Hayes Connor Solicitors Data Breach Overview: 2019


Hayes Connor Solicitors is a law firm operating in the data breach and protection sector. We help our clients to claim data breach compensation following privacy violations, GDPR breaches and other cyber offences. A relatively new and evolving area of law, this is all we do. Consequently, we have become a specialist in data protection law. And we lead our field when it comes to understanding the complexities involved.

In this report, we take a look at some of the critical cases and legal developments that have occurred over the last 12 months. By shedding some light on events, we hope to raise awareness of the importance of data privacy. And help businesses and individuals to become fully protected in our increasingly online world.

Kingsley Hayes

Managing Director, Hayes Connor Solicitors.

Kingsley Hayes

Kingsley Hayes

Managing Director

In this report

Key observations

Scrutinising the data protection landscape, here are some of the key trends and insights witnessed by the Hayes Connor team over the last 12 months.

  • The majority of data violations are entirely avoidable

    Cybercrime and data breaches are now commonplace with both private and public sector organisations failing in their data protection duties. But it is preventable human error, rather than cybercrime, that is behind the vast majority of privacy violations. In response, organisations now need to have a full audit of the personal information held, where it has come from, and how it will be used.

  • The ICO appears to be delaying its decisions

    Despite our understanding of the Information Commissioner’s Office (ICO) and its processes, we are concerned about the time some decisions are taking.

    For example, in July 2019, the ICO announced its intention to fine Marriott International £99.2 million and British Airways £183.39 million for infringements of the General Data Protection Regulation (GDPR). Following this announcement, both BA and Marriott International had 28 days to respond. But this period has long since passed.

    Such delays are making it difficult for victims of data breaches to move on with the rest of their lives.

  • More than 40% of ICO fines haven’t been paid

    As well as the delays, in 2019 it came to light that the ICO was still owed 42% of the total amount of fines it had handed out for data breaches, spam, and nuisance calling since 2015. Does the ICO need more powers?  Surely a change in the law is needed to make sure that organisations not only take their data protection responsibilities seriously, but that they suffer the consequences where they don’t.

  • The law sits firmly behind the rights of individuals when it comes to data protection

    This year, The Court of Appeal made a ruling on the Lloyd v Google case, which may open the floodgates to data breach claims.

    The Court decided that claimants would be entitled to compensation even if the only personal information breached was their email address. It also ruled that a claim would be valid without the requirement to prove a loss or damage as the loss of control of the personal information was sufficient grounds.

    The ground-breaking judgement also clarified that firms representing only a portion of the total number of individuals affected in major data breaches, can claim compensation for the entire population affected and can thereafter distribute the funds.

    This is a very significant development which recognises that personal information has a value and when that private data is compromised, the individual has a right to compensation whether or not they have suffered actual, or potential, financial loss or psychological injury.

    Businesses who are not already taking their data protection obligations seriously will have to step up their data protection practices or face legal action and hefty costs.

  • Data protection was at the forefront in the lead up to the general election

    In a politically charged year, data protection was firmly intertwined with wider political developments.

    The ICO wrote to all political parties at the beginning of November reminding them to adhere to data protection laws following its investigation into how data analysis was being used for political purposes. Also, in November, data security was front of stage following two attempted cyber-attacks against the Labour Party.

    With significant amounts of private data being stored, processed and shared by all political parties, the importance of robust cybersecurity measures at all times was firmly highlighted.

    Just before the 2019 general election, Twitter announced that it would ban all political ads. The ICO was likely happy with the move as it had already expressed serious concerns about how data is being used for political purposes. In fact, in 2017 it launched a formal investigation into this very topic.

  • Self-reporting has increased

    GDPR now requires organisations to report data breaches within 72 hours or face penalties. This is likely to be a critical factor in the number of data breach reports being made. On a positive note, anecdotal evidence suggests that businesses are getting better at identifying and reporting cyberattacks. And if organisations are now taking cybersecurity more seriously, this can only be a good thing for individuals.

“Businesses who are not already taking their data protection obligations seriously will have to step up their data protection practices or face legal action and hefty costs”.

Kingsley Hayes, Managing Director, Hayes Connor Solicitors

An overview of the year

January 2019

Two high street banks sent out replacement cards following the Ticketmaster data breach

Nine months after the Ticketmaster data breach, two banks (The Royal Bank of Scotland and NatWest) sent out replacement credit and debit cards for at-risk customers. The bank informed customers that this was a precautionary measure.

However, some people used social media to complain about the way the incident was being handled. In many cases, this was the first time they had heard of the breach. There were also questions about the length of time it took the banks to address this issue. Especially as banking start-up Monzo requested replacement Mastercards for all affected customers in April 2018.

What happened in the Ticketmaster data breach?

The Ticketmaster hack hit around 40,000 people in the UK. It compromised personal and financial information, including customer names, addresses, email addresses, phone numbers, payment details and account login details. Some customers had their cards used by cybercriminals.

