
Credit card details hacked in Vision Direct data breach

Cybercriminals have compromised the contact information and financial details of Vision Direct customers in a recent data hack.

Both personal and financial information has been put at risk, including full name, address, phone number, email address, and password details, as well as sensitive credit card numbers, expiry dates and CVV security codes. This information could be used to carry out financial fraud and data theft, so customers are understandably worried.

Earlier this week, the UK retailer told its customers that their data was stolen in a five-day attack between 3 and 8 November. It is understood that a bogus script posing as Google Analytics had been inserted into Vision Direct’s website, letting the attackers capture details as customers entered them and bypass the company’s security defences.

Should you be worried?

The breach affects customers who logged into their Vision Direct account or updated their personal details during the period in which the hack took place. At present, 16,300 customers are thought to be at risk.

In a letter to its customers, Vision Direct has admitted that this “information could be used to conduct fraudulent transactions”.

It continues: “Vision Direct has taken steps to prevent any further data theft, the website is working normally and we are working with the authorities to investigate how this theft occurred.”

Vision Direct will contact any customers who it believes have been affected by the data breach. The company has also asked all users to review their bank statements and change their passwords on the site as soon as possible.

Is Vision Direct responsible for the data breach?

Even where cybercriminals target a business, in the eyes of the law it is still responsible for the data it holds. And, if found to be (even partially) responsible for a data breach, under the new General Data Protection Regulation (GDPR), it could be liable for millions of pounds in fines and compensation.

In this case, questions have been raised over whether Vision Direct had been storing CVV codes, since the card schemes’ PCI DSS rules do not permit a merchant to keep verification codes after a payment is authorised. A skimming script, however, captures whatever the customer types into the payment form, CVV included, regardless of what the merchant later stores, so exposure of CVVs during the five-day window does not by itself prove they were retained. If retention is established, the regulator is likely to come down hard on the business.

If you have suffered damage or distress caused by an organisation breaching its data protection responsibilities, you also have a right to claim compensation.

At Hayes Connor Solicitors, we have considerable experience helping individuals whose data has been breached and would also recommend some additional steps to keep users safe.

This includes looking out for fraudsters who attempt to gather more personal information (phishing), informing the Information Commissioner’s Office (ICO) about your concerns and reporting any suspected phishing attempts to the police and relevant authorities.

You can also check websites such as to see if your details have been compromised in a data breach.

Hayes Connor shortlisted for two Modern Law Awards

Modern Law Awards 2019

We are delighted to announce that Hayes Connor Solicitors, (part of the Forster Dean Solicitors group of companies) has been shortlisted for two Modern Law Awards.

Now in their sixth year, the Eclipse Proclaim Modern Law Awards were launched to celebrate and identify sparkling talent and success in entrepreneurship, market development, business management and best practice in the modern legal services arena. The event organisers were overwhelmed with nominations this year, receiving more submissions than ever, so it is a significant achievement to be shortlisted.

Hayes Connor has been shortlisted in two categories in the 2019 awards: Boutique Law Firm of the Year and Marketing and Communication Strategy of the Year.

Commenting on the accomplishment, Kingsley Hayes, managing director at Hayes Connor said: “Through an almost entirely online approach, Hayes Connor Solicitors has fast become one of the most recognised names in the sector when it comes to helping clients to get the support they deserve following data protection breaches, cybercrime, and other online offences.

“Indeed, over the past 12 months, we have marketed, assessed and processed all our work to a successful conclusion; establishing ourselves as a major player in this developing and niche area of law.

“As consumers, we all want a fast, efficient, no-nonsense service. And this is just as true when it comes to technically complex legal services. So this is precisely what we deliver to our clients; using new technologies as we strive to ensure continued innovation.

“We have also established our position as a thought-leader, using content to provide value to claimants. We have invested heavily in client education to demonstrate our expertise in this area. The ability to provide clear and concise information about our clients’ rights is key. The nature of the work undertaken is complex and sensitive; so consumers need to understand exactly what redress they can seek.

“While our core strategy is to inform and educate consumers on their rights, this also allows us to market our services across multiple online platforms. We are one of the very few established and well-known law firms that adopt this methodology.

