data breach
, ,

How to stop your phone from tracking your every move

Did you know that some companies are using your smartphone to track you throughout the day? And quite often you will have agreed to this personal surveillance simply by agreeing to the terms and conditions of using a service.

If you are worried about the likes of Facebook and Google using your phone to keep tabs on you, there are some steps you can take to take back ownership of your personal data and privacy.

How to protect your privacy

  • Turn off location history
  • Delete your location history
  • Delete apps that you no longer use from your device
  • Avoid apps that demand access to a huge amount of personal data (e.g. Facebook Mobile). Instead you can access these services via a browser with a private mode
  • Check the default settings of all the apps you use.

However, when you turn off location history, Google still tracks your location when you use key services including Maps, search and weather. To prevent Google from doing this:


  • Go to Settings
  • Select Google
  • Select Google Account
  • Select the Data & Personalisation
  • Select Web & App Activity and toggle off


If you really want to prevent your phone from tracking you, you should also turn off location services on your iPhone or Android device and only turn this back on when needed (e.g. when you want to use Google Maps). However in doing so your phone will feel a whole lot less useful.

Check out this page to see everywhere you have been with your phone.

If you are worried about how your data has been used and want to speak to one of our experts contact us today

hayes connor solicitors
, ,

Organisations are failing to understand the emotional impact of data breaches

At the end of last year, our managing director Kingsley Hayes revealed the key data privacy trends that our firm has seen since the General Data Protection Regulation (GDPR) came into force. You can read more about these trends here. One thing we are seeing is that organisations are not taking the emotional impact of data breaches seriously. Many of which we trust to look after our sensitive information.

What are we seeing when it comes to the emotional impact of data breaches?

At Hayes Connor Solicitors, we have received more than 2,500 enquiries from customers who have suffered as a direct result of a high profile data breach. That’s in the last six months alone.

Every day we are also helping the victims of smaller data breaches who are miserable and upset because of a data breach.

All too often, the victim of the data breach will have tried to engage with the organisation that has committed the violation. But they will have been rebuffed or offered a wholly inadequate excuse.

Almost every organisation fails to recognise the stress, anxiety, upset and anguish caused by the data breach.

A personal data breach is a 21st-century theft

If a criminal came into your home and stole your private information, you would be distressed. So why should you feel any less upset at having your online data taken?

Being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.

We’ve seen cases where experiencing a data breach has resulted in adverse life events. For example, having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury. And this is often happening months after the initial breach was revealed.

What do the experts say?

According to Victim Support:

“The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

Furthermore, at Hayes Connor we recently spoke to renowned clinical psychologist Professor Hugh C. H. Koch – visiting professor in law and psychology at Birmingham City University School of Law – to find out more about the typical psychological effects experienced by victims of data breaches. He said:

“Data breach victims typically experience high levels of anxiety, specific to the data breach but also generalised to other aspects of dealing with correspondence, telephone and digital communication and payment for services. Victims experience social anxiety, with difficulties dealing with friends and neighbours, tradesmen, shopping transactions and can develop oversensitivity or paranoia in their communications with others. They can also develop varying aspects of mood disturbances or depression especially including poor sleep and tearfulness.”

What does the law say?

Thankfully, over the last few years, people are waking up to the reality of mental health. And there is a greater awareness about the lasting effects of psychological suffering and anguish.

Crucially, the law understands the damage that can be caused by worry and upset. So today, you can make a compensation claim if you have struggled emotionally following a data breach. Even if you have not lost money.

Organisations must educate themselves about the emotional impact of data breaches

Should a data breach occur, it’s vital that an appropriate response is made. But, in our experience, too many companies and their representatives (be they legal or insurance based) are still responding with a pre-packaged “we won’t do it again” approach.

However, it is vital that businesses not only do more to meet their data privacy responsibilities, but that they also provide an adequate response where they fail to do so.  And that requires a greater understanding of the full impact of privacy violations. Because these can be significant and of a psychological nature.

Without such awareness – and appropriate measures to address the distress, anguish and anxiety that can be caused by data breaches – more and more customers will look for help to protect their privacy. And claim back from organisations where they have suffered.

Leading by example

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of this issue. We are also educating people and businesses to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses. Or give us a call on 0151 363 5895 to discuss your case in more depth.