Hayes Connor also revealed some worrying stats relating to the Ticketmaster data breach

We crunched the numbers and discovered that:


of all the clients we took on suffered multiple fraudulent transactions on their payment cards


of all clients involved in this case suffered from distress and/or psychological trauma

boutique law firm

Hayes Connor was highly commended as boutique law firm of the year

Hayes Connor Solicitors was highly commended at the Eclipse Proclaim Modern Law Awards in the boutique law firm of the year category.

The prestigious awards, celebrate and identify sparkling talent and success in the modern legal services arena. They also showcase and set the benchmark for best practice in the ever diverse, challenging and exciting legal landscape. The event organisers were overwhelmed with nominations in 2019, receiving more submissions than ever before, so this was a significant achievement by our firm.

As well as the boutique law firm of the year commendation, Hayes Connor was also shortlisted in the Marketing and Communication Strategy of the Year category.

February 2019

Ticketmaster was issued with a Letter of Claim

Hayes Connor sent out a ‘Letter of Claim’ to Ticketmaster. This made us the only UK legal firm launching a multi-party action against Ticketmaster.

Financial services were in the spotlight

Reported data breaches by financial services firms rose 480% in a year. And, in the sector, retail banking saw the most substantial rise in the number of data breach reports, jumping a staggering 2400%*.


Hayes Connor interviewed renowned clinical psychologist Professor Hugh C H Koch

To shed some light on the emotional impact of privacy violations, we interviewed renowned clinical psychologist Professor Hugh C. H. Koch – visiting professor in law and psychology at Birmingham City University School of Law – to find out more about the typical psychological effects experienced by victims of data breaches. This interview featured in Today’s Legal Cyber Risk.

“Data breach victims typically experience high levels of anxiety, specific to the data breach but also generalised to other aspects of dealing with correspondence, telephone and digital communication and payment for services. Victims experience social anxiety, with difficulties dealing with friends and neighbours, tradesmen, shopping transactions and can develop oversensitivity or paranoia in their communications with others. They can also develop varying aspects of mood disturbances or depression especially including poor sleep and tearfulness.”

Professor Hugh C. H. Koch 

It was a bad month for local authorities

Almost 6,000 people had their data breached after a City of York Council app was hacked.

A damming report found that Sandwell Council suffered 500 data breaches in just five years.

Wokingham Council suffered its fifth data breach in a year.

March 2019

The Police Federation of England & Wales (PFEW) suffered a data breach

120k police officers across England & Wales had their personal details exposed. The violation occurred as a ransomware cyber-attack hit the PFEW headquarters. It took almost two weeks to inform the affected parties.

TeamSport Indoor Karting employees had their data breached

TeamSport Indoor Karting suffered a significant data breach involving former employees of the company. In a letter to those involved, TeamSport Indoor Karting said that a file was released in error on Friday 22nd March. This file contained personal information relating to their previous employment with the company.

Data breach pitfalls in the event of a no-deal Brexit were raised

Our MD and data protection heavyweight Kingsley Hayes featured in Legal Futures advising businesses on how to prevent data protection breaches in the event of a no deal Brexit.

As we enter a new era, the majority of businesses will need to look at several different aspects of how they operate and continue to deliver their products and services while avoiding data breach pitfalls and other Brexit challenges.”

Kingsley Hayes, Managing Director, Hayes Connor Solicitors


Also in March, we featured in Legal Futures to raise awareness of our#NotJustHackers campaign.

This campaign highlights that the vast majority of data protection violations are due to human errors rather than malicious, deliberate cyber-attacks.

April 2019

Ticketmaster data breach was highlighted on the BBC

In April 2019, our multi-million-pound damages claim against Ticketmaster was issued in the High Court. The BBC covered news of our High Court action against Ticketmaster.


The number of clients Hayes Connor represented in the Ticketmaster data breach.

£5 million

The estimated total value of our claim against Ticketmaster.

The Bounty pregnancy club was fined

The Bounty pregnancy club was fined £400,000 after it illegally shared the personal information of more than 14 million people.

While the fine was among the highest ever issued, the breach happened under the UK’s old data protection laws and before the introduction of the GDPR. This capped the potential fine at £500,000. Under the new data protection regime, the maximum fine for a company of Bounty’s size is now €20m (£17m).

What happened in the Bounty pregnancy club data breach?

Bounty provides free samples, vouchers and guides to new parents and expectant mothers. These parents can sign up through its website and mobile app, and are even directly recruited on maternity wards.

In a shocking breach of trust, between June 2017 and April 2018 the Bounty pregnancy club shared approximately 34.4m records with 39 organisations, without its users’ permission. The data shared was sensitive and included information about potentially vulnerable new mothers, mothers-to-be, and very young children.

The ICO issued a fine for the Police Gangs Matrix breach

The ICO fined the London Borough of Newham £145,000 after a breach disclosed the personal information of more than 200 people who featured on the controversial Gangs Matrix.

