
Data breaches – should you even care?

In 2019, the ICO was still owed 42% of the total amount of fines it had handed out for data breaches, spam, and nuisance calling since 2015. This demonstrates the difficulty the data protection regulator has when it comes to enforcing the punishments it hands out to companies.

Data obtained by The SMS Works via a freedom of information request found that:

  • 152 fines have been issued since 2015
  • 30% of these remain unpaid.

This unpaid amount does not include the £183m and £99m fines facing British Airways and Marriott Hotels. These are under appeal and not yet owed to the ICO.

The sheer amount of unpaid fines shows a complete lack of responsibility and care from offending organisations.

Companies are demonstrating a history of data protection failures

At the same time, it has been discovered that Marriott has suffered another data breach. On this occasion, rather than customers, it is employees who have had their privacy violated due to a third party. It is astonishing that, even in the face of a £99m fine, Marriott still doesn’t seem to be taking its data protection responsibilities seriously.

But it’s not alone.

Just a few weeks after the ICO announced plans to fine British Airways a whopping £183.93 million for its 2018 data breach, a vulnerability with the airline’s check-in procedures, once again, exposed passenger information.

Also, in November 2019, T-Mobile suffered a severe data breach with over a million pre-paid customers believed to be affected. But this wasn’t the first time T-Mobile had suffered a security failure. In August last year, the company admitted to a data breach which affected around two million customers.

And the list goes on.

In early 2020, Dixons Carphone Warehouse was fined £500,000 by the Information Commissioner’s Office (ICO). The Dixons Carphone data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores. The details were stolen by cybercriminals. But that breach was not the first time that the company had failed to protect its customers. The Carphone Warehouse, which merged with Dixons, was previously fined £400,000 following another cyber-attack. At that time, the huge fine was one of the biggest ever handed out by the Information Commissioner’s Office.

So, at best, we could argue that big companies are not learning from their security mistakes. At worst they just don’t care.

Is there any point in making a complaint?

Here at Hayes Connor Solicitors, we help our clients to claim compensation for breaches of their data privacy rights. And it’s a job we take very seriously. Not least because we understand the full and often traumatic effect a data breach can have on an individual. But, in light of these findings – and with breaches happening on an almost daily basis – is there any point even trying to stand up for your data privacy rights?

Absolutely!

Certainly, where there is a pattern of breaches, there are likely more significant security issues at play. In fact, we would argue that in many cases these organisations are lucky that they haven’t suffered more attacks. Because when you adopt a reactive “break-fix” approach rather than a proactive security-first approach, it’s only a matter of time before something else goes wrong.

But just because some organisations aren’t prioritising data security doesn’t mean you shouldn’t.

Cybercrime can result in both financial and/or identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts. Even if you haven’t lost out financially after a data breach, this doesn’t mean that there is “no harm done.” A personal data breach is a 21st-century version of being burgled. If a criminal came into your home and stole your private information, you would be distressed. So why should you feel any less upset at having your online data taken?

Even if a privacy violation doesn’t cause you damage or distress, that doesn’t mean you shouldn’t do anything about it. Your data has value and organisations are legally obliged to look after it.

Something has to be done to make companies accountable for their data protection failures. And, in many cases, taking action against these organisations is the only way to make them improve their security processes.

Is it really their fault?

Cybercriminals are becoming more and more sophisticated. But even where a company has come under attack, this doesn’t let them off the hook. If they have done everything in their power to protect your data and have robust security processes and procedures in place, it is unlikely that they would be found guilty by the ICO.

Also, where a third party has been involved in a breach (e.g. in the Ticketmaster data breach), this doesn’t mean the company that collected your data isn’t to blame. It is their responsibility to put adequate checks and processes in place to secure vendor access. So, implicating the third party as the bad actor is both dishonest and legally neither here nor there.

The reality is that in most cases, data breaches happen because of a failure to implement reasonable and robust processes. These organisations must be made to get their houses in order. But it’s essential to get specialist legal help to tackle these offenders head-on.

If the ICO can’t do anything, what can you do?

The scale of unpaid fines begs the question of whether the ICO has the powers it needs to be fit for purpose. But that doesn’t mean there is nothing you can do. Because, while the ICO investigates and fines companies for data protection failures, it does not award compensation to victims.

That’s where we come in.

Hayes Connor Solicitors is a law firm operating in the data breach and protection sector. We help our clients to claim data breach compensation following data protection violations, GDPR breaches and other cyber offences. Our firm has established itself as the leading niche provider of legal services in this area. A relatively new and evolving area of law, this is all we do. Consequently, we have become a specialist in data protection law and data breach compensation claims. As a result, we lead our field when it comes to understanding the complexities involved.