“We are also working with Victim Support to help those affected by cybercrime and data breaches. The partnership sees us provide the charity with regular expertise and advice on its legal content. Together we also create resources that raise awareness of the growing threat of cybercrime and data breaches. We believe that this helps us to exceed the expectations of client care and professionalism, as ultimately, the more people are aware of the risk, the better protected everyone will be.

“Ultimately, we believe that our approach will ensure long-term business success for us, while supporting those we serve, and we are thrilled that we are being recognised for our achievements.”

The award ceremony, which showcases and sets the benchmarks for best practice in the ever diverse, challenging and exciting legal landscape takes place on Thursday 31st January in Manchester.

Starwood Guest Reservation Database Security Incident – have you had this email?

UK customers affected by the Starwood Hotels & Resorts data breach are now receiving an email from Marriott International (which owns the hotel group).

The Starwood brands affected by the data breach include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded time share properties are also affected.

The email confirms that:

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred.

“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

“Marriott reported this incident to law enforcement and continues to support their investigation. The company is also notifying regulatory authorities.

“Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

The email also sets out some steps that Marriott has taken since discovering the breach. These include:

  • Establishing a dedicated call centre to answer questions you may have about this incident. The call centre is open seven days a week, and is available in multiple languages
  • Sending emails on a rolling basis to affected guests whose email addresses are in the Starwood guest reservation database  
  • Providing guests with the opportunity to enrol in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.       

Marriott has also provided some additional security steps victims of the breach can take. These include:

  • Monitoring your SPG account for any suspicious activity
  • Changing your password regularly
  • Not using easily guessed passwords
  • Not using the same password for multiple accounts
  • Reviewing your payment card account statements for unauthorised activity
  • Immediately reporting any unauthorised activity to the bank that issued your card.
  • Being vigilant against third parties attempting to gather information by deception (“phishing”), including through links to fake websites
  • Contacting the relevant authorities if you believe you are the victim of identity theft or your personal data has been misused.

In the UK, Action Fraud is the national fraud reporting service, and is the starting point for any police investigation into your loss. UK residents should also inform the Information Commissioner’s Office (ICO).

Committed to helping victims of data breaches and cybercrime, Hayes Connor Solicitors can also help you to claim compensation following the Starwood Hotels & Resorts data breach. And we can do this on a no-win, no-fee basis. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

If you have received an email from Marriott letting you know that your details have been put at risk, get in touch. We’ll let you know if and when you can claim. You can also read our step by step guide to making a data breach claim here. 


What you need to do following the Marriott data breach

The Marriott data hack is already being called one of the most serious data breaches of its kind. So much so that two US-based law firms have already filed class action lawsuits against Marriott International.

But if you are a UK customer worried about how the hack will affect you, what should you do to protect yourself?

What happened in the Marriott data breach?

On September 8, 2018, Marriott received an alert from an internal security tool about an attempt to access its Starwood guest reservation database. The investigation that followed uncovered that cybercriminals had enjoyed access to the Starwood network since 2014.

During this time the hackers accessed, copied and removed the private data of up to around 500 million customers.

Marriott is still working with cybersecurity experts to determine the scope of the breach.

What data has been put at risk due to the Marriott data breach?

Marriott has admitted that the stolen information includes names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, guest account information, reservation dates, and more.

Worse, Marriott has said that it has not been able to rule out that payment card information has also been exposed. Card numbers in the database were encrypted with AES-128, but two components are needed to decrypt them, and Marriott admits it cannot rule out that both were taken along with the data. If the keys were kept where the attackers already had access, the encryption gave the card numbers no protection at all.

Security experts have widely criticised Marriott for its “lacklustre” response following the data breach. For example, while the company has sent out millions of emails warning of the massive data breach, the email sender’s domain “” doesn’t load, and doesn’t look like it comes from Marriott (it also has no identifying HTTPS certificate). So there is no easy way to check that the domain is real.

Should you be worried?

If you are a Marriott customer who has made a reservation at one of the affected hotels between 2014 and September 2018, then unfortunately yes.

Customers who have been affected should soon know if their data has been put at risk (if you haven’t been told already). If you are a Marriott International customer and you haven’t received an email make sure that you check your junk mail folder.

If you haven’t received an email but are still worried you should call the dedicated call centre Marriott has established to answer questions you may have about this incident. You can find out more about this here.