The Gangs Matrix was set up following the 2011 London riots. It contained the names and personal details of thousands of people. According to the Met, these individuals either posed a risk of committing gang violence, or of becoming victims. Concerns were raised that the matrix violated human rights. Not least because young black men and boys made up more than three-quarters of the list. What’s more, the Guardian found that in one London borough, 40% of young people on the list had “zero” risk of causing harm.

Google admitted giving hundreds of firms access to your Gmail inbox

Google admitted giving hundreds of firms access to its users’ Gmail inboxes. In a letter to lawmakers in the US, the multinational technology giant said that third-party developers could both access and share data from Gmail accounts. First published in the Wall Street Journal, Google’s head of US public policy revealed that: “Developers may share data with third parties so long as they are transparent with the users about how they are using the data”.

The ICO launched a consultation on a Code of Practice to help protect children online

The ICO introduced a new set of standards that all online services must meet to safeguard children’s personal data. This code set out what is expected of those responsible for designing, developing or providing online services likely to be accessed by children. This includes apps, connected toys, social media platforms, online games, educational websites, streaming services, etc. The code is not restricted to services specifically directed at children, it also applies to online services that process the personal and sensitive data of children.

The government suffered two serious data breaches

Windrush data breach

The Home Office admitted that an administrative error exposed the email addresses of hundreds of Windrush migrants. These recipients had all signed up to be kept informed about the Windrush compensation scheme which was launched the previous week.

EU Settled Status data breach

In another “administrative error”, the Home Office failed to conceal email addresses in a group communication. This email was sent to applicants of the EU Settled Status scheme. The controversial scheme allows EU nationals and their families to secure their rights in the UK after Brexit.

The government’s annual Cybersecurity Breaches Survey 2019 was released

The government published its annual Cyber Security Breaches survey. This looked at how UK organisations approach cybersecurity. It also looked at the impact of a data protection breach. Key findings included:

  • Size matters

    Data breaches and cyber-attacks were more prevalent within medium sized businesses (60%) and large organisations (61%).

  • Businesses are not taking their responsibilities seriously enough

    Only 30% of businesses had made improvements to their cybersecurity since GDPR.

  • Phishing is a significant threat

    The most common attacks were phishing emails, with 80% of businesses experiencing breaches or attacks.

  • Cyber-security incidents decreased in 2019

    The overall figures for identified data breach or cybersecurity incidents decreased from 43% in 2018 to 32% in 2019.

Hayes Connor discussed AI

As the use of artificial intelligence increased, we told Today’s Legal Cyber Risk that enhanced technology meant that the security of personal data is even more vulnerable. However, human error remained a greater threat than hackers.

May 2019

Push Payment Fraud code came into effect

A new voluntary code was introduced to provide greater protection to consumers. It saw a commitment from banks and building societies to reimburse victims of push payment fraud. While the change was welcomed, we argued that more needed to be done.

Find out more about push payment fraud. 

“Banks have historically been reluctant to reimburse customers who have found themselves victim to this type of fraud arguing that the customer had been negligent. The new rules mean that financial institutions that are signed up to the code will now reimburse victims for any financial loss if they can demonstrate that they have taken reasonable care.

“More needs to be done however, to counter scammers’ ever more creative and highly convincing means and methods of stealing significant sums. The new rules will go some way to compensating victims’ financial loss, however, may not consider other losses suffered which can include psychological distress and time taken off work as a direct result of a scam. Prevention is key and wider awareness and vigilance is required”.
Kingsley Hayes, Hayes Connor Solicitors

What is Push Payment Fraud?

Push payment fraud (also called APP fraud) happens when cybercriminals deceive individuals into sending them money. Because the victim believes the fraudster to be genuine, they authorise the handover of cash. The money is then quickly transferred to different accounts, often abroad, which makes getting it back almost impossible.

Data Breach Investigations report was published

The 2019 Data Breach Investigations Report was published by Verizon.

Amongst the 41,686 security incidents in both the public and private sector organisations, across 86 countries, the report found that:


affected small businesses.


Of all incidents were experienced by the public sector.


Of all incidents were experienced by healthcare organisations.


Of all incidents were experienced by the financial sector.


of data breach incidents were a result of hacking.


Of incidents were due to human error or occurred following data misuse by authorised users.

Kingsley Hayes commented on the report in in Legal Futures.

“The findings will be a surprise to many small business owners, particularly as the data breaches that hit the headlines are those impacting high profile brands. It exposes the fact that no business, large or small, is immune from cyber security risks or data breaches resulting from human error”.

Kingsley Hayes, Managing Director, Hayes Connor Solicitors

TalkTalk data breach hit the headlines

Also in May, BBC Watchdog Live revealed that TalkTalk failed to inform 4,545 customers that their personal information was stolen as part of a 2015 data breach. Making matters worse, BBC researchers found details for many customers online after a simple Google search. This information included full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details. This information could have been accessible online since the breach.

What happened in the TalkTalk data breach?