In larger cases, we work alongside expert data protection barristers. This means you will get the very best level of legal support available.

With all the experience and expertise needed to win against even the biggest of companies, we work with you to protect your rights and hold organisations to account for their failures.


Is Ticketmaster really not to blame for its data breach?

At Hayes Connor, we have issued a claim for damages of up to £5 million against ticketing giant Ticketmaster following its 2018 data breach. This is the first high profile action to be launched on behalf of multiple claimants in the UK since GDPR came into force.

But, to date, Ticketmaster is refusing to accept any blame for the breach. Despite the fact that, almost a year after the hack:

  • 63% of all the clients we took on have suffered multiple fraudulent transactions on their payment cards
  • 31% of all clients involved in this case suffered from distress and/or psychological trauma.

Instead, Ticketmaster claims that all responsibility for the data breach rests with Inbenta – a software provider that supplied Ticketmaster with chatbot software. It is this software that was compromised in the data breach incident.

Lawyers for the event ticket sales website said that Ticketmaster “is of the belief that it is not responsible for the Potential Security Incident”. That’s despite the fact that it was Ticketmaster that put the third-party JavaScript on a payment page.

What actually happened in the Ticketmaster data breach?

Malicious hacking group Magecart was able to gain access to thousands of Ticketmaster’s customer payment details via a “customer support product hosted by Inbenta Technologies”.

The malware used compromises webpage elements – typically JavaScript – to gain access to customer payment cards and other sensitive details.

However, Inbenta has denied that it is responsible, stating that:

“Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code… Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it.”

Is Ticketmaster right?

Our data protection experts don’t think so. In fact, we strongly disagree with this defence and are currently collating evidence to prove that Ticketmaster was liable for the breach.

In addition, according to RiskIQ, Ticketmaster also used SocialPlus – another company allegedly compromised by Magecart. So, while Inbenta has been established as the entry point for the malicious attack on its systems, at least one other source containing the skimmer had access to the Ticketmaster websites. This indicates a failure in security at Ticketmaster.

Indeed, where a third party has been involved in a breach (e.g. in the Ticketmaster data breach), this doesn’t mean the company that collected your data isn’t to blame. It is their responsibility to put adequate checks and processes in place to secure vendor access. So, implicating Inbenta as the bad actor is both dishonest and legally neither here nor there.

In our expert opinion, Ticketmaster is using Inbenta as a scapegoat for this breach. And in doing so, it is trying to stop fair and right reparation being paid to its victims. But, having seen the evidence supplied by Inbenta, we are more confident than ever that Ticketmaster is guilty of severe data protection failures, and that it will be made to compensate victims.

Ticketmaster data breach group action

At Hayes Connor, we are registering people who are interested in making a compensation claim because of the Ticketmaster data breach. Once you register with us, we will be in touch to find out more about how the breach affected you.

Our first group action is ready to be heard in the High Court. But, because of the number of people affected by the Ticketmaster security breach, we are now registering people who want to join a second wave of claimants. We will then progress your claim once our first group action has been decided in court.

Crucially, you do not need to have suffered any financial loss or emotional distress to make a claim. If you have suffered a privacy violation caused by Ticketmaster’s breach of the Data Protection Act, you have a right to claim compensation.


T-Mobile data breach. Should you be worried?

In November 2019, T-Mobile suffered a severe data breach. Over a million pre-paid customers are believed to be affected. According to T-Mobile, the following data might have been exposed in the data breach:

  • Names
  • Phone numbers
  • Billing addresses
  • Account numbers
  • Rates, plans and calling features

Were you involved in the T-Mobile data breach?

T-Mobile has said that all affected individuals have been notified. However, it also says that if you don’t receive a notification, this could be because they don’t have up-to-date contact information for you. So, all customers should check their contact details on their account in the event that T-Mobile needs to reach them.

If you are a T-Mobile customer, it is also worth checking your spam folder and any old email accounts in case the email has gone there.

If you are/were a pre-paid T-Mobile customer, and you have not received a notification and would like to confirm if your information was impacted, you can email privacy@t-mobile.com.

Should you be worried about the T-Mobile data breach?

It does not appear that payment information and credit card information are included in the breach. However, that doesn’t mean that the people involved in this breach are safe. A phone number alone is often enough for hackers to extort further information and commit crimes. Indeed, we regularly deal with cases where seemingly “safe” data exposed in a breach is used to commit financial and/or identity theft.

Is T-Mobile failing to protect its customers?

At Hayes Connor, our data protection experts certainly think so. T-Mobile has been very unforthcoming about the data hack, stating that it doesn’t want to provide additional information at this time. However, for victims of this data breach, this stance is both unhelpful and potentially dangerous. Not least because, until they know the full picture, T-Mobile customers could still be at risk.