Today’s Legal Cyber Risk, 29th March 2019

Victims of push payment fraud are given greater protection and commitment from banks and building societies after a new voluntary code comes into effect. We commented on this positive development.


, ,

Banks to pay push payment scam compensation

A number of leading banks have agreed to contribute to a fund for victims of push payment scams.

Push payment scams happen when cybercriminals trick someone into sending them money by pretending to be someone else. Push payment scams saw £148 million lost in the first half of 2018.

Banks that have signed up to the new push payment scam compensation fund include Barclays, HSBC, Lloyds and RBS. Other banks such as Santander and Nationwide, have also made a similar commitment.

Historically, banks have avoided paying push payment scam compensation to victims unless there was a fault in their processes. This is because the customer authorised the payments.

The scheme will be introduced as an interim measure until a permanent solution can be agreed. It is expected that banks will reimburse somewhere between £30million and £40million more in push payment compensation in 2019 as compared to last year.

How to protect yourself from push payment fraud

Action Fraud – the national fraud reporting service – recommends taking the following advice to stay safe:

  • Be suspicious of requests to transfer money by bank transfer or virtual currency instead of safer methods (e.g. credit card or payment services such as PayPal)
  • Trust your instincts. If something feels wrong then it is right to question it
  • Don’t pay for goods or services unless you know and trust the individual or business
  • Be aware that personal information obtained from data breaches is making it easier for cybercriminals to create highly targeted phishing messages and calls
  • Don’t assume a person/organisation is genuine just because they’re able to provide some basic details about you
  • Always be suspicious of unsolicited requests for your personal or financial information.

Also, it’s important to understand that your bank would not:

  • Ask you to share any sensitive information about yourself or your accounts, like your PIN or full banking password
  • Ask you withdraw or transfer money for safekeeping
  • Send someone to your home to collect cash, a PIN, cards or cheque books
  • Try to panic you out of taking security checks.

A win for consumers

Commenting on the new push payment scam compensation fund, a spokesperson at consumer group Which?, said: “This long-awaited move to ensure victims of bank transfer scams are properly reimbursed when neither they nor the bank is at fault is a major victory for consumers.

“The banks must now act to ensure this scheme is implemented swiftly so consumers can have confidence that losing life-changing sums of money to this type of fraud is a thing of the past.”

What can you do if you are the victim of push payment fraud?

If you have been the victim of an attempted push payment scam, you should contact Action Fraud. However, if you have lost money as a result of the scam, you must also report it as a crime. You should also notify your bank ASAP.

At Hayes Connor Solicitors, we want to reduce the number of data violations and successful cyber scams taking place across the UK. To do this, we are raising awareness of this issue and educating people to help stop fraudsters in their tracks. For more advice on how to keep safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a push payment scam, find out how we can help you to recover any losses or give us a call our office to discuss your case in more depth. We can help you to claim compensation and steer you through the aftermath of a bank or credit card scam – minimising the impact on you as much as possible.

We are also considering a group action claim against banks who have failed their clients after they have lost money through no fault of their own. A group action is where a group of people, all affected by the same issue, collectively bring their cases to court. Group actions can be a powerful tool and can have a bigger impact than a single claim.


AI not enough to counter data breaches due to human error

According to US technology conglomerate Cisco, 99% of devices will be connected to the internet by 2020. While increasingly sophisticated artificial intelligence counters a significant number of threats to personal data, human error is a greater risk than cyber criminals according to Hayes Connor Solicitors.

data breach
, ,

Hackers jailed for one of the biggest data breaches in history

Two friends from Staffordshire who carried out a huge data hack have been jailed. The pair, who are aged just 21 and 23, breached the TalkTalk website in 2015 as part of a group of hackers.

During the raid, the pair managed to get away with the names, addresses and dates of birth of 1.6 million TalkTalk customers, before sharing much of the data online. They pleaded guilty last year to various charges related to the cyberattack.

How did the hack affect TalkTalk?

TalkTalk was subsequently fined £400,000 by the Information Commissioner’s Office (ICO) for not appropriately securing the data. In total it is thought that the cybersecurity incident has cost the telecoms firm a whopping £77 million in lost business.

In this case, the flaw in TalkTalk’s website that sparked the breach was exposed by another 17-year-old boy. The “significant, sophisticated systematic hack” is thought to be one of the biggest data breaches in history.