In 2015, a TalkTalk data breach saw the personal information of 157,000 customers stolen. TalkTalk spotted issues with its website and immediately launched an investigation before warning customers. However, the ICO found that that insufficient security at the company permitted customer data to be accessed “with ease”. The ICO also said that TalkTalk could have prevented the data breach if it had taken basic steps to protect its customers’ information.

In response,  TalkTalk was fined £400,000. Two friends from Staffordshire (aged just 21 and 23), breached the TalkTalk website as part of a group of hackers. They have since gone to jail.

June 2019

Hayes Connor hit back

As data breaches continued to rise, we started to see media reports asserting that data breach claims are the new PPI, and comparing data protection lawyers as “ambulance chasers”.

In response, we argued that, every day, privacy breaches are causing misery and upset to people across the UK. And, with organisations failing to take their data protection responsibilities seriously, we asserted that something had to be done to make companies accountable for such loss and anguish – and to ensure that failing organisations implemented more secure processes.

Perhaps it was time to turn the spotlight on those businesses not doing enough to meet their legal obligations under the GDPR?

Cryptocurrency wallet service GateHub was involved in a huge data hack

A statement published on the GateHub blog admitted that some customers had had their ledger wallets hacked and funds stolen. GateHub offers a digital wallet to store cryptocurrencies. Cybercriminals managed to steal 24 million XRP Tokens (commonly referred to as ‘Ripple’) from more than 200 individual GateHub user accounts. In total, the theft is thought to be valued at over $US 10 million. Find out more about cryptocurrency fraud.

Mermaids suffered a data breach

Mermaids UK, a charity that supports transgender children and young people, experienced a severe data breach. According to an article in the Sunday Times, the Mermaids data breach exposed thousands of private emails between the charity and parents. The emails were made public online.

True Visions Productions (TVP) was fined for data breach

A TV production company was fined after filming expectant mums without their permission. True Visions Productions (TVP) was making a Channel 4 documentary on stillbirths. TVP had the hospital trust’s permission to be on site. But the company did not explicitly warn all visitors about the filming. Nor did they get acceptable permission from those affected by the filming. As a result, TVP unfairly and unlawfully filmed patients and was fined £120,000 by the ICO.

Hayes Connor discussed the issue of data privacy as a mental health issue

We talked to Pro Privacy about the mental health implications on individuals following a data breach and discussed why this is often overlooked by organisations who have failed to protect their personal information.

“There is a significant lack of understanding and recognition of the psychological impact on individuals whose confidential information is not held, and used, correctly. The damage can, in some cases, surpass the resulting – and potential – financial losses as individuals’ mental health and wellbeing is affected leading to a rise in claims for psychological harm following a data breach.”

Kingsley Hayes, Managing Director, Hayes Connor Solicitors

July 2019

As we moved into the summer, Hayes Connor Solicitors reported a surge of new data breach enquiries.

Two HUGE data breach fines were annouced

£183.4 million

British Airways

The ICO announced that it planned to fine British Airways £183.4m following its data breach in 2018. British Airways said that it was surprised and disappointed about the huge penalty and said that it planned to appeal the decision.

Commenting on the news Kingsley Hayes said:

 “The ICO has sent a clear message to all businesses – follow the law and protect customers’ personal information or pay a hefty penalty. Hayes Connor is representing 450 British Airways customers whose personal information was violated – including login details, payment card information, names and addresses.

 “Placed in the wrong hands, these details can be used to obtain credit fraudulently causing havoc, significant financial loss and psychological distress to those affected. Reports state that the international airline will be appealing the decision claiming that it had found no evidence of any financial loss to date as a result of the harvesting of 500,000 customers’ details.

 “It is unlikely that this appeal will stand as hackers with this much stolen data are likely to use it in batches over time. In the meantime, the stress and anxiety suffered by affected customers is significant.

 “Organisations have a legal obligation to take all the necessary measures to adequately protect the personal information held by them – this includes implementing robust cybersecurity to prevent hackers from obtaining private data as was the case with British Airways.

 “We estimate that each of our clients is entitled to an average of £1,650 each, the figure will be higher for those who have been medically affected.”

£99.2 million


The ICO announced plans to fine the US hotel group £99.2 million for its data breach. Marriott said that it would appeal the fine.

Kingsley Hayes, said:

“The ICO has started to show its teeth with two international organisations facing significant fines this week. Marriott International suffered a cyber-attack in 2014 affecting millions of its guests yet the incident was not discovered until four years later.

 “This raises serious questions about the robustness of its cybersecurity and the frequency that Marriott reviews its data protection measures which is evidently lacking. Interestingly, both British Airways and Marriott International have stated that they will contest the fines indicating that businesses are still underestimating the serious implications, both in the short and long term, on affected customers.”


What happened in the Marriott data breach?

In September 2018, Marriott became aware that hackers had managed to access its Starwood guest reservation database. When investigating the breach, it was uncovered that cybercriminals had enjoyed access to this database since 2014.

