
421 million personal records breached in October 2019


According to cyber risk experts IT Governance, a staggering 421,103,896 data records were confirmed breached last month. Shockingly, that's considered a good month for data security as the figure only represents about 50% of the monthly average.

October was CyberSecMonth

October was CyberSecMonth. This is an annual campaign, run by the EU, which aims to raise awareness of cybersecurity threats and promote cybersecurity. It does this the same way we do at Hayes Connor - through education and the sharing of good practices.

Despite the initiative, an IT Governance blog post listing all the data breaches and cyber attacks carried out in October recorded "111 incidents, including several in which sensitive and financial information was compromised". The post also revealed that it was a "particularly bad month for the UK, with 9 confirmed breaches".

UK data breaches

The UK-specific incidents which took place in October 2019 included:

Bolton NHS Foundation Trust

A data breach at Bolton NHS Foundation Trust which saw the personal details of 425 pupils from two Greater Manchester secondary schools 'misplaced'. The privacy violation occurred when the school nursing service transferred records of children moving from primary to secondary school.

Norfolk and Norwich University Hospital

A data breach at Norfolk and Norwich University Hospital which resulted in the personal details of 11 patients being sent to the wrong address.

North Devon District Hospital

A data breach at North Devon District Hospital which saw a patient's voicemail message, containing personal patient details, becoming the hospital's answerphone message. Because the patient had provided her phone number in her message, she was subsequently inundated with calls from other patients giving details about their health problems.


A data breach at money-saving websites used by over 3.5 million people, which leaked sensitive information onto the dark web. This affected British website PouringPounds.com and Indian sister site CashKaro.com. The data exposed includes bank details, full names, mobile phone numbers, email addresses, plain-text passwords and usernames, IP addresses, and more.

Sonic Jobs

Data leaks at recruitment sites Authentic Jobs (US) and Sonic Jobs (UK) which exposed 250,000 CVs online.

Home Group

A breach at Home Group, which provides homes to people in England and Scotland. The breach - which affected 4,000 customers - involved names, addresses and contact information.

West Berkshire Council

A privacy violation at West Berkshire Council after it sent a leisure survey to 1,107 recipients who could all see each other's email addresses.


An alleged theft of data at UKIP after certain individuals were accused of stealing data from the party. In response, the party has suspended its leader and three other members.

Preston Police

A breach at Preston Police force after a receptionist illegally used her force's confidential database to help her best friend find out about relatives who had been arrested.

Organisations must do more to protect personal data

Commenting on these cases, our managing director and data protection expert Kingsley Hayes said: "Businesses who are not already taking their data protection obligations seriously must step up their data protection practices or face legal action and hefty costs."

He added: "This is particularly important as a recent Court of Appeal makes it possible for people to make a data breach claim, even if they haven't suffered financial or emotional damage as a result. If a company does not protect an individual's data in the way it is legally obliged to do, that person can claim for this data privacy failure. What's more, people can now seek compensation even if the only personal information breached was their email address."

Find out more about the recent changes.

Have you been affected by a UK data breach?

In the UK, organisations MUST tell you if they have breached your personal data. They are legally obliged to do this under the Data Protection Act.

But despite this, too often people still don't know that their data has been breached until they hear that a company has been fined by the ICO (or read about it in an article such as this one).

In such cases, it's worth finding out whether your data was put at risk. Because, if so, you may have a claim for compensation.

What can you do if you were affected by one of these data breaches?

If you have been the victim of a privacy violation due to an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. At Hayes Connor Solicitors, we've been helping people to do just that for over 50 years. So, we know what it takes to make a successful data breach compensation claim.

A data breach can result in financial theft, identity theft, or both. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

But the impact of data breaches goes much further than financial losses. Many victims go on to suffer from stress, anxiety and distress. And, according to Victim Support, the effects of crime can last for a long time. Crucially, if an organisation has failed to protect your personal data, you have a right to claim compensation, even if you haven't suffered as a result.

In most cases, data breaches happen because of a failure to implement reasonable and robust processes. So, claiming compensation isn't just in your best interests. The only way organisations will be persuaded to take their responsibilities seriously and make the necessary improvements is by hurting their bottom line.