September Data Breach Roundup


September was as busy a month as ever in the world of data breaches, with plenty of high-profile incidents taking place in a number of different sectors.

This is our short roundup of the most significant data breaches that hit the news in September, as well as some notable updates related to the wider data breach industry.

Have you had your personal data exposed in a data breach? Looking for expert advice and support? Please get in touch today.

The biggest data breaches uncovered in September 2021

Ministry of Defence launches investigation into data breach involving details of Afghan interpreters

The Ministry of Defence (MoD) has launched an investigation into a data breach involving the details of 250 Afghan interpreters who are eligible to come to the UK. The majority of the individuals affected by the breach are still in Afghanistan, having been left behind following the withdrawal of UK troops in August.

An MoD spokeswoman has indicated that 250 email addresses are part of the breach, but it has not been clarified whether they contain the names or photos of the translators.

It has been reported that the breach stemmed from an email sent by the UK government to the interpreters, with all of their email addresses visible. The email was sent by the Afghan Relocations Assistance Policy (ARAP) team, which is led by the Home Office and MoD.

Read more about this story here.

61 million fitness tracking records exposed via unsecured database

An unsecured database containing over 61 million customer records related to wearable technology and fitness services was exposed online, leading to a significant data breach. Cybersecurity researchers found that the database belongs to GetHealth, a firm that pulls health-related data from sources such as Fitbit, Strava and Google Fit.

Researchers have reported that the customer records contained in the data repository included a vast amount of user information, including names, dates of birth, weight, height, gender and GPS logs.

It is not clear how the records were exposed or who else may have had access to the dataset. Upon being notified of the breach, GetHealth responded quickly to secure the system.

Read more about this story here.

Personal details of French visa applicants exposed

The personal details of more than 80,000 people who have applied for French visas have been exposed following a reported cyber-attack, which struck a section of the France-Visas website.

The French Ministry of Foreign Affairs and Ministry of Interior announced in a statement that the attack had been neutralised, but details including names, dates of birth, nationalities and passport numbers were still exposed.

In line with the GDPR’s definitions, no ‘sensitive’ data was compromised in the breach.

Read more about this story here.

Data of 106 million visitors to Thailand breached

An unsecured database containing the personal details of more than 106 million international travellers to Thailand was left exposed online, with records dating back over 10 years.

The database included full names, passport numbers, arrival dates and more. It’s surmised that any foreign visitor to Thailand in the previous 10 years may have had their information exposed in the incident.

The Thai authorities were immediately alerted to the incident once it was discovered, acknowledged it and secured the data the following day.

Read more about this story here.

The latest data breach news and announcements

ICO announces fines totalling £495,000 to multiple companies for nuisance calls

We Buy Any Car, Sports Direct and Saga were issued separate fines by the ICO, after sending more than 354 million nuisance messages between them.

We Buy Any Car was fined £200,000 for sending 191 million emails and 3.6 million nuisance texts, Saga was fined £150,000 and £75,000 for instigating more than 157 million emails, and Sports Direct was fined £70,000 for sending 2.5 million emails.

None of the three companies had permission to send these marketing emails or texts, which is why the ICO took action.

Read more about this story here.

ICO call on G7 companies to tackle cookie pop-ups challenge

The ICO called on fellow G7 data protection and privacy authorities to work together to overhaul cookie consent pop-ups, in an attempt to provide meaningful protection for people’s privacy.

The ICO presented its vision for the future, where web browsers, software applications and device settings allow people to set lasting privacy settings of their choosing, rather than having to do that through pop-ups every time they visit an individual site.

Information Commissioner Elizabeth Denham said: “The cookie mechanism is also far from ideal for businesses and other organisations running websites, as it is costly and it can lead to poor user experience. While I expect businesses to comply with current laws, my office is encouraging international collaboration to bring practical solutions in this area.”

Read more about this story here.

ICO issue guidance to universities and colleges for sharing data in an emergency

Universities and colleges often handle very sensitive data belonging to their students but are often hesitant to share this data in emergency situations, citing data protection as the reason.

As noted by the ICO in a September blog post, universities and colleges should do whatever is necessary and proportionate to protect someone’s life. Data protection laws dictate that organisations can share personal data in an urgent situation, including to help them prevent loss of life or serious physical, emotional or mental harm.

Based on this, the ICO set out four key steps that universities should take to feel confident they can share someone’s data: plan ahead, have a data sharing agreement in place, invest in staff training and refer to the ICO’s data sharing resources.

Read more about this story here.

Speak to our legal experts about a data breach

If you have been the victim of a data breach, it may be possible to make a claim for compensation. This is regardless of whether you have suffered any specific harm or financial loss. If a company has negligently handled your personal data and it has been compromised, you may be able to claim substantial damages.

At Hayes Connor, we have one of the largest teams of data breach specialists in the country, with a wealth of combined experience representing a wide range of clients affected by data breaches.

Our expert team can work alongside you to help clarify whether you have a claim, how the claims process works and the level of compensation you may be able to receive.

We aim to ensure that anyone affected by a data breach is able to access the compensation they deserve, making the claims process as straightforward as it can be for our clients.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form.