
Do you have to hand over your personal data to a pharmacist?

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of data privacy matters and educating people and businesses to prevent mistakes from happening. And, after seeing some of our advice on how to keep your personal data safe, one concerned individual contacted us after being given a medication service questionnaire from her local pharmacy.

What was the problem?

The questionnaire asked for a whole range of sensitive medical information including:

  • Her name and contact details
  • Details of her GP practice
  • A list of any medical conditions
  • Whether she is pregnant
  • Whether she smokes
  • Any mental health requirements
  • A list of the medications she takes and any side effects of these medications
  • Whether she has dementia
  • Whether she has an impairment of the liver, heart, kidneys or lungs
  • Whether she has any visual or hearing impairments
  • If she has any physical impairments.

Contacting Hayes Connor Solicitors with a copy of the questionnaire, the woman said: “I’m quite disturbed at the way this has been issued. There is no indication about whether the questionnaire is voluntary and I fear that many people will hand over this extremely sensitive data without question.”

Does the pharmacy need this information?

Pharmacies across the UK are providing an extremely valuable service to patients while removing some of the burden from doctors. And, certainly having this information could help them to provide more tailored medical advice. But, the way in which this particular survey has been issued is worrying.

Crucially, we think that it breaks data protection laws.

What does the law say?

Unless you have been living under a rock, you will have heard about the General Data Protection Regulation (GDPR). Under the GDPR, any organisation that handles personal information such as names, email addresses, phone numbers, payment details and medical information has to put robust measures in place to keep this safe.

The more you know about the GDPR, the easier it is to make sure you hold organisations to account when it comes to keeping your data safe.

Under the GDPR you have the following rights (among others):

  • The right to be informed if your personal data is being used. This includes things like why an organisation is using your data, how it is using it, what type/types of data it is using, how long the data will be kept, if it shares this data with any third parties, and more
  • The right to limit how organisations use your data. You can restrict the way an organisation uses your personal data. To exercise this right you should make your request directly to the organisation in question and be clear why you want the data to be restricted. In some circumstances you can also object to an organisation using your data at all
  • The right of access to your data. You have the right to find out if an organisation is using or storing your personal data. To exercise this right all you have to do is ask for a copy of this data. This is called making a subject access request (SAR). You can make a subject access request at any time. For example, you can make a SAR if you want to find out if information is being held about you and how it is being used
  • The right to get your data corrected or deleted. You can challenge the accuracy of any personal data that an organisation holds about you and ask for it to be corrected, added to, or deleted.

This survey does not provide customers with any of this information. And, to make matters worse, there is no communication explaining that providing this data is voluntary. Likewise, the pharmacy hasn’t provided any details on how it will handle and keep this sensitive medical information safe, and that is very worrying.

Our advice in this situation would be to:

If the pharmacy does not respond satisfactorily you should then inform the Information Commissioner’s Office.

Committed to upholding your data protection rights

At Hayes Connor Solicitors, we are committed to making sure that people across the UK understand their data protection rights, and know what they can do when these rights have been ignored, overlooked or abused.

Find out more about your rights on the ICO website.

For more advice on how to keep your data safe, you can also follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.


British consumers likely to avoid organisations following a data breach

Customers in the UK are more likely to change their spending habits following a data breach than those in the US. That’s according to research into consumer trust and spending habits[1].

In fact, 41% of UK customers would stop spending money with a business forever following a data security breach compared to just 21% of US consumers.

The research also found that:

  • 26% of UK customers won’t spend money with brands they don’t trust to handle their data. That figure drops to just 18% for Americans
  • Americans are more likely to be a victim of a security breach than Brits (44% as opposed to 38%)
  • Retail and travel industries are among the least trusted industries on both sides of the Atlantic
  • 56% of UK respondents were uncomfortable about giving out their credit card details over the phone. However, this figure dropped to just 42% for their American counterparts.

For UK businesses, the findings issue a stark warning about the potential consequences of a data breach.

According to a spokesperson for the report:

“Awareness of data security is something that is on everyone’s radar, yet our UK and US surveys have highlighted some real differences of opinions and traits, when comparing attitudes to data and payment security between the two countries.

“UK consumers certainly seem more guarded with providing personal information, such as payment card details, over the phone, yet the US is catching up fast. Similarly, if a security breach has occurred at an organisation, Brits appear more likely to avoid that organisation in future, and instead go elsewhere. In my opinion, 2019 is the year that organisations need to take steps to provide far clearer assurances to consumers as to how their data is being captured, processed and stored otherwise customers are not going to wait, and they may find them going elsewhere for their purchase.”

Smaller doesn’t mean safer

British consumers shouldn’t be complacent as the report shows that there is still a lack of awareness about cybercrime and data breaches. According to the findings, over half of UK respondents (55%) felt they could trust a local store with their data more than a national company.

But, according to UK government statistics, smaller organisations are experiencing a significant number of cyber-attacks. In fact, 42% of small and micro businesses identified at least one breach or attack over a 12-month period[2].

So, more small and medium-sized businesses are being affected by data breaches than ever before. And, in many cases, cybercriminals are specifically targeting smaller companies because they are less likely to invest in robust cybersecurity processes. So, when handing over your valuable data you need to be aware of the risk, regardless of whether you are giving it to a national bank or a local hairdresser.

Be aware. Be safe from a data breach

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of this issue. We are also educating people and businesses to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses. Or call our helpline to discuss your case in more depth.

[1] PCI Pal



Could you spot a phishing attack?

Human error is the leading cause of data breaches. In response, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help businesses communicate the importance of information security. This includes tips on spotting a phishing attack.

At Hayes Connor, we’re sharing some of the tips included in this toolkit. In doing this we aim to raise awareness of the importance of this issue. We also want to help organisations across the UK improve their data protection processes.

Tip: Phishing email? Don’t get caught hook, line and sinker

What is a phishing attack?

Phishing scammers use emails, texts, websites, phone calls and social media to access your data, your computer, or your financial accounts. Typical phishing scams include:

  • Where fraudsters contact you posing as your bank
  • Where fraudsters contact you posing as a company (e.g. Microsoft) and encourage you to complete steps that let them gain access to your computer
  • Where scammers send out an email that appears to come from a service you use (e.g. PayPal, Google Drive, Dropbox, etc.). This email instructs you to click on a link which leads to a fake page that collects your login details
  • Where you receive an email from a person or company you know and trust which includes your personal information and lures you into clicking on a malicious URL or email attachment
  • Where scammers pretend to be from someone in the same company as you in a bid to steal the private data of your customers.

Phishing is a serious crime, and victims can suffer both financial loss and distress.

Quick tips to avoid a phishing attack

Check out these tips on how to spot phishing attacks and prevent cybercriminals from stealing your information.

  • Beware of emails with poor spelling and grammar. This is one of the most common signs that an email isn’t legitimate. However, phishing scammers are getting more sophisticated, and sometimes it’s almost impossible to tell a fake email from a real one
  • Roll over hypertext links (without clicking them), to see if the actual URL differs from the one displayed
  • Hover your mouse over the email address in the ‘from’ field to see if the website domain matches that of the organisation the email claims to be from
  • If you get an email warning you that your account has been closed or put on hold, go to the organisation’s website (via Google, not the email) and contact them to make sure the email is legitimate. Do this regardless of how authentic the message appears to be
  • If you receive an email informing you that you’ve won a prize (or the lottery) do not provide any personal information without checking that this is genuine. If you cannot remember entering the competition, it is probably a scam
  • Do not respond to emails asking you to make a charitable donation. If you’d like to donate to a charity, do so by visiting their website directly
  • If you receive an email that looks in any way suspicious, never click to download the attachment, as it could be malware
  • If you are in any doubt, DO NOT click on any links or open any attachments. Instead, you should go to the organisation’s website directly (not via the email) and contact them to make sure the email is legitimate.
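As an added example (not part of the ICO toolkit or this article), the small Python checker below applies two of the tips above mechanically: it compares each link’s visible text with the domain the link really points to, and compares the organisation named in the From display name with the domain the message was actually sent from. The sample email, the KNOWN_SENDER_DOMAINS table and the .example hostnames are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Organisations and the domains they legitimately send from. Constructed for
# this example; a real deployment would use a maintained allow-list.
KNOWN_SENDER_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "microsoft": {"microsoft.com"},
}

# Matches something that looks like a hostname inside visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable(host):
    """Crude 'organisation' part of a hostname: the last two labels, or three
    when the second-level label is a short suffix such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (visible text, real host) for links whose text names a domain
    other than the one the href actually points to."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        actual = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if shown and actual and registrable(shown.group(1)) != registrable(actual):
            findings.append((text, actual))
    return findings


def sender_mismatch(from_header):
    """Return the sender's domain if the display name claims a known
    organisation that does not send from that domain, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for org, domains in KNOWN_SENDER_DOMAINS.items():
        if org in name.lower() and registrable(domain) not in domains:
            return domain
    return None


# Constructed sample imitating the "service you use" lure described above.
SAMPLE_EMAIL = """\
From: "PayPal Customer Support" <support@paypal-security-alerts.example>
To: someone@example.org
Subject: Your account has been limited
Content-Type: text/html

<html><body>
<p>We noticed unusual activity. Please verify at
<a href="http://paypal.com.verify-login.example/a">https://www.paypal.com/signin</a>
or read our <a href="https://www.paypal.com/help">help centre</a>.</p>
</body></html>
"""


def check_email(raw):
    """Run both checks over a raw RFC 5322 message and report the findings."""
    msg = message_from_string(raw)
    return {"links": mismatched_links(msg.get_payload()), "sender": sender_mismatch(msg["From"])}


if __name__ == "__main__":
    for key, value in check_email(SAMPLE_EMAIL).items():
        print(key, value)
```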

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.


Significant number of businesses still not investing enough in cybersecurity

A recently published government report has revealed that while cybersecurity is increasingly recognised as a high risk to businesses, significant cybersecurity gaps remain. The FTSE 350 Cyber Governance Health Check 2018 report found that 72 per cent of organisations rated cyber threats as a high business risk, up from 54 per cent the previous year.


ICO fines London council for Police Gangs Matrix breach

The Information Commissioner’s Office (ICO), has fined the London Borough of Newham £145,000. This comes after a breach disclosed the personal information of more than 200 people who featured on the controversial Gangs Matrix.

This case was considered under previous data protection legislation. If it had been brought under the General Data Protection Regulation, the fine could have been much higher.

What happened in the Police Gangs Matrix data breach?

The Gangs Matrix was set up following the 2011 London riots. It contains the names and personal details of thousands of people. According to the Met, these individuals either pose a risk of committing gang violence, or of becoming victims.

In January 2017, a council employee sent an email to over 40 recipients that contained an unredacted version of the Gangs Matrix. This included dates of birth, home addresses, information on whether individuals were prolific firearms offenders or knife carriers, and their alleged associated gang.

The recipients of the email included partner organisations that work together to respond to gang-related crime. Between May and September 2017, rival gang members managed to obtain photographs of this information via the social media platform Snapchat.

What was the impact of the Police Gangs Matrix data breach?

During 2017, the Borough went on to experience incidents of serious gang violence. The victims included people whose data had been violated.

There is no concrete evidence that the data breach and the violence are connected. But the ICO recognises that significant harm and distress can be caused when this type of sensitive personal information is not kept secure.

The ICO has established several failures by Newham Council

Following its investigation, the ICO found that Newham Council had no specific sharing agreements, policy or guidance in place to regulate how its staff and partner organisations securely handled and used the Gangs Matrix.

To make matters worse, the Council did not report the data breach to the ICO. It did conduct an internal investigation. But this did not take place until many months after the breach was discovered.

Speaking about the data breach, the deputy commissioner of the ICO said: “Our investigation concluded that it was unnecessary, unfair and excessive for Newham Council to have shared the unredacted database with a large number of people and organisations, when a redacted version was readily available. The risks associated with such a transfer of sensitive information should have been obvious.”

He added: “This is a reminder for organisations handling and sharing sensitive information to make sure they have suitable processes, training and governance in place to ensure they meet their accountability obligations.

“Data protection is not a barrier for information sharing but it needs to be compliant with the law. One of the ways in doing this is by conducting data protection assessments. We have a data sharing code which provides guidance on how to share data safely and proportionately, and we will soon be publishing an updated code.

“Ultimately, personal information must be processed lawfully, fairly, proportionately and securely, so the community can have confidence that their information is being used in an appropriate way.”

This is not the first time the database has caused problems

In total, the Gangs Matrix holds details of around 3,500 people, some of whom are as young as 12. It stores their full name, date of birth, and home address. It also holds information on whether someone is a firearms offender or a knife carrier. Also, each individual is allocated a green, amber or red rating indicating their apparent risk of violence.

Concerns have been raised that the matrix violates human rights. Not least because young black men and boys make up more than three-quarters of the list. What’s more, the Guardian found that in one London borough, 40% of young people on the list had “zero” risk of causing harm.

In response, the ICO has undertaken a separate review of the database. This found that a failure to adhere to data protection principles potentially caused “damage and distress” to the disproportionate number of black men on it. In response, the Metropolitan Police force was ordered to radically reform the matrix.

What can you do if you have suffered because of this data breach?

According to the ICO, problems with the Gangs Matrix go back to 2011 and created a plausible risk to this data. There is also real concern about the impact on its mainly black and ethnic minority data subjects (people on the database).

If you have suffered damage or distress caused by the Gangs Matrix you have a right to claim compensation. To find out how we can help you recover any losses, contact us to discuss your case in more depth.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Liverpool Echo, 22nd April 2019

We talked to the Liverpool Echo about the fact that the majority of data breaches are entirely preventable with most incidents resulting from human error rather than malicious cyber attacks.


Has Google put your privacy at risk?

Last week, Google admitted giving hundreds of firms access to your Gmail inbox. Our data breach solicitors look at what happened, and what you can do to protect your data.

In a letter to lawmakers in the US, the multinational technology giant said that third-party developers could both access and share data from Gmail accounts. This means that hundreds of apps (and their human employees) might be able to read your messages and share data from your inbox. Often for marketing purposes.

Google says that it thoroughly vets any third parties that are granted access. But this revelation is bound to concern anyone worried about their data privacy. Especially following the Facebook/Cambridge Analytica scandal.

In a letter, first published in the Wall Street Journal, Google’s head of US public policy revealed that: “Developers may share data with third parties so long as they are transparent with the users about how they are using the data”.

However, our data breach solicitors are very concerned about this revelation. And, in particular, how it impacts users in the UK. And there are fears that the process of sharing data is not compliant with the Data Protection Act (the UK’s interpretation of the GDPR).

At Hayes Connor, we are very worried that data protection regulation has been breached and will be seeking urgent clarification on this matter. If we find that Google has put the privacy of its UK customers at risk, our data breach solicitors may launch a group action compensation claim against the company.

What should you do now?

According to Google, you have options around how you grant access to apps. However many people may not be aware that they’ve given apps such access to their accounts.

If you are in any way concerned it is vital that you review your Gmail permissions immediately.

To do this:

  1. Select “Account” from the app menu in the top right-hand corner of your Gmail account
  2. Under “Sign in & Security”, click on “Apps with account access”
  3. See the apps which you’ve given access to since you created your account
  4. Select ‘Manage Apps’ to review in more detail
  5. If you see an app you don’t trust, you can block it by clicking “Remove Access.”

Only a year ago, Google pledged to protect its users’ privacy and prohibit email scanning. And, while Google has itself stopped scanning Gmail users’ email, this latest revelation is bound to cause distress.

Industry experts have called the practice a “dirty secret” while other security experts are surprised that Google permits this practice. Especially when considering the recent increases in data breaches.

If you are in any way concerned we would encourage you to report this issue to the ICO for further investigation. You can do this here.

You can also (securely) register your data with Hayes Connor Solicitors, and we will keep you updated on the outcome of any investigation into this matter.



Can you claim compensation for the Police Federation data breach?

Last month, the Police Federation of England and Wales (PFEW) admitted that it suffered a severe data breach across a number of its databases. This data privacy violation happened as a result of a ransomware cyber-attack. A criminal investigation has now been launched into the Police Federation cyber-attack.

What happened in the Police Federation data breach?

In a Twitter statement, posted on 21st March, the PFEW said: “We can confirm we have been subject to a malware attack on our computer systems. We were alerted by our own security systems on Saturday 9 March. Cyber experts rapidly reacted to isolate the malware and prevent it from spreading.”

The statement also included a press release with more information about the attack. You can read this in full here.

However, people were soon pointing out that the PFEW took 12 days to inform its members about the attack. And the way some members found out was also questioned.


“So this happened on 9th March and it is only now the 21st March that you tell your paying members?? Absolutely disgraceful handling by the federation.”


“I’d rather my OH not be told via a press release, but direct contact from federation! Press releases are for the public not the potential victims”.


“So if the attack was discovered on 9th March, why did it take 12 days to alert everyone? I assume you have reported your data breach to the information commissions office?”


“Members are always last to find out. Why has it taken over 11 days to inform your members…”



What information was exposed in the PFEW data breach?

The names, email addresses, National Insurance numbers, ranks and serving forces of around 120,000 police officers may have been exposed. The breach affects officers at all levels up to the rank of chief inspector.

Also, any guests who stayed at the PFEW conference and hotel facilities in Leatherhead between 1 September 2018 and 9 March 2019 may also have had their financial details (credit card number and expiry date) put at risk.

In addition, the PFEW claims case management system has also been compromised. So any members who requested PFEW assistance for any investigation, inquiry or complaint could have had their name, address, National Insurance number, and bank details accessed.

However, the PFEW claims that there is no evidence at this stage that any data was extracted from PFEW’s systems, although this cannot be discounted.

Local Federation branches have not been affected.

How is the PFEW ransomware attack impacting police systems?

Ransomware is a type of malicious software. Typically cybercriminals use ransomware to threaten to publish the victim’s data, or to block access to it unless a ransom is paid. Ransomware attacks are becoming more widespread.

As a result of this ransomware attack, the PFEW has suffered severe disruption to services. Backup data was also deleted. Indeed, following the breach the PFEW has made the “difficult decision” to cancel its national conference in June. A statement on Twitter read:

“Experts in business recovery estimate it takes 4 – 6 months to recover from a cyber-attack and with annual conference due in 9 weeks it would not be possible to deliver this on time.”

Can you claim compensation for the Police Federation data breach?

The Information Commissioner’s Office (ICO) is aware of the situation. However, while it has the power to impose hefty fines on organisations who fail to meet their data protection requirements, the ICO does not award compensation.

But, should the ICO find that the PFEW did not meet its data protection requirements, you could have a claim for compensation.

Indeed, even if there is no immediate evidence that personal and sensitive data was successfully extracted from PFEW systems, that doesn’t mean that there will be no impact on those officers affected. In many data breach cases it can take months for the full implications and losses to become apparent. We have seen instances where the financial losses only start to occur three to six months later. This is often because data stolen is used in batches over time.

What’s more, simply knowing that your details could be in the hands of cybercriminals can lead to anxiety and distress. Experiencing a data breach can result in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury. For police officers knowing that their personal information could be in the hands of criminals is bound to be even more distressing.

How to make a claim following the Police Federation data breach

At Hayes Connor Solicitors, we are experts in data breach cases. Committed to helping victims of data breaches and cybercrime to achieve the justice they deserve, we are now considering launching a no-win, no-fee group action to compensate victims of the Police Federation cyberattack.

Find out more about group actions.

By now those who have been affected should have been emailed. If you have received this email then you may be able to claim compensation once the matter has been investigated.

To ensure that you are fully informed and kept up-to-date, simply fill in our quick form and we will notify you about the investigation and your legal rights when making a claim.




Disposing of personal data? Do so carefully

With human error the leading cause of data breaches, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help businesses communicate the importance of information security to staff.

At Hayes Connor, we’re sharing some of the tips included in this toolkit to raise awareness of the importance of this issue, and to help organisations across the UK improve their data protection processes.

Tip: All information you work with has value. Dispose of it carefully

The risk of not disposing of data carefully

When personal and sensitive information is not disposed of correctly, it can fall into the wrong hands. As such, organisations of all kinds must make sure that they correctly destroy and get rid of any such data. Not least because where they don’t, they could face huge fines.

For example, in 2018 the Bayswater Medical Centre in London was found guilty of a serious data protection breach and fined £35,000 by the Information Commissioner’s Office (ICO) after it left highly sensitive medical records, registration forms and repeat prescription information unsecured in an empty building for a year and a half. The data was left on desks, in unlocked cabinets, on windowsills, and in bins. Find out more about this case.

Quick tips

  • Employers must understand the importance of data protection and make sure that strict policies and procedures are put in place to ensure the safe disposal of information
  • Simply binning paper-based personal information is not good enough. Un-shredded documents left in the bin or thrown outside for collection could be stolen and used to commit identity theft or corporate fraud. Any organisation that doesn’t have and adhere to a corporate shredding policy could also be in breach of the GDPR
  • Likewise, confidential waste should always be properly disposed of and separated from regular recyclable waste
  • Electronic information held on hard drives and PCs must also be disposed of correctly. This can be done by a professional hard drive and media destruction service
  • In many cases, data breaches can be avoided by staff abiding by the data protection principles of their businesses. But it is up to employers to make sure that all staff receive regular data protection training to make sure they understand the potential consequences of breaching data protection laws.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

Today’s Legal Cyber Risk, 17th April 2019

Kingsley Hayes comments on the government’s FTSE 350 Cyber Governance Health Check 2018 report which identified that only 46% of businesses had a dedicated cybersecurity budget despite heightened awareness of the associated risks.