Home / News & Resources / News & Updates / December Data Breach Roundup

December Data Breach Roundup

  • Posted on

The festivities of December didn’t bring a halt to data breaches, as various incidents took place in various industries, leaving businesses in hot water and personal data out in the open.

This is our short roundup of the recent work we have been carrying out to support victims of data breaches, as well as a closer look at some of the most significant data breaches that took place in December and important updates to the wider data breach industry.

Have you had your personal data exposed in a data breach? Looking for expert advice and support? Please get in touch today.

Our recent work supporting victims of data breaches

Simplify Group suffer cyber-attack exposing customer data

A cyber-attack that targeted Simplify Group, who own a large number of conveyancing sub-brands, left thousands of homebuyers in limbo as they were unable to complete their purchases.

Simplify was forced to take down several of its online systems in November, affecting sub-brands, including:

  • My Home Move
  • Move with us
  • Premier Property Lawyers
  • JS Law
  • DC Law
  • Advantage Property Lawyers

Concerns have been raised by individuals who have pointed out that Simplify has not confirmed exactly how the incident occurred and whether any personal data was exposed.

Richard Forest, Legal Director at Hayes Connor, commented on the matter, saying: “We have already been contacted by a number of people who are worried about the impact this could have on them at a time when they are already under a significant amount of stress. This obviously has added to that and just before Christmas as well.

“Home moves involve a huge amount of personal data which can be very valuable to the wrong sort of people so Simplify have a duty to all of their customers to let people know what has happened, why and how exactly they have been affected, and to do so immediately.”

The biggest data breaches uncovered in December 2021

Gumtree suffer data leak through simple security flaw

In December, it was reported that classifieds site Gumtree suffered a data leak, which was only discovered after security researcher Alan Monie found that he was able to access personally identifiable data of advertisers – simply by pressing F12 on his keyboard.

F12 opens the developer tools console, which subsequently allows you to view a website’s source code, monitor network requests and view error messages.

Monie found that, by simply viewing the HTML source code, he could see the following information for registered advertisers:

  • Full name
  • Username
  • Account registration date
  • Account type
  • Email address
  • Postcode or GPS coordinates

All of these issues were rectified on December 6, but sellers on Gumtree are likely to have had their personal information exposed for almost a month, if not longer.

Read more about this story here.

Private medical files dumped outside GP surgery

Hundreds of patients’ confidential details were found dumped in a filing cabinet, which was left outside an unused doctors’ surgery. Files were reference cards that included names, dates of birth, addresses and NHS numbers.

The files were left abandoned for days in a doorway of the former Priory Medical Centre in Warwick. A regional commissioning group is said to be investigating how the data breach may have taken place.

A spokesperson for NHS Coventry and Warwickshire Clinical Commissioning Group said: “This data has been recovered and secured, according to information governance procedures, and we are working with the practice to understand this data breach and any potential impact on patients.”

Read more about this story here.

NHS Trust Apologies after leaking details of participants in Covid vaccine trial

The Midlands Partnership NHS Trust was forced to apologise after it previously sent an email to recipients who could all see each other’s addresses. The email was sent to people who were taking part in a Covid vaccine trial.

The Trust claim that, after an investigation, it was concluded that the incident was the result of human error, where the carbon copy – or cc – field was used instead of blind carbon copy.

While the trust tried to recall the email, a letter sent to recipients noted that it could not be sure no-one had opened the email.

Read more about this story here.

Ubisoft admits to Just Dance data breach

Video game publisher Ubisoft disclosed a data breach in December, which exposed certain information about players of Just Dance.

In a post to the Just Dance 2022 community forums, the incident was caused by a misconfiguration that made it possible for unauthorised individuals to access and copy player data, such as GamerTags, profile IDs, Device IDs and Just Dance videos that are shared with the in-game community and on social media.

Ubisoft claims that Just Dance players whose data was exposed will be notified about the exposure of their information via email.

Read more about this story here.

Sainsbury’s payroll hit by Kronos attack

Sainsbury’s was one of the major businesses in both the UK and the US that were affected by a cyber-attack on the payroll system provider Kronos. Sainsbury’s relies on Kronos to log, store and process the hours employees have worked.

The supermarket chain was said to have lost a week’s worth of data for around 150,000 employees.

A Sainsbury's spokeswoman said: "We're in close contact with Kronos while they investigate a systems issue.

"In the meantime, we have contingencies in place to make sure our colleagues continue to receive their pay."

Read more about this story here.

The latest data breach news and announcements

Cabinet Office receive £500,000 fine from Information Commissioner’s Office

The Information Commissioner’s Office (ICO) fines the cabinet office £500,000 for disclosing postal addresses of the 2020 New Year’s Honours recipients online.

The ICO found that the Cabinet Office had failed to put appropriate technical and organisational measures in place which would have otherwise prevented the unauthorised disclosure of people’s information.

Read more about this story here.

ICO launches consultation into its powers

The ICO launched a consultation to collate the views of stakeholders and the public on how it regulates the laws it monitors and enforce.

Three documents have been issued, all of which are designed to give direction and focus to the organisations the ICO regulates.

Chief Regulatory Officer James Dipple-Johnstone said: “Information rights have never been more important or impactful. Now more than ever, we support innovation and economic growth, but both require the public to have trust in the way their personal information is used.”

Read more about this story here.

Speak to our legal experts about a data breach

If you have been a recent victim of a data breach, it may be possible for you to make a compensation claim. This is even if you have not suffered any specific or financial loss. Any company that handles your personal data has a legal obligation to keep it secure, and failing to do so could lead to substantial damages.

At Hayes Connor, we have one of the largest dedicated teams of data breach specialists in the country. We have a wealth of combined experience representing a wide range of clients with various types of data breaches.

Our expert team can work alongside you to help clarify whether you have a claim, how the claims process works and the level of compensation you may be able to receive.

We strive to ensure that anyone affected by a data breach can access the compensation they deserve, making the claims process as straightforward as it can be for our clients.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form.