During this time the hackers accessed, copied and removed the private data of millions of customers. The stolen data included information such as passport numbers, emails, dates of birth, gender and mailing addresses, and in some cases reservation dates. Marriott, also said that it was not able to rule out whether credit card information was exposed.

Equifax agreed to pay $700m

Equifax agreed to pay up to £561m ($700m) to settle its data breach case in the US. The huge fine was the FTC’s largest data-breach settlement to date. None of this money will go to UK victims.

What happened in the Equifax data breach?

Hackers gained access to Equifax’s systems. The second-largest credit reference agency in the UK, Equifax is used by a wide range of companies to assess whether to give you credit cards, loans, mortgages, etc. So, even if you are not a customer, it could hold a wealth of information about you.

The ICO published its annual report

Key findings included:


The number of public data protection complaints made to the ICO almost doubled in 12 months to 41,661.


The number of businesses contacting the regulator increased by 66%.


Just 34% of consumers trusted organisations to adequately protect their personal information.


Nearly two-thirds of data protection officers had seen an increase in customers and service users exercising their information rights since GDPR came into effect.

Lancaster University suffered a data breach

Lancaster University became the latest organisation to suffer at the hands of cybercriminals after a “sophisticated and malicious phishing attack”. The data breach affected between 12,000 and 20,000 people. The personal information accessed included names, addresses, phone numbers and email addresses. Worryingly, the university also admitted that fraudulent invoices “had been sent to some undergraduate applicants”.

Leicester City fans were put at risk following a data breach

A data breach compromised the personal and financial details of supporters registered with Leicester City Football Club. The data breach impacted customers signed up to its online fan store. Cardholder names, card expiry dates, card numbers, and the three-digit CVV anti-fraud numbers were all put at risk.

Internet-related litigation was in the spotlight

Kingsley Hayes commented on Business Up North about the hidden dangers of internet use and the predicted rise in data breach claims against businesses who not only hold, but distribute data including manufacturers of equipment such as smartphones.

“Along with all the benefits of the internet we now seem to take for granted, are hidden dangers, especially, around data security. A data breach typically affects not one or two users but thousands of individual whose personal and financial data has been unlawfully shared with third parties.”

Kingsley Hayes, Managing Director, Hayes Connor Solicitors

Hayes Connor was appointed was as Data Protection Supplier to Communication Workers Union

Hayes Connor Solicitors was appointed to deliver data protection claims support to nearly 200,000 members of the Communication Workers Union (CWU). CWU is the largest union for the communications industry in the UK and includes members from the postal, telecoms, mobile, administration and financial sectors. Members of the organisation include the Royal Mail, Telefonica 02, UK Mail and BT, EE, Virgin Media and Santander.

“We are extremely proud to be working with an association as large as the Communication Workers Union which has a long history of campaigning to raise the voice and protecting the rights of its members. There is a strong synergy in our values and commitment to protecting individuals, so we are delighted to be working with its legal team to represent members when their data protection rights have been violated.”.

Kingsley Hayes, Managing Director, Hayes Connor Solicitors

August 2019

The Legal Ombudsman data breach was in the spotlight

Hayes Connor featured in the Law Gazette with news of our data breach claim against the Legal Ombudsman. In this breach, the Ombudsman circulated an email to a number of recipients exposing all their email address details.

There was another British Airways data breach

A vulnerability with British Airway’s check-in procedures, once again, exposed passenger information. In the latest British Airways data breach, researchers at security firm Wandera uncovered unencrypted links within BA’s e-ticketing process. They warned that this vulnerability meant that attackers could easily intercept these links. This meant that they could access and change the flight booking details and personal information of passengers.

Questions were asked about what it would take to make BA meet its legal responsibilities and protect its passengers.

Report revealed that the majority of data breaches occur due to preventable human error

We featured on Today’s Legal Cyber Risk commenting on a report exposing that, while employees were recognised by businesses as the greatest risk to data protection, many were still not providing adequate preventative measures, including educating staff.

Hayes Connor saw an eight-fold increase in claims

In August, we reported an eight-fold increase in claims in the past 12 months. This came after our firm saw a surge in both mass data breaches and individual cases following data protection violations in the public and private sectors.

“Since GDPR came into effect, there have been a number of high-profile data breaches involving the private details of thousands of UK consumers. Hayes Connor has experienced significant growth in this period which has been driven both by greater accountability following GDPR and heightened consumer awareness.

“We have continued to invest in our people, our systems and our marketing to deliver an exceptional service to clients who have suffered potential, or actual, financial losses and who may also have experienced mental health issues as a result.

“The cost to businesses who fail in their data protection obligations is rising. We estimate that the cost of compensation for damages will be upwards of £20 million following mass data breach incidents such as Ticketmaster, British Airways and Marriott International.

“This is in addition to the hefty fines now being issued by the ICO. Insurance underwriting in relation to cyber insurance is likely to be tightened in the coming months, particularly as reports show that the vast majority of businesses are still failing to implement robust measures to prevent incidents from taking place.