TalkTalk spotted issues with its site on 21 October 2015 and immediately launched an investigation before warning customers the following day. However, an inquiry by the ICO found that that insufficient security at the company permitted customer data to be accessed “with ease”. And that TalkTalk could have prevented the data breach if it had taken basic steps to protect its customers’ information.

According to the ICO: “For no good reason, TalkTalk appears to have overlooked the need to ensure it had robust measures in place despite having the financial and staffing resources available”.

What did the judge say?

Following the hack, TalkTalk’s then CEO faced blackmail attempts, with the hackers demanding Bitcoin in exchange for the stolen data.

Commenting on the two hackers, the judge said that they were “individuals of extraordinary talent” and that she was sure that their actions “caused misery and distress to the many thousands of the customers at TalkTalk.”

The pair were also caught with stolen login details to NASA systems.

The judge came down hard on the young cybercriminals, stating that “It is of the first importance that the court sends a clear message. Illegal activities on this scale are not a game. They will be taken very seriously by the courts.”

What to do immediately after a data breach

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you should:

  • Inform the Information Commissioner’s Office (ICO) about your concerns
  • Contact your bank and/or credit card providers immediately
  • Beware of fraudsters who attempt to gather personal information (phishing)
  • Report any suspected phishing attempts to the police and relevant authorities
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips. Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name
  • Beware of any unsolicited communications that refer you to a web page asking for personal data
  • Register with a suitable fraud prevention service
  • Change your passwords.
  • If you are offered any form of compensation or free services from the organisation that put your data at risk it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date
  • Contact Hayes Connor Solicitors. Our expert, online fraud and data protection solicitors will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.


data breach
, ,

120k police officers in the UK have had their personal details exposed

What happened in this case?

The Police Federation of England and Wales (PFEW), has suffered a severe data breach across a number of its databases. As a result of a ransomware cyber-attack, the names, email addresses, National Insurance numbers, ranks and serving forces of around 120,000 police officers have been exposed. The breach affects officers at all levels up to the rank of chief inspector.

In addition, a second database has also been affected. This violation involves a booking system for the PFEW conference and hotel facilities in Leatherhead. The breach includes the names, addresses and email addresses of guests who visited for leisure purposes. Any guests who stayed at the facilities between 1 September 2018 and 9 March 2019 may also have had their financial details (credit card number and expiry date) put at risk. The breach does not affect officers who stayed as Federation representatives on courses.

A third database has also been breached. This involves the PFEW claims case management system. Any member who requested PFEW assistance for an investigation, inquiry or complaint during their service (if dealt with at HQ at Leatherhead) could have had their name, address, National Insurance number, and bank details accessed by cybercriminals.

The PFEW was alerted to the ransomware cyber-attack on March 9th. However, members were not informed about the breach until 21st, and a helpline for those affected was only made available from Friday 22 March.

Local Federation branches have not been affected.

How has the Police Federation responded?

In a letter to its members, the Federation said: “We are deeply sorry that this has happened and that data we hold about you has been affected and know that this will cause you some concern.

“We have instructed a leading forensics firm to help us investigate the matter. This is a complex process and will take some time. Indications are that it was not targeted specifically at PFEW and was likely part of a wider campaign. There is also no evidence at this stage that any data was extracted from PFEW’s systems, although this cannot be discounted at this stage. Whilst we consider at this stage the risk of your data being extracted or misused is low, we wanted to alert members as to the risk at the earliest opportunity.”

This response is not good enough

Commenting on the breach, Kingsley Hayes, managing director at Hayes Connor Solicitors said: “While the Federation claims that the risk to data is low, there is no way that they can know that. In many data breach cases it can take months for the full impact and losses to become apparent. We have seen instances where the financial losses only start to occur three to six months later. This is often because data stolen is used in batches over time.

“What’s more, simply knowing that your details could be in the hands of cybercriminals can lead to anxiety and distress. Experiencing a data breach can result in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury.

“For police officers knowing that their personal information could be in the hands of criminals is bound to be even more distressing.”

What is happening now?

The PFEW has been working with the National Crime Agency who is dealing with this incident as a criminal offence. It has also put a number of measures in place to help stop the further spread of the malware. In addition, the Federation is liaising with the National Cyber Security Centre and the Information Commissioner’s Office as this matter is investigated.