Your privacy matters

A data breach is a serious failure, so, even if your information is never used against you, that doesn’t mean that you can’t hold T-Mobile to account for putting it at risk in the first place.

Regardless of the outcome of this breach, T-Mobile neglected to protect its customers’ privacy rights. So, if your data was involved in this breach, the law agrees that you can make a T-Mobile compensation claim.

How to stay safe following the T-Mobile data breach

Protect your T-Mobile account

  • T-Mobile has advised customers to confirm or update their PIN/passwords on their T-Mobile account immediately
  • Customers are also advised to check their accounts for any suspicious activity.

Protect your finances

  • Contact your bank or credit card provider immediately if you spot any unfamiliar transactions or suspicious activity
  • Keep an eye on your credit score for any unexpected dips
  • Consider contacting all the major credit reference agencies to ensure credit isn’t taken out in your name.

Watch out for further attacks

  • Be on your guard following the T-Mobile data breach
  • Always question uninvited calls, messages, texts, etc. in case it’s a scam
  • Be aware that, just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine
  • Understand that a legitimate bank or other financial organisation will never contact you to ask for your PIN or full password or ask you to move money to another account for fraud prevention reasons.

Put some data protection best practices in place

  • Register with the Cifas protective registration service
  • Change all your passwords
  • Make sure your devices are protected by up-to-date internet security software.

Find out more about what to do if you are the victim of a data breach.

Should you make a T-Mobile data breach compensation claim?

At Hayes Connor Solicitors, we are considering starting a no-win, no-fee group litigation action for UK customers who have had their data privacy violated in the T-Mobile data breach. To become part of this group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us.

Our data protection breach solicitors are true experts in this type of law. Unlike other firms, it is all we do, and we have been doing it for longer than most. So, we are confident that our team will get the results you deserve. We have all the experience and expertise necessary to get the best possible result for you.

Crucially, you do not need to have suffered any financial loss or emotional distress to make a claim against T-Mobile. If you have suffered a privacy violation caused by an organisation breaching any part of the Data Protection Act, you have a right to make a claim. Furthermore, claiming compensation isn’t just in your best interests. It could also be the only way to ensure that organisations implement more secure processes.

To become part of our group action, we need you to register with us. This guarantees that you will form part of any compensation claim lodged by us.

We can take on your claim on a no-win, no-fee basis.


Supercasino, Jackpot247 & Vernons data breach

Over the last few days, we have received several queries about a data breach at online betting website Vernons.com. In an email to customers, the company said:

“We regret to inform you that Vernons has suffered a security incident and some of your personal data has been revealed to an unauthorized person”.

Payment information is said to be secure. However, the company does admit that names, email addresses, telephone numbers and home addresses have fallen into the hands of a cybercriminal. This information is hugely valuable to fraudsters, so customers of Vernons must take steps to protect themselves.

The breach might also impact SuperCasino and Jackpot247.

According to a discussion on an internet forum, the company became aware of the breach on 8th December 2020. So, it looks like there may have been a delay in reporting this issue – leaving customers vulnerable to malicious attacks during this time.

Vernons is currently working with police to identify the criminals involved and protect itself from further similar incidents.

What are your rights?

First and foremost, it’s important to know that your private and confidential data is valuable. Some criminals sell this kind of information on the dark web and others buy it and use it to commit further crimes such as identity fraud and theft. That’s why it’s so important that organisations who have access to your data keep it safe.

Crucially, the law recognises the value of this information and has put steps in place to protect your consumer rights. This means that:

  • If anyone holding your data has suffered a data breach (either at the hands of criminals or because of an accident) they must tell you ASAP
  • They must also inform the UK’s data protection regulator (the Information Commissioner’s Office)
  • You are entitled to know what happened. So, if you feel like you are being fobbed off, you can ask for more information.

If you are concerned about a data breach that you have been involved in, you should also report it to the Information Commissioner’s Office as they might launch an investigation and fine the offending organisation.

Protecting yourself after a data breach

If a company contacts you to let you know that your data has been put at risk, you must take some basic security steps. So, following the Vernons data breach you should:

  • Change your account password on the site that has been attacked
  • Change your passwords on other accounts that use the same password
  • Make sure that your passwords don’t use any of the info that has been stolen (e.g. your street address or telephone number)
  • Use a different password for every account (if you are worried about remembering them all you could sign up to a password manager)
  • Be aware of common phishing techniques and keep an eye out for fraudsters who attempt to gather additional personal information
  • Not click on any suspicious links – even if it looks like they have been sent by someone you know
  • Question uninvited emails, calls, texts, etc. Instead, contact the company directly using a known email or phone number
  • Not share any sensitive information about yourself or your accounts, like your PIN or full banking password. Your bank would never ask for this information, so if you receive a letter, text or e-mail asking you to send banking information or money, do not reply
  • Never be talked into withdrawing or transferring money for safekeeping
  • Keep an eye on your bank and credit card statements to see if there is anything you don’t recognise.