“Businesses need to urgently review their cybersecurity to avoid facing increasing, and potentially uninsured or uninsurable risks around claims costs.”
Kingsley Hayes, Hayes Connor Solicitors

September 2019

A settlement was agreed in the Yahoo data breach case

Yahoo confirmed that it was nearing a $117.5 million settlement. This pay-out was designed to end a massive class-action lawsuit for the series of data breaches. However, the money would only be given people who live in the US and Israel.

What happened in the Yahoo data breach?

Yahoo suffered a series of hacks by organised crime groups between 2012 and 2016. These attacks were possible due to systemic failures in its cybersecurity systems. One of the worst Yahoo data breaches happened in 2014. In this hack, a Russian state-sponsored cyber-attack saw personal data stolen from over 500 million customers worldwide.

Teletext was the latest to be hit by a data breach

It was revealed that Teletext, the trading name for package holiday firm Truly Travel, risked customers’ personal data after 212,000 customer call recordings had been left on an unprotected server for three years. We commented on the Teletex data breach on Today’s Legal Cyber Risk. Kingsley Hayes said that the latest breach was a stark reminder that storing private information in the cloud does not mean that that data is automatically secure.

Hayes Connor discussed why the exposure of smartphone security risk demonstrated a worrying trend

Kingsley Hayes raised concerns about data protection on mobile phones following news that a serious cyber security risk had been exposed affecting one billion smartphones. The significant gap in security was only identified following an independent third party’s research. This issue was covered in Today’s Legal Cyber Risk.

“The finding demonstrates a worrying trend of businesses only realising lax cyber security when it is exposed by a third party. This indicates that implementing robust preventative measures, and regularly reviewing cyber security, is still not top of the agenda – as it should be – for far too many organisations”.

Kingsley Hayes, Hayes Connor Solicitors

Symphony Legal

Hayes Connor was highly commended in Innovative Marketing award

Hayes Connor Solicitors was highly commended for its innovative marketing at The Symphony Legal Annual Conference.

The Symphony event is designed to spark inspiration, ideas, and innovation for anyone involved in running a law firm. Hayes Connor was recognised for our client-focused approach to marketing. In particular, we were praised for our use of technology to simplify the enquiries process and increase the speed of response, alongside our commitment to raising awareness of consumer data protection rights.

“Our approach has helped consumers to feel informed and confident when starting a claim. But it’s just as important that we make it easy for individuals to claim following a data breach which may have an impact on them financially and psychologically, either now or in the future. And we have also invested heavily in this area. We are delighted to be recognised amongst our peers for our efforts and commitment to our customers.”

Kingsley Hayes, Hayes Connor Solicitors

October 2019

It was Cybersecurity Awareness Month

October marked Cybersecurity Awareness Month, an annual reminder for businesses and individuals that cybersecurity risks are ever-present,  and that data protection is everyone’s responsibility. However, according to cyber risk experts IT Governance, a staggering 421 million personal data records were confirmed breached in October 2019. Shockingly, that was considered a good month for data security.

The UK-specific incidents which took place in October 2019 included:

A data breach at Bolton NHS Foundation Trust which saw the personal details of 425 pupils from two Greater Manchester secondary schools ‘misplaced’. The privacy violation occurred when the school nursing service transferred records of children moving from primary to secondary school.

A data breach at Norfolk and Norwich University Hospital which resulted in the personal details of 11 patients being sent to the wrong address.

A data breach at North Devon District Hospital which saw a patient’s voicemail message, containing personal patient details, becoming the hospital’s answerphone message. Because she had provided her phone number in her message, she was subsequently inundated with calls from patients giving details about their health problems.

A data breach at money-saving websites used by over 3.5 million which leaked sensitive information onto the dark web. This affected British website PouringPounds.com and Indian sister site CashKaro.com. The data exposed includes bank details, full names, mobile phone numbers, email addresses, plain-text passwords and usernames, IP addresses, and more.

Data leaks at recruitment sites Authentic Jobs (US) and Sonic Jobs (UK) which exposed 250,000 CVs online.

A breach at Home Group which provides homes to people in England and Scotland. The breach – which affected 4,000 customers – involved names, addresses and contact information.

A privacy violation at West Berkshire Council after it sent a leisure survey to 1,107 recipients who could all see each other’s email addresses.

An alleged theft of data at UKIP after certain individuals were accused of stealing data from the party. In response, the party has suspended its leader and three other members.

A breach at Preston Police force after a receptionist illegally used her force’s confidential database to help her best friend find out about relatives who had been arrested.

The Court of Appeal made a ground-breaking ruling on data protection

A data protection case against Google resulted in a huge win for individuals and their data privacy rights. The legal action [Lloyd v Google] related to events that took place nearly a decade ago. The result of this case made it much easier for people to make a data breach claim.


What happened in Lloyd v Google?