Where to get help

The Federation has said that any officers concerned about fraud or lost data should contact Action Fraud. Advice can also be obtained from the National Cyber Security Centre.

The PFEW helpline is also available on 0800 358 0714. Opening hours are Monday to Friday 8am to 6pm, and Saturday and Sunday 9am to 3pm.

Furthermore, the PFEW website has the latest information and FAQs regarding this breach.

Claiming for compensation

At Hayes Connor, our expert solicitors deal with a significant number of data breach cases every day. During our work, we see many different types of claims and understand how data breaches can affect people in different ways.

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation.

In most cases, data breaches happen because of a failure to implement reasonable and robust processes. So claiming compensation isn’t just in your best interests, it is often the only way organisations will be persuaded to take their responsibilities seriously and make the necessary improvements.

If you have been affected and want advice contact us today

, ,

Marriott facing GDPR fine and compensation payments

The Marriott data hack is one of the most serious data breaches of its kind. And, following the breach – which resulted in 500 million guests being compromised – the hotel group is facing a GDPR fine and compensation payments to customers.

Marriott data breach compensation

So far, two US-based law firms have already filed class action lawsuits against Marriott International. A class action (also called a group action), is where a group of people – sometimes even thousands of people – who have been affected by the same issue collectively bring their cases to court. These victims then fight together to achieve compensation. Where circumstances are very similar, group actions can be a powerful tool and can have a more significant impact than a single claim.

Find out more about group actions.

A US Senator has also called on Marriott to reimburse those affected to allow them to purchase new passports. However, to date, Marriott has offered no monetary reparation.

Committed to helping victims of data breaches and cybercrime to achieve the justice they deserve, at Hayes Connor Solicitors we are also considering launching a group action to compensate UK victims of the Marriott data breach.

Marriott data breach GDPR

Marriott is a US-based company. But, because many of its guests are EU citizens, the data breach falls under EU GDPR legislation. This means that the hotel group could face a fine of up to £17.8 million or 4% of its annual turnover. Marriott’s turnover in 2017 was £20.4 billion.

So, Marriott could be facing a regulatory fine and litigation. As such the financial implications could be huge. What’s more, if you are a Marriott International customer and you have suffered emotional distress because of the data breach you could be entitled to compensation – even if you haven’t lost out financially.

Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.

So, if you have received an email from Marriott letting you know that your details have been put at risk, get in touch. We’ll let you know if and when you can claim. You can also read our step by step guide to making a data breach claim here. 

We can take on your claim on a no-win, no-fee basis. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.


New code to protect against push payment fraud is welcomed but more needs to be done

May 28th, 2019 will see a new voluntary code come into effect to provide greater protection and a commitment from banks and building societies to reimburse victims of push payment fraud. While the change is welcomed, more needs to be done says data breach specialist Hayes Connor Solicitors.

, , , ,

NHS family member shared confidential medical information

When it comes to medical data breaches, in most cases, it is human error rather than cybercrime that leads to information falling into the wrong hands. But what happens when someone deliberately accesses and shares your private and sensitive medical records?

In a recent case, our solicitors saw the impact of what can happen when sensitive medical information was revealed by a family member working for the NHS.

What happened in this case?

In this data breach, the sister-in-law of our client (who was a NHS staff member), accessed the NHS system and then shared personal details about our client with the rest of her family. This included specific information about our client’s baby.

As a direct result of this violation, our client’s relationship with family has broken down. She has received threats from a family member resulting in police involvement, and has to deal with the ongoing worry of further danger.

In response, our client has suffered stress, anxiety attacks and trauma. Ultimately she has required medication to be prescribed to help manage the psychological effects of this terrible breach of trust.

To make matter worse, the breach has meant that our client can no longer continue her university studies, so she has also suffered the loss of expenses, and the opportunity to progress her career.

Lessons learned

NHS employees have a duty of confidentiality not to divulge private information. But in this case, this duty was disregarded. And, while the family member who accessed the data is responsible for this, the NHS must do more to protect patient information. For example, by designing systems that only allow the specific specialists, doctors or consultant allocated to a patient to have access to their data.

Also, every staff member accessing a patient’s records should provide a reason for doing so. And all NHS employees should receive regular data protection training to make sure they understand the potential consequences of breaching data protection laws.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.