Claiming compensation for the Vernons data breach

Cybercrime is difficult to avoid. Often because an organisation has not put the necessary prevention methods in place to keep your data safe.

To make matters worse, many companies are falling short of what we would expect when a failure in data privacy occurs. In our experience, companies are still responding with a pre-packaged “we won’t do it again” approach. This fails to recognise the full impact of the breach, which can be significant.

You can claim compensation for the following if you are the victim of cybercrime.

  • Financial losses. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts
  • Distress, anguish and anxiety. Being the victim of a crime can have a significant impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job
  • Loss of privacy. If a company does not protect your data in the way it is legally obliged to do, and you have suffered a loss of privacy, you can make a claim. For example, if your email address was stolen or otherwise put at risk.

Claiming compensation isn’t just in your best interests. The only way organisations will be persuaded to take their responsibilities seriously, and make the necessary improvements, is by hurting their bottom line.

Why choose Hayes Connor Solicitors?

If you have become the victim of cybercrime because of such negligence, you may be able to claim compensation. At Hayes Connor Solicitors, we’ve been helping people to achieve the redress they deserve for over 50 years. So we know what it takes to make a successful cybercrime claim.

What’s more, as the UK’s leading data protection law firm, our experience in data breach claims is unmatched in the UK. We are a true specialist in this relatively new but increasingly important field of law. This is all we do.

A lack of care and understanding about data breach law can leave victims open to advice and representation below the standard expected. And this could see you lose out financially as a result.

Importantly, despite being the most experienced data protection solicitors around, we provide no-win, no-fee funding arrangements so you don’t have to worry about costs. And we explain everything in plain English to make sure you understand the process and what we need from you before we begin.

If you are not sure about making a claim, we also provide a free consultation. On this call, we answer any questions you might have and go through your options with you. We will do all this without charging you a penny and with no pressure to take things further.


What is the Yahoo Representative Action?

In 2014, a Russian state-sponsored cyber-attack resulted in personal data being stolen from over 500 million Yahoo user accounts worldwide. Despite evidence that the firm knew about the hack soon after it happened, the data breach wasn’t reported until September 2016.

Following its inquiry into the breach, the ICO (the UK’s data protection regulator) found that Yahoo had failed to prevent the hack. The ICO also condemned inadequacies that had been in place at Yahoo for some time without being discovered or addressed. In response, Yahoo was fined £250,000 for the data breach.

But what has happened since then?

Yahoo agrees to set up a $117.5 million compensation fund

In October 2019, a US class action settlement allowed Yahoo users to file a claim for compensation.

Under this deal, anyone who had a Yahoo account between January 1st, 2012 and December 31st, 2016 became eligible to seek a payout from the fund. People who had a Yahoo account – including traditional Yahoo email or accounts on Yahoo Fantasy Sports, Yahoo Finance, Tumblr and Flickr – during this time, could also get two years of free credit monitoring services.

But the settlement only applies to residents of the United States or Israel.

At Hayes Connor, we believe that UK customers deserve compensation too. And, in response, we are launching a representative action against Yahoo.

What is a representative action?

A representative action is a type of group action. Representative actions are launched when a group of people are affected by the same issue and have experienced the same level of harm.

Representative actions tend to be used in straightforward mass data privacy scenarios. For example, where customers of a company have had their email addresses stolen and data privacy violated.

In representative actions, one member of the action will typically sue on behalf of themselves and the rest of the group. Once compensation has been agreed, each member of the representative action will receive the same amount.

One solicitor will represent all clients. A judge will decide who this solicitor is. Because of our unique experience in data breach group actions, we expect that Hayes Connor will be appointed as the representative in many future actions – including the Yahoo data breach.

A recent data protection case has made claiming against Yahoo even easier

A recent data protection case has transformed how data breach claims will be managed in the UK. The result of this court action will impact those UK consumers who had their personal details put at risk in the Yahoo data breach.

This is because, until now, to join a group action data breach claim, victims had to be able to prove that they had experienced harm as a direct result of the breach. For example, emotional distress or financial loss. However, the Court of Appeal has now decided that all data breach claims are valid, even if someone hasn’t suffered financial or emotional damage as a result. If a company does not protect your data in the way it is legally obliged to do, you can claim for this data privacy failure.

So, many more people are now free to claim from Yahoo. What’s more, following the ruling, people can now seek compensation from Yahoo, even if the only personal information breached was their email address.