Between 2011 and 2012, Google used cookies on Apple’s Safari web browser to collect data about its users. This included information on health, race, ethnicity, sexuality and finance. It is alleged that this happened even if someone changed their setting to “do not track”. In response, a group action was launched to help people challenge the big technology company over this data privacy violation. But, in October 2018, the case was thrown out.

However, this case was taken to appeal. And, in a “ground-breaking” ruling, the Court effectively reformed the data breach claims process.


The Court of Appeal decided that data breach claims are valid, even if someone hasn’t suffered financial or emotional damage as a result. If a company does not protect your data in the way it is legally obliged to do, you can claim for this data privacy failure.


People can now seek compensation even if the only personal information breached was their email address. Everyone has the right to the protection of their personal data. Especially when such data has an economic value (e.g. it can be sold).


There are now different ways to join a group action claim, depending on how you have been affected. This made the group action claims process easier. The type of action required for each case will depend on the exact breach.

“This is a very significant development which recognises that personal information has a value and when that private data is compromised, the individual has a right to compensation whether or not they have suffered actual, or potential, financial loss or psychological injury.

“The ruling rightly adds further weight and consequence to any breach of personal data, even if a breach only involves an individual’s email address. This is likely to open the floodgates as consumers become increasingly proactive about protecting their privacy rights and seeking legal redress.

“Businesses who are not already taking their data protection obligations seriously will have to step up their data protection practices or face legal action and hefty costs.

“The development is fair and right providing robust clarity that the law sits firmly behind the rights of individuals to have full control of all their personal information and how, when and where this is stored, processed or shared.”

Kingsley Hayes, Managing Director, Hayes Connor Solicitors

Hayes Connor issued a landmark £100 million data breach claim against Equifax

In October 2019, Hayes Connor Solicitors was the first in the UK to serve a data breach claim in the High Court. The action could see Equifax ordered to pay up to £100 million in compensation to its estimated 15 million UK customers affected by its 2017 data breach.

To make it easy for people affected by the breach to join this action, we also launched a bespoke Equifax data breach claims website.


British Airways data breach group action got the go-ahead

British Airways customers were given permission to launch compensation claims against the airline following a huge data breach in 2018. At the High Court, Mr Justice Warby granted a group litigation order, paving the way for the group action against BA.

Twitter banned political ads

Twitter announced that it would ban all political ads. The move came in advance of the 2019 UK General Election.

An agreement was reached between Facebook and the ICO

An agreement was finally reached between Facebook and the data protection regulator (ICO). This came after Facebook was accused of failing to protect the personal data of its users. As part of this agreement, Facebook agreed to pay a £500,000 fine but made no admission of liability.


What happened in the Facebook data breach?

In 2018, a whistle-blower revealed how Facebook data was harvested to target American voters on behalf of Donald Trump’s election team. Speaking to journalists, Christopher Wylie, an ex-employee of data analytics firm Cambridge Analytica, said that millions of Facebook profiles were harvested and used by his then employer to influence the US presidential election. There were also concerns over whether illegally acquired data was used to target voters and influence the EU referendum result.

Furthermore, while Facebook found out about the breach in 2015, the social media giant failed to alert its users, and did not take adequate steps to recover and secure the private information. In response, the ICO launched an investigation into the activities of Facebook and the retention, sharing and distribution of data illegally in the UK. As part of that investigation, on 24 October 2018, the ICO issued a penalty of £500,000 against Facebook. However, rather than paying the ICO fine, Facebook filed an appeal.

Hayes Connor featured on a GDPR podcast

In October 2019, Hayes Connor featured on The GDPR Weekly Show podcast with news of our client’s successful data breach claim against his local NHS Trust after it shared confidential details from his medical records without consent (listen from 11 minutes, 13 seconds).

The podcast also featured news of our team’s landmark representative action against Equifax worth an estimated £100 million (listen from 28 minutes, 14 seconds).

November 2019

Hayes Connor saw a surge of interest in British Airways data breach claims

In good news for consumer-rights, the Court gave its permission for official legal action to be launched against the airline. In November 2019, we reported that, since this decision, lots of new clients had contacted us to join our BA group action case.

Two attempted cyber-attacks on the Labour Party were exposed

Robust cybersecurity was front of stage again as news of two attempted cyber-attacks on Labour were exposed. The party claimed that no personal data has been breached in what was described as “large scale and sophisticated” attacks.

OnePlus admitted to a data breach

OnePlus emailed customers to let them know that their personal information was at risk. Worse, OnePlus confirmed that the hack had resulted in customer order information falling into the hands of an unauthorised third-party.

It was clear that OnePlus had neglected to protect its customers’ privacy rights. So, in response, we looked to launch a no-win, no-fee action for everyone who had their data privacy violated in the OnePlus data breach. We also set out how customers could protect themselves following the OnePlus data breach.

Over a million T-Mobile customers were hit in data breach

T-Mobile suffered a severe data breach. Over a million pre-paid customers were believed to be affected.

Hayes Connor appointed another expert barrister to our Ticketmaster team

As our case against Ticketmaster moved forward, we appointed another barrister to our Ticketmaster data breach team.

