guide. If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation
  • Inform the Information Commissioner’s Office (ICO) about your concerns. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  • Contact Hayes Connor Solicitors. Our expert, online fraud and data protection solicitors will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. If you are not sure whether your information has been misused or mishandled, we can find this out for you. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

Credit card details hacked in Vision Direct data breach

Cybercriminals have compromised the contact information and financial details of Vision Direct customers in a recent data hack.

Both personal and financial information has been put at risk, including full name, address, phone number, email address, and password details, as well as sensitive credit card numbers, expiry dates and CVV security codes. This information could be used to carry out financial fraud and data theft, so customers are understandably worried.

Earlier this week, the UK retailer informed its customers that their data was stolen in a five-day hack between 3rd and 8th of November. It is understood that a bogus Google Analytics script added to Vision Direct’s website let hackers breach the company’s security defences.

Should you be worried?

The breach affects customers who logged into their Vision Direct account or updated their personal details during the period in which the hack took place. At present, 16,300 customers are thought to be at risk.

In a letter to its customers, Vision Direct has admitted that this “information could be used to conduct fraudulent transactions”.

It continues: “Vision Direct has taken steps to prevent any further data theft, the website is working normally and we are working with the authorities to investigate how this theft occurred.”

Vision Direct will contact any customers who it believes have been affected by the data breach. The company has also asked all users to review their bank statements and change their passwords on the site as soon as possible.

Is Vision Direct responsible for the data breach?

Even where cybercriminals target a business, in the eyes of the law it is still responsible for the data it holds. And, if found to be (even partially) responsible for a data breach, under the new General Data Protection Regulation (GDPR), it could be liable for millions of pounds in fines and compensation.

In this case, questions have been raised over whether or not Vision Direct had been storing CVV codes as it is not permitted to keep verification codes after payments are authorised. If this is found to be the case, the regulator is likely to come down hard on the business.

If you have suffered damage or distress caused by an organisation breaching its data protection responsibilities, you also have a right to claim compensation.

At Hayes Connor Solicitors, we have considerable experience helping individuals whose data has been breached and would also recommend some additional steps to keep users safe.

This includes looking out for fraudsters who attempt to gather more personal information (phishing), informing the Information Commissioner’s Office (ICO) about your concerns and reporting any suspected phishing attempts to the police and relevant authorities.

You can also check websites such as to see if your details have been compromised in a data breach.

Hayes Connor shortlisted for two Modern Law Awards

Modern Law Awards 2019

We are delighted to announce that Hayes Connor Solicitors (part of the Forster Dean Solicitors group of companies) has been shortlisted for two Modern Law Awards.

Now in their sixth year, the Eclipse Proclaim Modern Law Awards were launched to celebrate and identify sparkling talent and success in entrepreneurship, market development, business management and best practice in the modern legal services arena. The event organisers were overwhelmed with nominations this year, receiving more submissions than ever, so it is a significant achievement to be shortlisted.

Hayes Connor has been shortlisted in two categories in the 2019 awards: Boutique Law Firm of the Year and Marketing and Communication Strategy of the Year.

Commenting on the accomplishment, Kingsley Hayes, managing director at Hayes Connor said: “Through an almost entirely online approach, Hayes Connor Solicitors has fast become one of the most recognised names in the sector when it comes to helping clients to get the support they deserve following data protection breaches, cybercrime, and other online offences.

“Indeed, over the past 12 months, we have marketed, assessed and processed all our work to a successful conclusion; establishing ourselves as a major player in this developing and niche area of law.

“As consumers, we all want a fast, efficient, no-nonsense service. And this is just as true when it comes to technically complex legal services. So this is precisely what we deliver to our clients; using new technologies as we strive to ensure continued innovation.

“We have also established our position as a thought-leader, using content to provide value to claimants. We have invested heavily in client education to demonstrate our expertise in this area. The ability to provide clear and concise information about our clients’ rights is key. The nature of the work undertaken is complex and sensitive; so consumers need to understand exactly what redress they can seek.

“While our core strategy is to inform and educate consumers on their rights, this also allows us to market our services across multiple online platforms. We are one of the very few established and well-known law firms that adopt this methodology.

“We are also working with Victim Support to help those affected by cybercrime and data breaches. The partnership sees us provide the charity with regular expertise and advice on its legal content. Together we also create resources that raise awareness of the growing threat of cybercrime and data breaches. We believe that this helps us to exceed the expectations of client care and professionalism, as ultimately, the more people are aware of the risk, the better protected everyone will be.

“Ultimately, we believe that our approach will ensure long-term business success for us, while supporting those we serve, and we are thrilled that we are being recognised for our achievements.”

The award ceremony, which showcases and sets the benchmarks for best practice in the ever diverse, challenging and exciting legal landscape, takes place on Thursday 31st January in Manchester.

Starwood Guest Reservation Database Security Incident – have you had this email?

UK customers affected by the Starwood Hotels & Resorts data breach are now receiving an email from Marriott International (which owns the hotel group).

The Starwood brands affected by the data breach include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded time share properties are also affected.

The email confirms that:

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred.

“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

“Marriott reported this incident to law enforcement and continues to support their investigation. The company is also notifying regulatory authorities.

“Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

The email also sets out some steps that Marriott has taken since discovering the breach. These include:

  • Establishing a dedicated call centre to answer questions you may have about this incident. The call centre is open seven days a week, and is available in multiple languages
  • Sending emails on a rolling basis to affected guests whose email addresses are in the Starwood guest reservation database  
  • Providing guests with the opportunity to enrol in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.       

Marriott has also provided some additional security steps victims of the breach can take. This includes:

  • Monitoring your SPG account for any suspicious activity
  • Changing your password regularly
  • Not using easily guessed passwords
  • Not using the same password for multiple accounts
  • Reviewing your payment card account statements for unauthorised activity
  • Immediately reporting any unauthorised activity to the bank that issued your card.
  • Being vigilant against third parties attempting to gather information by deception (“phishing”), including through links to fake websites
  • Contacting the relevant authorities if you believe you are the victim of identity theft or your personal data has been misused.

In the UK, Action Fraud is the national fraud reporting service, and is the starting point for any police investigation into your loss. UK residents should also inform the Information Commissioner’s Office (ICO).

Committed to helping victims of data breaches and cybercrime, Hayes Connor Solicitors can also help you to claim compensation following the Starwood Hotels & Resorts data breach. And we can do this on a no-win, no-fee basis. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

If you have received an email from Marriott letting you know that your details have been put at risk, get in touch. We’ll let you know if and when you can claim. You can also read our step by step guide to making a data breach claim here.