Join our Yahoo representative action claim

If you are concerned that your data was treated negligently by Yahoo, contact Hayes Connor Solicitors immediately. The settlement reached in the US and the result of the ICO’s investigation in the UK mean that you could have a very strong case. There are no costs to join our group action and there is no obligation to proceed.


Making an Equifax data breach claim

As the UK’s leading data breach law firm, we understand that making a claim for compensation can seem daunting. That’s why we’ve made the process of making an Equifax data breach claim as quick and easy as possible.

And, to make sure you are fully informed before starting, here’s some information on who can claim, what making a claim involves, and who we are. By making sure you are fully informed before you take the next step, we ensure a stress-free experience from start to finish.

What happened in the Equifax data breach?

Because of a series of data protection failures, Equifax let the personal data of millions of people fall into the hands of hackers.

Equifax has already been found guilty of the breach. And, the UK’s data protection regulator has fined Equifax £500,000. But none of this money will go to victims of the data breach.

In the US, Equifax will pay $1.4 billion to compensate those who have been affected. We believe that UK customers deserve compensation too.

Are you eligible for Equifax data breach compensation?

Equifax has contacted those people who had their personal details accessed. However, if you think that you have been involved in this breach but don’t have a letter, you can still register with us.

Are there any reasons why you shouldn’t claim?

With hacks and breaches happening more and more often, something has to be done to make companies accountable. So, claiming compensation isn’t just in the best interests of victims – it could also be the only way to ensure that organisations implement more secure processes.

But it’s important to get specialist legal help, especially as there are a number of “claims management companies” all too keen to turn data breach claims into the new PPI.

What do you need to know about Hayes Connor?

  • We are an established and trusted firm that has been helping people to claim compensation for over 50 years
  • We are true experts in data breach law. This is all we do, and we have been doing it longer than most other solicitors. We lead our field when it comes to understanding the complexities involved
  • We offer no-win, no-fee funding arrangements. And there are no hidden costs or admin expenses. Find out more about what no-win no-fee means
  • We won’t charge you if you win. As well as providing No-Win, No-Fee funding arrangements, we won’t charge you a “success fee”. This means you’ll get all of the compensation awarded to you
  • We have secured insurance for our Equifax data breach action. This is important as it helps protect you
  • We work with expert data protection barristers. This means you will get the very best level of legal support available
  • We have created a range of jargon-free guides to make sure you understand exactly what is involved when claiming compensation
  • At Hayes Connor Solicitors, we have never done PPI claims. What’s more, we only ever get in touch with people who have asked us to. This means we never cold call, send spam texts, spam emails, or engage in any other form of nuisance marketing. We never pressure anyone into making a claim.

What happens once you join?

Once you’ve signed up, we’ll be in touch to let you know what we need from you, and what the next steps will be.

What do you need to do now?

Starting your Equifax data breach case is easy. All you need to do is sign up here.

 


Bank scammers: what you’ve told us!

Earlier this year, we shared one of our articles on Facebook. The post was called ‘Has your bank warned you that you are being scammed? Watch out!’ And the responses we’ve received confirm just how much of a problem this type of cybercrime is.

Has your bank warned you that you are being scammed? Watch out!

In our post, we said that there has been a rise in shrewd and dangerous bank scams. A few years ago, it was easy to spot criminals; often because of the clumsy way they tried to get people to hand over their bank details. But this is no longer the case. Today’s scammers are smarter than ever, so people need to be extra vigilant.

We shared one example where people get a call from “their bank”, warning them that they are in the process of being scammed. But, in a panic to make sure they don’t become a victim, these individuals often give criminals access to the very data they need. We also revealed how one of our team helped to stop a financial scam when it became clear that cybercriminals were targeting her friend on Facebook. Find out more about the Google Pay Scam.

What did you tell us?

While we hope that our post will help people to challenge and stop bank scams, some of the things you told us are just as enlightening.

Banks still don’t understand the need for security checks

Some people told us how, even today, some banks still don’t understand the need for basic security checks:

“I remember years ago getting a (probably genuine) phone call from my bank. They were totally flummoxed when I asked them to prove who they were before I answered any security questions to prove who I was!”

Another said:

“Went into the branch and they verified it was a genuine marketing call and couldn’t understand my refusal to talk to an unidentifiable cold caller.”

And, someone else commented:

“One young man wanted our security when he had rung us. When asked for proof he got quite indignant. We always say write to us if it’s that important.”

However, you should never be rushed into handing over personal or financial information. If something doesn’t feel right, do what these customers did and listen to your instincts. Leave the conversation if it makes you at all uncomfortable. A legitimate organisation should never try to talk you out of taking security checks.