Morrisons began a new appeal over data breach fine

Supermarket Morrisons began another attempt to exonerate itself after it was found legally responsible by the High Court and the Court of Appeal for a large-scale data breach. The appeal was heard before the senior justices of the Supreme Court, including the president of the Supreme Court, Lady Hale.

What happened in the Morrisons data breach?

In 2014, a disgruntled employee at Morrisons, published the payroll data of almost 100,000 Morrisons staff online.

The employee was sentenced to eight years in prison for the criminal act. But he wasn’t the only one to face the consequences of his actions. In 2015 – in the first group litigation of its kind in the UK – 5,518 people brought a claim against Morrisons for misuse of private information and breach of confidence.

In December 2017, despite acknowledging that Morrisons had taken all the appropriate steps to prevent a breach, the High Court found that the company was primarily liable for its own acts and omissions (such as not ensuring the proper security measures to protect the data). The judge also ruled that Morrisons was “vicariously liable” for their employee’s actions. The Court granted Morrisons permission to appeal the vicarious liability decision, but in 2018, The Court of Appeal upheld the original decision against the supermarket.

December 2019

Hayes Connor talked to the Sunday Times

Kingsley Hayes spoke to the Sunday Times about the Hayes Connor data breach action against Ticketmaster. You can read this article in full here.

Equifax filed its defence

Equifax filed its defence and we began studying this in detail with our expert barristers.

The Court put a Group Litigation Order in place for the BA data breach

This Order allowed us to manage the British Airways claims collectively (group action).

1,000 New Year Honours recipients suffered a data breach

While most of us were enjoying a well-earned break, the home addresses of 1,000 people were posted online. In this case, the impact of the data breach could have far-reaching repercussions as those affected included high-profile individuals such as Sir Elton John and Olivia Newton-John. Politicians (including former Tory leader Iain Duncan Smith) and serving police officers were also impacted by the breach.

Hayes Connor Solicitors in 2019

Key developments in 2019

In 2019, we celebrated a number of significant wins and developments at our firm. We’d like to share some of these with you.

8 new people joined the Hayes Connor team.

We opened over 4,500 data breach cases.

We won over £500,000 in damages for our clients.

We were highly commended in two legal awards and shortlisted for two 2020 awards.

We reviewed the look and flow of our website to make sure clients could find everything they needed as quickly as possible.

We were the only UK legal firm to launch a multi-party action against Ticketmaster.

We were appointed as Data Protection Supplier to Communication Workers Union.

We issued a landmark £100 million data breach claim against Equifax.

We were appointed to the Modern Law magazine editorial board.

We manged in excess of £5 million worth of claims.

75% of our claims were concluded in under 9 months.

We secured the largest amount of compensation for an individual claimant. In this case the client was awarded £100,000.

We saw the average amount recovered for clients increase by over 25%. We are anticipating further growth in 2020.

We were kept busy with a 125% increase in claims received and processed for clients compared to 2018.

About Hayes Connor Solicitors

The UK’s leading data breach law firm

At Hayes Connor, we are true experts in data breach law. This is all we do, and we have been doing it longer than most other solicitors. We lead our field when it comes to understanding the complexities involved. What’s more, we have been working to defend consumer rights for over 50 years.

As well as our experienced lawyers, our team also includes some of the UK’s best data breach barristers. This ensures our clients get the very best level of legal support available.

A lack of care and understanding about data breach law can leave victims open to advice and representation below the standard expected. And this could see people lose out financially as a result.  But, despite being the most experienced data protection solicitors around, we also provide no-win, no-fee funding arrangements. So our clients don’t have to worry about costs. There are no hidden charges or administration fees.

Importantly, while we are experts in group actions, we also deal with smaller individual cases. And we understand that for those involved the experience can be devastating. So, regardless of the details, we never belittle anyone’s experience.

And, because making a data breach claim is stressful enough without having to chase your solicitor, we provide regular updates, so our clients always know what’s happening.

Together, this experience and expertise ensures that our data breach solicitors are unmatched in the UK.

2019 Group Actions


Contact Hayes Connor Solicitors today for a free, no-obligation, initial assessment of your case

You can call us on 0330 041 5137.
Or email us enquiries@hayesconnor.co.uk

If you would like to speak to us about your data breach or computer crime experience and find out how much compensation you could be entitled to, contact Hayes Connor Solicitors today for a free, no-obligation, initial assessment of your case.

If you have a reasonable chance of winning, we will act for you on a NO WIN, NO FEE basis. That means, if your compensation claim is unsuccessful, you’ll have absolutely nothing to pay. So, there is nothing to lose by getting in touch.

Your call is completely confidential, and there’s never any obligation to make a claim. What’s more, our process is fully compliant with ICO guidance and we never put your details at risk. We will NEVER pass your details onto anyone without your permission.

Media enquiries

For media enquiries, please contact the Hayes Connor PR team by email here.
Or for urgent enquiries, call our PR team on 0151 363 5859.