The theft of personal and financial information could lead to identity and financial fraud which has the potential to turn a person’s life upside down. And, as we don’t yet know what has been done with this data, or who has managed to get their hands on it, it is vital that you do everything you can to protect yourself.

What can you do to protect yourself?

Those affected by the Marriott data breach should do the following as soon as possible:

  • Inform the Information Commissioner’s Office (ICO) about your concerns. The ICO is the independent authority charged with upholding data protection rights in the UK. The ICO is currently making enquiries into the data breach. While it does not award compensation, if the ICO believes that Marriott International was negligent when looking after your data you can use this information in court to help prove your claim
  • Read our handy step-by-step guide to making a data breach claim
  • If you are worried that your banking details have been exposed, contact your bank immediately
  • Beware of fraudsters who attempt to gather personal information (phishing)
  • Report any suspected phishing attempts to the police and relevant authorities
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips. Contact Callcredit, Experian and Equifax to ensure credit isn’t taken out in your name
  • Beware of any unsolicited communications that refer you to a web page asking for personal data
  • Register with a suitable fraud prevention service
  • Change your passwords on all your accounts
  • If you are offered any form of compensation or free services it’s important to check the small print. For example, it is thought that Marriott is offering a free subscription to the Webwatcher service to monitor for evidence of customers’ details being used online. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date.

Can you claim compensation following the Marriott data breach?

If you are a Marriott International customer and you have suffered financial loss or distress because of the data breach you could be entitled to compensation. Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.

To date, Marriott has offered no monetary reparation. This is despite calls in the US for Marriott International to cover the cost of replacing passports for consumers impacted by the breach. However, even if compensation is offered, it’s vital that you are not fobbed off by a low amount.

Committed to helping victims of data breaches and cybercrime to achieve the justice they deserve, at Hayes Connor Solicitors we are now considering launching a group action to compensate UK victims of the Marriott data breach. We can take on your claim on a no-win, no-fee basis. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

If you have received an email from Marriott letting you know that your details have been put at risk, get in touch. We’ll let you know if and when you can claim. You can also read our step by step guide to making a data breach claim here. 


Claiming compensation for distress following a data breach

At Hayes Connor Solicitors, we have launched compensation claims against a number of high-profile companies that have failed to keep your personal data safe. We believe that these companies must be held to account for their failure to protect your information.

The General Data Protection Regulation (GDPR) places strict obligations on businesses to keep our data safe. And you could be entitled to compensation if an organisation fails to meet these. But did you know that you can also claim for GDPR distress as well as financial losses?

What the law says

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act (the UK’s interpretation of the GDPR), you have a right to claim compensation.

Crucially, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

When making a compensation award, the court will look at the specific circumstances of your case. This includes things like the sensitivity of the data compromised and the nature of the disclosure. However, in order to be entitled to compensation for GDPR distress you must show that you have suffered emotionally because of the breach.

A personal data breach is a 21st-century version of being burgled. If a criminal came into your home and stole your private letters you would be distressed. So why should you feel any less upset at having your online data taken; particularly when these companies gave the burglar the keys?

Why shouldn’t you seek compensation for a failure to look after your information correctly?

The emotional impact of data breaches

Some people would have us believe that claiming for GDPR distress is an overreaction. That your psychological suffering and anguish doesn’t matter. You might hear friends and family saying that, while it is acceptable to claim compensation for any financial losses, you should put up with any anxiety caused by having your information stolen.

But according to Victim Support: “The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

The sheer scale of the information we share online is enough to leave victims open to the threat of fraud. For example, with enough information, cybercriminals can steal your identity, apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

So we should all be very worried about what could happen if our data gets into the wrong hands.

What’s more, being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to “get over it” isn’t helpful.

Crucially, the law understands the damage that can be caused by worry and upset. So you are 100% within your rights to make a compensation claim.

Claiming for GDPR distress following a data breach

At Hayes Connor Solicitors, we are committed to helping those affected by data breaches and cybercrime. And, we believe that the best way to make big companies pay for their failures is to use an expert lawyer to make a data breach compensation claim.

In addition, we also work with, and refer our clients to, other organisations and partners such as Victim Support. Victim Support is the leading independent victims’ charity in England and Wales for people affected by crime and traumatic incidents; last year it offered help to nearly a million victims of crime across the UK.

If you need assistance after a data breach, there are many resources on the Victim Support website to help you cope.