Be careful – even if asked to call your bank back

Other people warned that, if you are called on your landline, cybercriminals can still be on the phone even after you hang up. So, as a precaution, you should use a different phone, or phone someone you know to clear the line before calling your bank.

At Hayes Connor Solicitors, we are aware of one sophisticated scheme in which scammers told people that their bank accounts had been hacked. Cleverly, they also encouraged the victims to phone their banks back using trusted contact details. However, these scammers didn’t hang up. Instead, they stayed on the line and played a dial tone. When the intended victims called their banks, the scammers impersonated a bank employee and asked them to confirm their PIN and bank details.

The good news is that, over the last few years, the phone companies have put measures in place to ensure that the line clears regardless of who hangs up first. But to stay safe, you should NEVER disclose security details such as your PIN or full banking password to anyone, including anyone calling from your bank. Banks will never ask for this information. Likewise, they won’t ask you to transfer money to another account for safekeeping. If you think you’ve already been a victim of this scam, contact your bank or card company immediately.

Just because a number looks genuine, doesn’t mean it is

Don’t assume an email, text or phone call is authentic. Just because someone knows some personal information about you (e.g. your address or mother’s maiden name), that doesn’t mean they are genuine. Likewise, even if a call or text comes through from a number that looks authentic, it might not be. As one person pointed out:

“Also by spoofing a mobile number they can add messages to a pre-existing thread on your phone, so it appears the bank has just replied to your message, or their messages appear under your bank’s name along with the genuine ones!”

This is correct. Most phones let you see the number of the person calling before you answer. However, fraudsters often change the caller ID to mirror that of your bank. This is called spoofing. What this means is that calls and texts could show up as being from your bank, even if they are not. Text messages from criminals can even appear alongside legitimate texts sent out by your bank.

Is mobile banking the problem?

According to some people who read our post, mobile banking has made it easier for criminals.

“All this scamming never happened before mobile online banking. Stick to banking in branch. Banks have only themselves to blame when they have to pay compensation.”

It’s true that our digital world comes with additional risk. But there is no going back, and the convenience of online banking should not be underestimated. It is up to the banks to protect their online customers, although, in our experience, such protection is sometimes woefully lacking. So, with criminals becoming increasingly savvy, we all must do what we can to protect ourselves from banking scams, and claim compensation where the banks have failed, as this is often the only way to force them to improve their security processes.

Get digitally aware

At Hayes Connor Solicitors, we want to reduce the number of data violations and successful cyber scams taking place across the UK. To do this, we are raising awareness of this issue and educating people to help stop fraudsters in their tracks.

For more advice on how to keep safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of an online scam, contact us to find out how we can help you to recover any losses.


Agreement reached between Facebook and the ICO

According to a statement on the Information Commissioner’s Office (ICO) website, an agreement has finally been reached between Facebook and the data protection regulator. This comes after Facebook was accused of failing to protect the personal data of its users. As part of this agreement, Facebook has agreed to pay a £500,000 fine but has made no admission of liability.

What happened in this case?

In 2018, a whistle-blower revealed how Facebook data was harvested to target American voters on behalf of Donald Trump’s election team. Speaking to journalists, Christopher Wylie, an ex-employee of data analytics firm Cambridge Analytica, said that millions of Facebook profiles were harvested and used by his then employer to influence the US presidential election. There were also concerns over whether illegally acquired data was used to target voters and influence the EU referendum result.

Furthermore, while Facebook found out about the breach in 2015, the social media giant failed to alert its users, and did not take adequate steps to recover and secure the private information. In response, the ICO launched an investigation into the activities of Facebook and the illegal retention, sharing and distribution of data in the UK. As part of that investigation, on 24 October 2018, the ICO issued a penalty of £500,000 against Facebook.

Incidentally, in May 2017 the ICO announced a formal investigation into the use of data analytics for political purposes. It admits that, at this time, “we had little idea of what was to come”. Today, this investigation is one of the largest of its kind and is ongoing.

How did Facebook respond?

Facebook chief executive Mark Zuckerberg admitted user privacy mistakes and said he realised he needed to be more public and accountable. In an interview with CNN, he said that he would not be against regulation of his social media company. He has also pledged to review “thousands of apps” in an “intensive process”. However, rather than paying the ICO fine, Facebook filed an appeal.

After much negotiation between the two parties, an agreement has now been reached.

What is the result of this case?

Facebook has now agreed to pay the £500,000 fine to settle the investigation into data harvesting by Cambridge Analytica (now defunct). But despite this, the company does not admit wrongdoing. It argues that it didn’t violate people’s privacy by allowing the data transfers and that its prior terms of service and privacy policies allowed for the transfer of user data to outside developers, unless people adjusted their privacy settings. The ICO has rejected that position.

