UK facing an “epidemic of scams”

The Martin Lewis Money Show this week reported that the UK is currently facing an epidemic of scams, with online ads featuring high-profile individuals, including Martin Lewis himself, being used to dupe millions of pounds from the unsuspecting public.

The programme described the current climate as “the Wild West”, with scammers using increasingly complex and sophisticated means to carry out significant fraud, and highlighted that the Advertising Standards Authority (ASA) has no powers to stop this type of activity.

Kingsley Hayes, managing director at data breach and cybercrime specialist Hayes Connor Solicitors, said: “This really highlights the extent of the problem facing consumers today. The ease with which scammers can obtain public trust – and access to the public’s purse – is painfully breathtaking.

“The Authorised Push Payment (APP) Scam Code came into effect on 28th May 2019 providing individuals with greater protection. Under the code, individuals can receive a full reimbursement of authorised payments made in fraudulent circumstances.

“This is a good start; however, the APP Scam Code is voluntary, so some may find that their bank is not signed up to it and therefore they are not protected. In order to receive a full reimbursement, the affected individual also needs to show that their actions meet the code’s criteria.

“Scammers now have infinite avenues with which to target unsuspecting victims. Individuals, and businesses, need to be one step ahead at all times to prevent an incident which will inevitably be devastating.”

Hayes Connor Solicitors is a data breach and cybercrime specialist firm representing thousands of claimants with current data breach actions against British Airways, Dixons Carphone, Equifax, Marriott International, OnePlus, The Police Federation of England and Wales, TeamSport and Ticketmaster.


Pharmacy data breach results in first ever GDPR fine

A London-based pharmacy has been fined £275,000 by the Information Commissioner’s Office (ICO) for a significant data breach failure. This is the first fine issued for breaching General Data Protection Regulation (GDPR) rules.

What happened in this case?

Doorstep Dispensaree Ltd left approximately 500,000 documents in unlocked crates, disposal bags and a cardboard box at the back of its premises in Edgware. The data had been there for some time. The documents were “not secure and they were not marked as confidential waste”.

Following its investigation, the ICO accused the pharmacy – which supplies medicines to thousands of elderly care home residents – of having a “cavalier attitude to data protection”.

According to the ICO penalty notice:

“The data subjects can be very readily identified and linked to data concerning their health.

“Given the nature of Doorstep Dispensaree’s business supplying medicines to care homes, it appears likely that a high proportion of the affected data subjects are elderly or otherwise vulnerable.”

Thousands of people may have been affected

The number of people affected by the breach cannot be confirmed. However, the documents relate to around 78 care homes. The ICO has said:

“Regardless of the exact number of care homes involved, given the volume of documentation and size of Doorstep Dispensaree’s business, it appears likely that hundreds and possibly even thousands of data subjects have been affected.”

What data was put at risk in this pharmacy data breach?

The documents involved in this breach included:

  • Names
  • Addresses
  • Dates of birth
  • NHS numbers
  • Medical information
  • Prescriptions

The mishandled information was dated between June 2016 and June 2018. As well as not being appropriately secured, many of the documents were not protected against the elements. As a result, they were soaking wet.

In the UK, data must be handled in a way that protects against unauthorised or unlawful processing, accidental loss, destruction or damage. A failure to do this is an infringement of the GDPR.

Special category data

The data exposed in this privacy failure is classed as ‘special category data’. Special category data is personal data that needs more protection because it is sensitive; examples include health data and information about sexuality, religion or political beliefs.

Several conditions must be adhered to when processing special category data. It is highly unlikely (if not impossible) that any pharmacy wouldn’t know about their obligations under the UK’s data protection laws. So, it is right that the ICO has fined Doorstep Dispensaree.

What has the ICO said about this pharmacy data breach?

The ICO is the UK’s independent regulator for data protection law. Among other things, the ICO helps to uphold and protect our information rights as individuals.

When setting the fine, the ICO only considered the violation from 25 May 2018, the date the GDPR came into effect. This allowed the ICO to issue a larger fine than would have been possible under the old data protection legislation.

Commenting on its investigation into Doorstep Dispensaree, Steve Eckersley, Director of Investigations at the ICO said:

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss. This falls short of what the law expects, and it falls short of what people expect.”

The pharmacy has also been ordered to improve its data protection practices within three months. Failure to do this could result in further action.

What can you do if this data breach impacted you?

While the ICO has the power to impose hefty fines on organisations that fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty of a breach by the ICO – as in this case – you can use that finding to support a data protection compensation claim.

At Hayes Connor Solicitors, we are experts in helping people who have suffered a medical data breach, and we have the experience needed to help those affected by the Doorstep Dispensaree data breach.

Why choose Hayes Connor Solicitors?

We are an established and trusted firm that has been helping people to claim compensation for over 50 years.

Our solicitors are true specialists in data protection law. Unlike other firms, it is all we do, and we have been doing it for longer than most. As such, we lead the way when it comes to understanding the complexities involved. We are confident that our team will get the best possible result for you.

Just as important, by making sure you are fully informed at all times, we ensure a stress-free experience from start to finish.

Your data rights matter

Crucially, at Hayes Connor, we are committed to upholding your data rights. As such, you do not need to have suffered any financial loss or emotional distress to make a claim against Doorstep Dispensaree. The fact that you have suffered a privacy violation gives you the right to claim compensation.

Furthermore, claiming compensation isn’t just in your best interests; it is often the only way organisations are persuaded to take their responsibilities seriously and make the necessary improvements.

Contact Hayes Connor Solicitors today for a free, confidential assessment of your case.

If you are worried that you, or someone you love, had their data breached by Doorstep Dispensaree, contact us to talk about your experience.

If you have a reasonable chance of winning, we will act for you on a NO WIN, NO FEE basis. That means, if your compensation claim is unsuccessful, you’ll have absolutely nothing to pay. There is nothing to lose by getting in touch, and there’s never any obligation to make a claim.

CONTACT US TO FIND OUT MORE


Do you have a Yahoo email address? If so, your privacy could have been breached

If you have a Yahoo email address, you could be due data breach compensation. Here’s everything you need to know about making a Yahoo data breach claim.

What happened in the Yahoo data breach case?

Due to systemic errors in its cybersecurity systems, between 2012 and 2016, Yahoo suffered a series of system hacks by organised crime groups. In particular, in 2014, a Russian state-sponsored cyber-attack saw personal data stolen from over 500m Yahoo user accounts worldwide. Despite evidence that the firm knew about the hack soon after it happened, it did not report it until September 2016.

The hack led to users’ names, email addresses, telephone numbers, passwords and encrypted security questions and answers falling into the hands of cybercriminals.

What happened in the investigation?

Following the Yahoo data breach, the Information Commissioner’s Office (ICO) investigated the privacy violation. While people in many different countries were involved, the ICO investigation focused on UK accounts that were co-branded Sky and Yahoo, and which the London-based branch of Yahoo had responsibility for.

Following its inquiry, the ICO found that Yahoo had “failed to prevent” the hack. It condemned “inadequacies” at Yahoo that had existed for some time without being “discovered or addressed”. The investigation also found that:

  • The firm failed to ensure that its data processor complied with the appropriate data protection requirements
  • The firm failed to ensure that the credentials of employees with access to customer data were monitored
  • There was a lengthy period before the flaws which led to the breach were discovered or addressed.

As a result, the ICO imposed a £250,000 fine on Yahoo. However, this represents less than 0.4% of Yahoo UK’s 2016 gross profit.

Were you affected by the Yahoo data breach?

The Yahoo data breach affects people who had a Yahoo account between January 1, 2012 and December 31, 2016. According to the ICO, Yahoo has informed those affected.

These people can now make a compensation claim.

Crucially, you do not need to have suffered any financial loss or emotional distress to make a claim. If you have suffered a privacy violation caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation.

The data breaches at Yahoo happened because of a failure to implement reasonable and robust processes. So, Yahoo has failed to uphold your privacy rights. Furthermore, claiming compensation isn’t just in your best interests; it is often the only way organisations are persuaded to take their responsibilities seriously and make the necessary improvements.

What has happened since then?

In September 2019, Yahoo emailed its users saying it was nearing a $117.5 million settlement. This settlement would end a massive class-action lawsuit related to a series of data breaches that took place between 2012 and 2016. However, the money available is only for people who live in the US and Israel.

If you had a Yahoo account and live in the UK, what can you do?

At Hayes Connor Solicitors, we are launching a representative action claim to help UK victims of the Yahoo data breach to claim the compensation they deserve. A representative action is a type of group action.

If you are concerned that your data was treated negligently by Yahoo, contact Hayes Connor Solicitors immediately. The settlement reached in the US, and the result of the ICO’s investigation in the UK means that you could have a powerful case.

Why should you choose Hayes Connor Solicitors?

As the UK’s leading data breach law firm, we are helping people in the UK to hold Yahoo to account for its failure to protect their personal data (as it is legally obliged to do). We are doing this because we believe that your data protection rights are important. Here are some other reasons why it’s essential to use our specialist data privacy lawyers to claim Yahoo data breach compensation.

  • Hayes Connor is an established and trusted firm. Our solicitors have been helping people to claim compensation for over 50 years
  • We have been winning data protection cases longer than most other solicitors, and we are more experienced when it comes to understanding the complexities involved. A lack of understanding about data breach law can leave victims open to advice and representation below the standard expected. And this could see you lose out financially as a result
  • All too often, claims management companies are more concerned about making fast cash than helping victims. So, while they might help you get some money back for a data breach, they are less concerned about ensuring you get compensated for the long-term and often psychological effects of a breach. When you appoint us, we get you the maximum compensation possible
  • We have the legal expertise needed to take on big players such as Yahoo. In fact, our experience in data breach group actions is unmatched in the UK
  • We provide regular emails to all our Yahoo data breach clients to ensure they always know what is happening with their case.

How can you make a no-win-no-fee Yahoo data breach compensation claim?

At Hayes Connor, we always provide a free consultation to make sure we can help you. If you want to make a Yahoo data breach compensation claim with us, we can advise you on whether you have a valid claim, answer any questions you might have and go through your options with you. We will do all this without charging you a penny.

We are also providing no-win, no-fee funding arrangements for anyone who wants to join our Yahoo representative action. And there are no hidden costs or admin expenses.

If you want to join our Yahoo UK Representative Action contact Hayes Connor Solicitors immediately. There are no costs to join our group action, and there is no obligation to proceed.

START YOUR CLAIM


Just how bad were Dixons Carphone’s security processes?

Earlier this year, The Information Commissioner’s Office (ICO) fined Dixons Carphone half a million pounds for “systemic failures” in the way it safeguarded its customers’ personal data. As a result of this lack of care, an attacker was able to install malware on 5,390 cash registers at Dixons Travel and Currys PC World stores – putting at least 14 million people at risk. But you might be surprised at just how bad Dixons Carphone’s security processes were. Here’s a list of what the ICO found during its investigation into the Dixons data breach.

Dixons data breach failures

1. Dixons’ network segregation was insufficient

At the time of the incident, Dixons’ Point of Sale (POS) system was not segregated from the broader corporate network. If sufficient internal network segmentation had been in place, this could have contained the compromise to a particular section of the network. And it’s not as if Dixons wasn’t warned. The company used Microsoft operating systems for its POS systems, and guidance published by Microsoft in 2014 suggested that organisations implement a security boundary between systems.

2. There was no local firewall configured on the POS terminals

If a local firewall had been in place, this could have prevented unauthorised access to the POS system, and the illegal movement of customer data.

Dixons did have firewalls enabled and running on its wider system, and the company argued that the presence of a local firewall would not have averted this attack because the attacker had domain admin-level access and so could have reconfigured the rules. However, the ICO felt that, just because the attacker could have done this, that did not make the control any less appropriate. It argued that the hack would have been more challenging had a local firewall been in place, and this would have increased the likelihood of detection.

3. Dixons’ approach to software patching was inadequate

Evidence provided by Dixons in its defence confirmed that its POS terminals were not compliant with its own patching policy at the time of the hack.

In this case, it is suspected the attacker exploited an unpatched vulnerability. This was a known vulnerability for which Microsoft released a patch in 2014. Dixons did not fully implement this patch, which meant that the vulnerability remained exploitable for four years. During this time, the hacker was able to compromise personal data held on the POS terminals.

Also, the investigation uncovered that there were multiple instances of missing patches in some of the POS terminals.

4. Vulnerability scanning was not performed regularly

The ICO’s investigation also revealed that vulnerability scanning of the compromised environment was not performed habitually. Had this been done, Dixons should have been able to identify weaknesses in its network and fix them before it was compromised, thus preventing the Dixons data breach.

5. Dixons failed to manage application whitelisting

Whitelisting protects computers and networks from potentially harmful applications by allowing only approved software to run. However, Dixons failed to correctly manage application whitelisting across its full fleet of POS terminals. In fact, only one out of two terminals was correctly configured with application control.

In its defence, Dixons argued that the hacker would likely have been able to bypass its whitelist blocking mechanisms, even if they had been in place. However, here again, the ICO found that application whitelisting was one of a number of security measures which should have been used to prevent the Dixons data breach from succeeding.

6. Dixons did not have an effective monitoring system

The ICO found that Dixons did not have an effective method of logging and monitoring to identify and respond to incidents promptly. This failure created a security risk and may have hindered the detection and investigation of the Dixons data breach.

7. Dixons POS software was outdated

The affected hosts were running versions of Java many years out of date (eight years in the case of the Dixons POS terminal). The Commissioner believes that this placed the POS terminals at increased risk of compromise.

8. Dixons’ POS system did not support Point-to-Point Encryption (P2PE)

P2PE protects payment card data from the point of capture (e.g. when the card is read by a card payment terminal) until it reaches the secure decryption endpoint. However, while P2PE was being deployed at the time of the attack (at a high cost to the business), it wasn’t yet in place.

The ICO accepted that the cost of P2PE implementation is high, but felt that this should be weighed against the level of harm that might result from unauthorised processing of personal data. In this case, the cost of implementing P2PE was proportionate to the size of the business, the nature and volume of personal data being processed by it, and the standards of security at the time.

9. Dixons failed to effectively manage the security of its domain administrator account

In another error, according to the ICO, Dixons failed to assess the addition of user accounts to the domain administrator group, and it did not adhere to its own policies in respect of access permissions and passwords.

10. Dixons failed to implement standard builds for all system components

The ICO report states that Dixons also failed to conform to industry-standard hardening guidance, which would have seen it apply standard builds for all system components. Had this been in place, it would have reduced the likelihood of compromise.
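The ten findings above translate naturally into a fleet compliance check. The following Python is an added example, not code from the ICO notice or from Dixons: it audits a constructed inventory of POS terminals against a constructed policy covering segregation from the corporate network, a local firewall, patch age, vulnerability-scan recency, application control, log forwarding for monitoring, runtime version and a standard build (all hosts, addresses, dates and thresholds are made up).

```python
"""Check a fleet of point-of-sale (POS) terminals against the controls the
ICO said were missing: segregation, local firewall, patching, vulnerability
scanning, application control, monitoring, current runtime, standard build.

Added example; terminal records, network ranges and policy thresholds are
constructed and are not taken from the ICO notice.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed policy: what 'compliant' means for this fleet.
POLICY = {
    "pos_networks": [ip_network("10.50.0.0/16")],  # segregated POS VLAN
    "max_patch_age_days": 30,                       # own patching policy
    "max_scan_age_days": 90,                        # quarterly vuln scanning
    "min_runtime_version": (8, 0),                  # e.g. Java 8 or later
    "approved_build": "pos-std-2019.2",             # standard hardened build
}


@dataclass
class Terminal:
    name: str
    ip: str
    local_firewall: bool
    app_control: bool
    log_forwarding: bool
    last_patched: date
    last_vuln_scan: date
    runtime_version: tuple
    build: str


def check_terminal(t: Terminal, policy: dict, today: date) -> list:
    """Return the control failures for one terminal (empty if compliant)."""
    failures = []
    if not any(ip_address(t.ip) in net for net in policy["pos_networks"]):
        failures.append("not on segregated POS network")
    if not t.local_firewall:
        failures.append("local firewall disabled")
    if (today - t.last_patched).days > policy["max_patch_age_days"]:
        failures.append("patching overdue")
    if (today - t.last_vuln_scan).days > policy["max_scan_age_days"]:
        failures.append("vulnerability scan overdue")
    if not t.app_control:
        failures.append("application control not enforced")
    if not t.log_forwarding:
        failures.append("logs not forwarded for monitoring")
    if t.runtime_version < policy["min_runtime_version"]:
        failures.append("runtime version out of date")
    if t.build != policy["approved_build"]:
        failures.append("non-standard build")
    return failures


def audit_fleet(terminals, policy, today) -> dict:
    """Map terminal name -> failures; compliant terminals are omitted."""
    report = {}
    for t in terminals:
        failures = check_terminal(t, policy, today)
        if failures:
            report[t.name] = failures
    return report


def coverage(terminals, policy, today, control: str) -> float:
    """Fraction of terminals that pass one control (by failure message)."""
    passing = sum(1 for t in terminals
                  if control not in check_terminal(t, policy, today))
    return passing / len(terminals)


# Constructed inventory: one compliant terminal, one resembling the findings
# (corporate network, no firewall, stale patches, old runtime), one partial.
TODAY = date(2020, 2, 1)
FLEET = [
    Terminal("POS-001", "10.50.1.10", True, True, True,
             date(2020, 1, 15), date(2019, 12, 1), (8, 0), "pos-std-2019.2"),
    Terminal("POS-002", "10.10.4.22", False, False, False,
             date(2016, 3, 1), date(2017, 6, 1), (6, 0), "legacy-image"),
    Terminal("POS-003", "10.50.2.30", True, False, True,
             date(2020, 1, 20), date(2019, 11, 15), (8, 0), "pos-std-2019.2"),
]

if __name__ == "__main__":
    for name, failures in audit_fleet(FLEET, POLICY, TODAY).items():
        print(name, "->", "; ".join(failures))
    print("application control coverage:",
          coverage(FLEET, POLICY, TODAY, "application control not enforced"))
```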

Did Dixons Carphone get off lightly?

While the ICO’s fine of £500,000 is significant, Dixons dodged a much bigger financial penalty: had the attack happened now, the punishment would inevitably have been much higher under the new data protection regulations (GDPR). And of course, victims of the Dixons Carphone data breach won’t see a penny of that fine. That’s because, while the ICO has the power to issue fines to organisations that breach the Data Protection Act, it has no authority to compensate victims.

What’s more, despite the catalogue of security failures at Dixons, the company is contesting the findings of the ICO.

How may you have been affected?

The ICO findings show that it was not just people who made purchases with Dixons Retail Group (DRG) in the breach period that were affected.

The data stolen also included details of individuals who had either service plans or had made finance purchase enquiries before the breach occurred. DRG stored data on those transactions to include both passed and failed credit checks and over two million of those records were accessed and obtained by the hackers.

It may be, therefore, if you made or attempted to make a purchase with DRG from 2015 onwards, that your details were taken.

Making a Dixons data breach compensation claim

At Hayes Connor, we believe that it’s important that people hold the retailer to account by making a Dixons data breach compensation claim. Not least because:

  • This data breach left customers vulnerable to financial theft and identity fraud
  • The careless loss of data is likely to have caused distress to many people since the data breach left them exposed to increased risk of fraud
  • This is not the first time the company has failed to protect its customers’ data. In fact, there is a history of data negligence at the company. It’s essential to hold Dixons Carphone to account if data security is to improve.

Hayes Connor Solicitors has received a large number of queries from people concerned that their information is at the mercy of cybercriminals following the Dixons Carphone data breach.

In response, we have launched a group action register to help people claim Dixons Carphone breach compensation.

Why use Hayes Connor Solicitors to make a Dixons data breach claim?

  • We have an expert legal and cybersecurity team to help in this case. So we are confident that our team will get the results our clients deserve
  • We are collating a group action case against Dixons Carphone. A group action allows people with the same type of claim to bring it together on a collective basis to strengthen their overall position and make a big organisation take the matter seriously. This increases their chances of settlement or success in litigation
  • We are data breach and cybercrime experts. A relatively new and evolving area of law, this is all we do, and we have become a true specialist in data breach law. As such, we lead our field when it comes to understanding the complexities involved.
  • We are taking on this case on a no-win, no-fee basis
  • We have over 50 years’ experience helping our clients secure the justice they deserve
  • Our solicitors work tirelessly to ensure the best possible outcome for you
  • We can help you claim for loss of privacy, financial loss and emotional distress
  • We know that making a claim can be difficult. Particularly where your sensitive information has already been breached or another online offence made against you. So, when you work with us, we make sure you are fully protected
  • We remove the jargon from the compensation process, so you always know just what’s happening.

To become part of this group action, we need you to register with us. We can take on your claim on a no-win, no-fee basis, so you have nothing to lose.

REGISTER NOW

Business as usual on data protection post Brexit – for now

The UK has left the European Union; however, GDPR, an EU regulation, still applies during the transition period, which is due to end in December 2020.

The Information Commissioner’s Office (ICO) has advised that organisations that hold, process and share personal information should continue to adhere to their data protection obligations under GDPR.

Kingsley Hayes, managing director at data breach and cybercrime specialist Hayes Connor Solicitors, said: “It is still unknown what, if any, significant changes will be made to data protection laws after December 2020 as much depends on negotiations taking place during this year. Until then, the advice from the ICO is very much ‘watch this space’.

“It creates a lot of uncertainty for organisations, particularly those who handle and manage large volumes of confidential information. Businesses are advised to continue to ensure practices and systems comply with GDPR, which is likely to be incorporated into UK law from January 2021.

“The complexity comes in for organisations operating in Europe or those that are receiving and sharing confidential data with EU countries. Since GDPR came into effect, consumers are more aware of their data protection rights, and increasingly taking steps to seek redress if their personal information is not adequately protected.

“Regardless of what the data protection scenario may be from January 2021, consumers will rightly still expect organisations to treat their personal data in a responsible manner.”


Data breaches – should you even care?

In 2019, the ICO was still owed 42% of the total amount of fines it had handed out for data breaches, spam and nuisance calling since 2015. This demonstrates the difficulty the data protection regulator has in enforcing the punishments it hands out to companies.

Data obtained by The SMS Works via a freedom of information request found that:

  • 152 fines have been issued since 2015
  • 30% of these remain unpaid.

This unpaid amount does not include the £183m and £99m fines facing British Airways and Marriott Hotels. These are under appeal and not yet owed to the ICO.

The sheer amount of unpaid fines shows a complete lack of responsibility and care from offending organisations.

Companies are demonstrating a history of data protection failures

At the same time, it has been discovered that Marriott has suffered another data breach. On this occasion, rather than customers, it is employees who have had their privacy violated due to a third party. It is astonishing that, even in the face of a £99m fine, Marriott still doesn’t seem to be taking its data protection responsibilities seriously.

But it’s not alone.

Just a few weeks after the ICO announced plans to fine British Airways a whopping £183.93 million for its 2018 data breach, a vulnerability in the airline’s check-in procedures once again exposed passenger information.

Also, in November 2019, T-Mobile suffered a severe data breach with over a million pre-paid customers believed to be affected. But this wasn’t the first time T-Mobile had suffered a security failure. In August last year, the company admitted to a data breach which affected around two million customers.

And the list goes on.

In early 2020, Dixons Carphone Warehouse was fined £500,000 by the Information Commissioner’s Office (ICO). The Dixons Carphone data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores. The details were stolen by cybercriminals. But that breach was not the first time that the company had failed to protect its customers. The Carphone Warehouse, which merged with Dixons, was previously fined £400,000 following another cyber-attack. At that time, the huge fine was one of the biggest ever handed out by the Information Commissioner’s Office.

So, at best, we could argue that big companies are not learning from their security mistakes. At worst they just don’t care.

Is there any point in making a complaint?

Here at Hayes Connor Solicitors, we help our clients to claim compensation for breaches of their data privacy rights. And it’s a job we take very seriously. Not least because we understand the full and often traumatic effect a data breach can have on an individual. But, in light of these findings – and with breaches happening on an almost daily basis – is there any point even trying to stand up for your data privacy rights?

Absolutely!

Certainly, where there is a pattern of breaches, there are likely more significant security issues at play. In fact, we would argue that in many cases these organisations are lucky that they haven’t suffered more attacks. Because when you adopt a reactive “break-fix” approach rather than a proactive security-first approach, it’s only a matter of time before something else goes wrong.

But just because some organisations aren’t prioritising data security doesn’t mean you shouldn’t.

Cybercrime can result in financial theft, identity theft or both. And the result of either can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts. Even if you haven’t lost out financially after a data breach, this doesn’t mean that there is “no harm done.” A personal data breach is a 21st-century version of being burgled. If a criminal came into your home and stole your private information, you would be distressed. So why should you feel any less upset at having your online data taken?

Even if a privacy violation doesn’t cause you damage or distress, that doesn’t mean you shouldn’t do anything about it. Your data has value and organisations are legally obliged to look after it.

Something has to be done to make companies accountable for their data protection failures. And, in many cases, taking action against these organisations is the only way to make them improve their security processes.

Is it really their fault?

Cybercriminals are becoming more and more sophisticated. But even where a company has come under attack, this doesn’t let them off the hook. If they have done everything in their power to protect your data and have robust security processes and procedures in place, it is unlikely that they would be found guilty by the ICO.

Also, where a third party has been involved in a breach (e.g. in the Ticketmaster data breach), this doesn’t mean the company that collected your data isn’t to blame. It is their responsibility to put adequate checks and processes in place to secure vendor access. So, implicating the third party as the bad actor is both dishonest and legally neither here nor there.

The reality is that in most cases, data breaches happen because of a failure to implement reasonable and robust processes. These organisations must be made to get their houses in order. But it’s essential to get specialist legal help to tackle these offenders head-on.

If the ICO can’t do anything, what can you do?

The scale of unpaid fines begs the question of whether the ICO has the powers it needs to be fit for purpose. But that doesn’t mean there is nothing you can do. Because, while the ICO investigates and fines companies for data protection failures, it does not award compensation to victims.

That’s where we come in.

Hayes Connor Solicitors is a law firm operating in the data breach and protection sector. We help our clients to claim data breach compensation following data protection violations, GDPR breaches and other cyber offences. Our firm has established itself as the leading niche provider of legal services in this area. A relatively new and evolving area of law, this is all we do. Consequently, we have become a specialist in data protection law and data breach compensation claims. As a result, we lead our field when it comes to understanding the complexities involved.

In larger cases, we work alongside expert data protection barristers. This means you will get the very best level of legal support available.

With all the experience and expertise needed to win against even the biggest of companies, we work with you to protect your rights and hold organisations to account for their failures.


Is Ticketmaster really not to blame for its data breach?

At Hayes Connor, we have issued a claim for damages of up to £5 million against ticketing giant Ticketmaster following its 2018 data breach. This is the first high profile action to be launched on behalf of multiple claimants in the UK since GDPR came into force.

But, to date, Ticketmaster is refusing to accept any blame for the breach. Despite the fact that, almost a year after the hack:

  • 63% of all the clients we took on have suffered multiple fraudulent transactions on their payment cards
  • 31% of all clients involved in this case suffered from distress and/or psychological trauma.

Instead, Ticketmaster claims that all responsibility for the data breach rests with Inbenta – a software provider that supplied Ticketmaster with chatbot software. It is this software that was compromised in the data breach incident.

Lawyers for the event ticket sales website said that Ticketmaster “is of the belief that it is not responsible for the Potential Security Incident”. That’s despite the fact that it was Ticketmaster that put the third-party JavaScript on a payment page.

What actually happened in the Ticketmaster data breach?

Malicious hacking group Magecart was able to gain access to thousands of Ticketmaster customers’ payment details via a “customer support product hosted by Inbenta Technologies”.

This kind of attack works by tampering with code the page already loads, typically a third-party JavaScript file such as a chat widget. Once the tampered script runs on the checkout page, it runs with the same access as the page itself and can capture card numbers and other sensitive details as customers type them into the form.

However, Inbenta has refuted that it is responsible, stating that:

“Upon further investigation by both parties, it has been confirmed that the source of the data breach was a single piece of JavaScript code… Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customized script was being used this way, we would have advised against it.”

Is Ticketmaster right?

Our data protection experts don’t think so. In fact, we strongly disagree with this defence and are currently collating evidence to prove that Ticketmaster was liable for the breach.

In addition, according to RiskIQ, Ticketmaster also used SocialPlus, another company allegedly compromised by Magecart. So, while Inbenta has been identified as the entry point for this attack, at least one other third-party script carrying the skimmer had access to Ticketmaster’s websites. That indicates a failure of security controls at Ticketmaster itself, not just at a single vendor.

Indeed, where a third party has been involved in a breach (as in the Ticketmaster data breach), this doesn’t mean the company that collected your data isn’t to blame. It is that company’s responsibility to put adequate checks and processes in place to secure vendor access. So, pointing at Inbenta as the bad actor is both dishonest and legally neither here nor there.

In our expert opinion, Ticketmaster is using Inbenta as a scapegoat for this breach. And in doing so, it is trying to stop fair and right reparation being paid to its victims. But, having seen the evidence supplied by Inbenta, we are more confident than ever that Ticketmaster is guilty of severe data protection failures, and that it will be made to compensate victims.

Ticketmaster data breach group action

At Hayes Connor, we are registering people who are interested in making a compensation claim because of the Ticketmaster data breach. Once you register with us, we will be in touch to find out more about how the breach affected you.

Our first group action is ready to be heard in the High Court. But, because of the number of people affected by the Ticketmaster security breach, we are now registering people who want to join a second wave of claimants. We will then progress your claim once our first group action has been decided in court.

Crucially, you do not need to have suffered any financial loss or emotional distress to make a claim. If you have suffered a privacy violation caused by Ticketmaster’s breach of the Data Protection Act, you have a right to claim compensation.

REGISTER NOW


What does the US Yahoo data breach settlement mean for people in the UK?

In October 2019, a US class action settlement allowed Yahoo users to file a claim for compensation. Under this deal, anyone who had a Yahoo account between January 1st, 2012 and December 31st, 2016 became eligible to seek a payout from the fund. But the agreement only applies to residents of the United States or Israel. So, what does the US Yahoo data breach settlement mean for people in the UK?

Yahoo has been penalised by the ICO

In June 2018, the UK’s Information Commissioner’s Office (ICO) fined Yahoo £250,000 after investigating failures at the company. In particular, the ICO focused on a Russian state-sponsored cyber-attack which resulted in the breach of 515,121 UK Yahoo accounts.

The ICO’s investigation found that:

  • Yahoo failed to ensure that its data processor complied with the appropriate data protection requirements
  • Yahoo failed to ensure that the credentials of employees with access to customer data were monitored
  • There was a lengthy period before the flaws which led to the breach were discovered or addressed.

In short, Yahoo failed to take appropriate measures to protect the data of its customers. And these inadequacies in data security had been in place for a long time.

According to an ICO spokesperson:

“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

The watchdog imposed a £250,000 fine on Yahoo. However, this represents less than 0.4% of Yahoo UK’s 2016 gross profit. So, you could argue that Yahoo got off very lightly.

Find out more about the ICO’s investigation into the Yahoo data breach.

You can still make a UK claim against Yahoo

At Hayes Connor Solicitors we are launching a group claim to help UK victims of the Yahoo data breach to claim the compensation they deserve.

According to the ICO, Yahoo has informed those affected. If you are concerned that your data was treated negligently by Yahoo, contact Hayes Connor Solicitors immediately. The settlement reached in the US and the result of the ICO’s investigation in the UK means that you could have a very strong case.

START YOUR CLAIM

In the UK, you should join a representative action

A representative action is a type of group action. Representative actions are launched when a group of people are affected by the same issue and have experienced the same level of harm.

Representative actions tend to be used in straightforward mass data privacy scenarios. For example, where customers of a company have had their email addresses stolen and data privacy violated.

In representative actions, one member of the action will typically sue on behalf of themselves and the rest of the group. Once compensation has been agreed, each member of the representative action will receive the same amount.

One solicitor will represent all clients. A judge will decide who this solicitor is. Because of our unique experience in data breach group actions, we expect that Hayes Connor will be appointed as the representative in many future actions – including the Yahoo data breach.

If you want to join our Yahoo UK Representative Action contact Hayes Connor Solicitors immediately. There are no costs to join our group action and there is no obligation to proceed.

START YOUR CLAIM


Council data breach after worker illegally accessed records 83 times in six months

A former reablement officer has been prosecuted for accessing social care records without authorisation. In this council data breach case, Dannyelle Shaw, who worked at Walsall Metropolitan Borough Council, inappropriately accessed the social care records of 7 adults and 9 children without any business need to do so.

According to reports, Ms Shaw illegally accessed the social care database without authority 83 times between April and September 2017. One of the adults affected later found out and made a complaint.

Ms Shaw had received training in data protection and confidentiality protocols, so she knew the access was not permitted. She was dismissed by the council and then prosecuted by the Information Commissioner’s Office (ICO).

Appearing before Wolverhampton Magistrates’ Court, Ms Shaw was sentenced to a fine of £450, ordered to pay costs of £364 and a victim surcharge of £45.

A price not worth paying

Speaking about this council data breach, Hazel Padmore, head of investigations at the ICO, said:

“People whose work allows them access to what can often be highly sensitive personal information need to know that the ICO will act to protect the legal rights of data subjects.

“This is another case where someone clearly knew the importance of confidentiality and protecting people’s personal information but decided to disregard all their training for their own reasons, and ended up paying a heavy price.

“Losing your job and ending up before the courts is not a price worth paying.”

Not Just Hackers

This case should remind people that they could face criminal prosecution and fines if they access or share personal data without a legal reason.

At Hayes Connor Solicitors, we see many different types of claims and understand how data breaches can affect people in different ways.

Helping to reduce the number of data violations taking place across the UK, we are sharing such real-life examples of data protection breaches to raise awareness of this issue and educate people to prevent similar instances from happening.

For more advice on how to keep your data safe, follow the Hayes Connor #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach, find out how we can help you to recover any losses or contact us to discuss your case in more depth.


The Telegraph, 10th February 2020

Hayes Connor featured in The Telegraph following news that Chinese military hackers have been charged with the 2017 Equifax cyber attack. The malicious incident affected 15 million people in the UK with 700,000 of those having sensitive personal data stolen. Hayes Connor filed a claim in the High Court in October 2019 seeking an estimated £100 million compensation for those affected.