Don’t let them get away with it!

Something has to be done to make companies accountable for not looking after our information correctly. Claiming compensation isn’t just in your best interests, it could be the only way to ensure that businesses everywhere implement more secure processes.

If you want more help or advice about making a claim then contact us today


Medical breaches hit the headlines

The issue of medical data breaches has hit the news again due to the actions of two medical workers.

Medical data breach due to inappropriate use of patient information

In the first case, a medical worker has been suspended from a hospital in Kilmarnock after it was alleged that he inappropriately accessed patient records and contacted some female patients using the information he stole.

With medical data breaches often having severe consequences for those affected, patients of Crosshouse Hospital in Kilmarnock may now have a claim for compensation.

It is claimed that the man used the information to contact a number of women who attended the X-ray department at Crosshouse Hospital. The breach occurred between April and September this year.

One of the women affected told BBC Scotland that she had “received a couple of messages saying ‘hello’ from an unknown number a few months ago” but that she didn’t know who the messages were from as she didn’t respond. However, she has since received a letter from the NHS, telling her about the breach.

She has said that she is “absolutely livid that someone had done this, and that it was allowed to happen”. She also says that she has “no faith in the hospital, especially with confidentiality.”

Police Scotland have confirmed they are investigating the claims and NHS Ayrshire and Arran are looking into the breach.

Commenting on the alleged incident, a spokeswoman for the hospital said: “NHS Ayrshire & Arran has been made aware of a member of staff inappropriately accessing patient records. This individual is currently excluded from work.

“We are currently investigating and are contacting a number of patients to ascertain the extent of this breach. We wish to apologise to anyone affected by this. We take patient confidentiality extremely seriously and will ensure a full investigation is conducted.

“We are working closely with Police Scotland and the Information Commissioner’s Office (ICO). As this is an ongoing police investigation, we are not able to confirm any further details.”

Medical data breach due to employee reading patient information without consent

In the second case, the ICO has fined a former GP surgery secretary for reading the medical records of 231 patients without any good reason or consent.

The former trainee secretary has admitted unlawfully reading the records of patients of Fakenham Medical Practice in Norfolk for two years; despite having been trained in the legal and ethical requirements for patient confidentiality.

An investigation into the data breach by the surgery found that the woman had accessed the records of colleagues and their families, her own relatives, friends and acquaintances and members of the public.

Due to breaching the Data Protection Act the woman was fined £350 and was also ordered to pay costs of £643.75 and a victim surcharge of £35.

What are we seeing?

At Hayes Connor, we have noticed an increase in enquiries from clients who have been the victim of a health care data breach. Worryingly, while these breaches are avoidable, the health authorities and their legal advisers do not understand the considerable distress and harm caused by such violations.

In our experience, in three out of five cases the data breach causes psychological trauma that requires the victim to undergo treatment such as counselling. What’s more, in two out of five cases there is a significant knock-on effect which results in family members also becoming affected.

What can you do?

The healthcare sector handles some of our most sensitive personal data, and, as patients, we have the right to expect this will be looked after. However, all too often this isn’t the case. The UK health sector accounts for nearly half of all data breaches, with the number of incidents rising year-on-year.

Where a breach occurs, the ICO can respond with actions such as financial penalties and prosecutions.

Furthermore, if you have suffered damage or distress caused by this, or any other medical or other healthcare organisation breaching any part of the Data Protection Act, you have a right to claim compensation.

At Hayes Connor Solicitors we have extensive experience in this area and are currently working on another case in which a data breach occurred due to a third-party accessing medical records.

If you are in any way concerned that your data has been breached you should let the ICO know. You can report a personal data breach here.


High street stores and personal data: know your rights

Most of us have been there. We’re in a shop, just about to pay for our purchases, or sort a refund, when the assistant asks for “a few details”; usually our full name, our home address, and our email. Even if we’re only buying a pair of shoes, or returning a scented candle, many of us will hand over this information without understanding why it is needed.

For some, it’s about not making a scene. The assistant is friendly, and they appear to be in no doubt as to why they are asking for our personal information. Also, there’s often a growing queue of people who aren’t going to be happy with a customer kicking up a fuss and holding up the line. So, what should you do?

What should you do if a store asks for your personal information?

Put simply; the shop doesn’t NEED your details. Even television retailers, who previously had to request these to send to TV Licensing when they sold or rented out equipment, no longer require this info from you.