However, the settlement does allow Facebook to resume its own investigation into issues around Cambridge Analytica. And, as a result, the ICO believes that this agreement best serves the interests of all Facebook users in the UK.

Commenting on the agreement, James Dipple-Johnstone, the ICO Deputy Commissioner said:

“The ICO welcomes the agreement reached with Facebook for the withdrawal of their appeal against our Monetary Penalty Notice and agreement to pay the fine. The ICO’s main concern was that UK citizen data was exposed to a serious risk of harm. Protection of personal information and personal privacy is of fundamental importance, not only for the rights of individuals, but also as we now know, for the preservation of a strong democracy. We are pleased to hear that Facebook has taken, and will continue to take, significant steps to comply with the fundamental principles of data protection. With this strong commitment to protecting people’s personal information and privacy, we expect that Facebook will be able to move forward and learn from the events of this case.”

Harry Kinmonth, Director and Associate General Counsel, Facebook commented:

“We are pleased to have reached a settlement with the ICO. As we have said before, we wish we had done more to investigate claims about Cambridge Analytica in 2015. We made major changes to our platform back then, significantly restricting the information which app developers could access. Protecting people’s information and privacy is a top priority for Facebook, and we are continuing to build new controls to help people protect and manage their information. The ICO has stated that it has not discovered evidence that the data of Facebook users in the EU was transferred to Cambridge Analytica by Dr Kogan. However, we look forward to continuing to cooperate with the ICO’s wider and ongoing investigation into the use of data analytics for political purposes.”

Social Media and politics

Despite the agreement, it seems that the controversy over how social media is used politically is far from over. Not least because, on the very same day the settlement was reached, Twitter announced that it would stop accepting political ads. This move puts Twitter at odds with Facebook executives who have robustly defended their policy of not fact-checking political ads. But, despite Zuckerberg’s uncompromising stance on this matter, the fact that Twitter has decided not to permit political advertising will put additional pressure on Facebook.

For more data privacy protection news and updates, follow Hayes Connor Solicitors on Twitter and Facebook.


How to avoid push payment fraud

Push payment fraud happens when cybercriminals trick people into sending them money. Because the individual thinks the cybercriminal is genuine, they authorise the handover of cash. The money is then swiftly transferred to different accounts, often abroad, which makes getting it back almost impossible.

Push payment fraud is carried out in many different ways, but ultimately fraudsters are looking to trick you into believing that you are making a payment to someone you can trust.

In some cases, the criminals involved might call hundreds (or even thousands) of people in the hope of deceiving someone. But often these scams are highly targeted and come after hacking a victim’s emails to identify the information needed to defraud them. Push payment fraudsters might also use information violated during a data breach to target their next victims.

Find out more about push payment fraud.

What can you do to protect yourself from push payment scams?

  • Never disclose security details such as your PIN or full banking password
  • Don’t assume an email, text or phone call is authentic. Just because someone knows some personal information about you (e.g. your mother’s maiden name), that doesn’t mean they are genuine
  • Know that banks or other trusted organisations will never contact you and ask for your PIN or full password, or ask you to transfer money to a safe account
  • Be aware who you’re sharing your personal information with. Only give out details to a service you trust and that you’ve contacted directly or are expecting to be contacted by. Even then, do not hand over sensitive information such as your PIN or password
  • Don’t be rushed into handing over personal or financial information
  • If something doesn’t feel right, listen to your instincts. Leave the conversation if it makes you at all uncomfortable
  • Always question who you’re talking to. If in any doubt call them back using trusted contact details (you can usually find these on your bank cards) to check the request is genuine
  • Don’t be afraid to say you’ll get back to someone using the phone number or email address as listed on their website. A legitimate organisation would never try to panic you out of taking security checks
  • Never automatically click on a link in an unexpected email or text
  • Make sure you look at the address bar when logging into a website. A padlock icon means your connection to the site is encrypted, although it does not by itself prove the site is genuine. If a site doesn’t have this padlock icon, do not share any sensitive information
  • If you’re worried that you may be at risk, report it to the Police or Action Fraud straight away.

Getting your money back if you are a victim of push payment fraud

If you have been the victim of push payment fraud and need help getting your money back, there is some good news.

Historically, banks avoided paying push payment scam compensation to victims unless there was a fault in their processes. This is because the customers have authorised the payments. However, because of new regulations, people who have been scammed into transferring money directly to a cybercriminal can expect stronger protections.

If you have been a victim of this form of cybercrime and your bank is refusing to help, we might be able to help you get your money back, as well as compensation for any distress suffered.

To do this, we are considering a group action claim against banks that have failed their clients after they have lost money through no fault of their own. A group action is where a group of people, all affected by the same issue, collectively bring their cases to court. Group actions can be a powerful tool and can have a bigger impact than a single claim.

Find out more about making a Push Payment Group Action Claim

Alternatively, contact us to find out how we can help you to recover any losses. We can help you to claim compensation and steer you through the aftermath of a bank or credit card scam – minimising the impact on you as much as possible.


421 million personal records breached in October 2019

According to cyber risk experts IT Governance, a staggering 421,103,896 data records were confirmed breached last month. Shockingly, that’s considered a good month for data security as the figure only represents about 50% of the monthly average.

October was CyberSecMonth

October was CyberSecMonth. This is an annual campaign, run by the EU, which aims to raise awareness of cybersecurity threats and promote cybersecurity. It does this the same way we do at Hayes Connor – through education and the sharing of good practices.

However, despite the initiative, an IT Governance blog listed all the data breaches and cyber attacks carried out in October. Critically, there were “111 incidents, including several in which sensitive and financial information was compromised”. The post also revealed that it was a “particularly bad month for the UK, with 9 confirmed breaches”.

UK data breaches

The UK-specific incidents which took place in October 2019 included:

Bolton NHS Foundation Trust  

A data breach at Bolton NHS Foundation Trust which saw the personal details of 425 pupils from two Greater Manchester secondary schools ‘misplaced’. The privacy violation occurred when the school nursing service transferred records of children moving from primary to secondary school.

Norfolk and Norwich University Hospital 

A data breach at Norfolk and Norwich University Hospital which resulted in the personal details of 11 patients being sent to the wrong address.

North Devon District Hospital 

A data breach at North Devon District Hospital which saw a patient’s voicemail message, containing personal patient details, becoming the hospital’s answerphone message. Because she had provided her phone number in her message, she was subsequently inundated with calls from patients giving details about their health problems.

PouringPounds.com 

A data breach at money-saving websites used by over 3.5 million which leaked sensitive information onto the dark web. This affected British website PouringPounds.com and Indian sister site CashKaro.com. The data exposed includes bank details, full names, mobile phone numbers, email addresses, plain-text passwords and usernames, IP addresses, and more.

Sonic Jobs 

Data leaks at recruitment sites Authentic Jobs (US) and Sonic Jobs (UK) which exposed 250,000 CVs online.

Home Group 

A breach at Home Group which provides homes to people in England and Scotland. The breach – which affected 4,000 customers – involved names, addresses and contact information.

West Berkshire Council 

A privacy violation at West Berkshire Council after it sent a leisure survey to 1,107 recipients who could all see each other’s email addresses.

UKIP

An alleged theft of data at UKIP after certain individuals were accused of stealing data from the party. In response, the party has suspended its leader and three other members.

Preston Police

A breach at Preston Police force after a receptionist illegally used her force’s confidential database to help her best friend find out about relatives who had been arrested.

Organisations must do more to protect personal data

Commenting on these cases, our managing director and data protection expert Kingsley Hayes said: “Businesses who are not already taking their data protection obligations seriously must step up their data protection practices or face legal action and hefty costs.”

He added: “This is particularly important as a recent Court of Appeal makes it possible for people to make a data breach claim, even if they haven’t suffered financial or emotional damage as a result. If a company does not protect an individual’s data in the way it is legally obliged to do, that person can claim for this data privacy failure. What’s more, people can now seek compensation even if the only personal information breached was their email address.”

Find out more about the recent changes.

Have you been affected by a UK data breach?

In the UK, organisations MUST tell you if they have breached your personal data. They are legally obliged to do this under the Data Protection Act.

But despite this, too often people still don’t know that their data has been breached until they hear that a company has been fined by the ICO (or read about it in an article such as this one).

In such cases, it’s worth finding out whether your data was put at risk. Because, if so, you may have a claim for compensation.

What can you do if you were affected by one of these data breaches?

If you have been the victim of a privacy violation due to an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. At Hayes Connor Solicitors, we’ve been helping people to do just that for over 50 years. So, we know what it takes to make a successful data breach compensation claim.

A data breach can result in financial theft, identity theft, or both. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

But the impact of data breaches goes much further than financial losses. Many victims go on to suffer from stress, anxiety and distress. And, according to Victim Support, the effects of crime can last for a long time. Crucially, if an organisation has failed to protect your personal data, you have a right to claim compensation, even if you haven’t suffered as a result.

In most cases, data breaches happen because of a failure to implement reasonable and robust processes. So, claiming compensation isn’t just in your best interests. The only way organisations will be persuaded to take their responsibilities seriously and make the necessary improvements is by hurting their bottom line.