And with stringent data protection laws now in place following the introduction of the General Data Protection Regulation (GDPR), you are entirely within your rights not to hand this over.

Do shops need personal data for a refund?

If you’ve challenged why the shop needs this information, you might have been met with a vague response; “to process the return”, “for our records”… that sort of thing. However, we all have a statutory right to return faulty goods and, should you wish to change your mind about a purchase you simply need to do two things:

  • Keep hold of the receipt
  • Check out the shop’s returns policy before you buy.

Unless the return policy states explicitly that you have to hand over this information (and most of them don’t), then they cannot force you to. If the policy does state that it needs your personal information, you should still query why with a manager as this is not a legal obligation.

Why do retailers want this information?

Stores use your details for different purposes, most often for security, for marketing, and to improve the customer experience. You might like the shop retaining information about your shopping habits to help improve their service to you. For example, if you buy a particular shade of lipstick but can never remember the name, with access to the right info the shop assistant can find out that your preferred shade is ‘Frosted Pink.’ Also, most of us like it when we are offered discounts on our favourite buys.

That’s fine. It’s your choice. But even if you are happy with this, to protect your sensitive information, you should still care about how your personal details are stored.

What are retailers allowed to do with your information?

Any personal data we provide (e.g. email addresses collected at the point of sale) is protected by UK data protection regulations. This means that it must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

For example, if an email address is given so that you can receive an e-receipt, then your data can only be used for this specific purpose. There is no issue with a shop offering an e-receipt, but if your email address is then used to send you marketing emails without your consent they might also be breaching electronic marketing rules. You also do not have to give your email details to a retailer, and you can ask to receive your receipt in the normal way.

If a shop does want your data to market to you, then they must make it clear that this is why they are asking for your information, and you have to give your consent before they can do this.

How is your data protected?

With more and more shops using computers to store and process personal information, the Data Protection Act (the UK’s interpretation of the GDPR) sets out how it can be used; and how it can’t. The basic things you need to know are that:

  • Your personal data should be processed fairly and lawfully
  • It must be obtained only for a specified reason and can’t be handled in a way that is incompatible with that purpose
  • The information held must be adequate, relevant and not excessive when compared with the purpose for which it is to be used
  • It must be accurate and, where necessary, kept up to date
  • It must not be kept for longer than is necessary for the intended purpose
  • It must be processed in accordance with the Data Protection Act. This means that it must be kept safe and secure, and that appropriate measures will be taken against unauthorised or unlawful processing of this information, as well as against accidental loss, destruction, or damage. So, businesses must keep the information backed up and away from any unauthorised access
  • No company can sell or give away your information without your explicit consent.

You can find out more about these principles on the Information Commissioner’s Office (ICO) website.

What should you do if asked to hand over your details?

In most cases, we trust these retailers. Why wouldn’t we? They are high street shops, with familiar names, big shiny signs above their windows and friendly authoritative staff. So, it can be easy to assume that they wouldn’t ask us for our address if they weren’t allowed to do so. We also trust them to hold our information safely once given.

However, in 2018, high street chemist Superdrug was held to ransom by hackers. The cybercriminals contacted Superdrug claiming to have accessed the details of 20,000 customers.

The compromised data included names, addresses, dates of birth, phone numbers, and point balances. And, while no bank or payment card details were believed to have been accessed, the information stolen is already enough to cause severe distress to those affected. And this is just one example of a high street retailer being hit by a data breach.

Today’s cybercriminals don’t just care about our financial details. They can also cause havoc with our personally identifiable information. In fact, with enough data, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

So, should you hand over your details? Well, as with most things, you have a choice. A choice to ask questions, and a choice to exercise your own free will based on the answers that are provided to you.

While we have previously been content to hand out our personal information, with a huge jump in cyber fraud, it’s perhaps no wonder that consumer confidence is now lacking, and that data breach claims are on the rise.

Can you make a data breach compensation claim?

When a breach happens, it’s vital that the Information Commissioner’s Office (ICO) investigates. If the company is found responsible, the ICO will then issue a fine.

However, such fines are little compensation for victims who have suffered financial loss and/or stress due to an organisation’s negligence. So, while the ICO does not award data breach compensation, our data breach solicitors can help you with that.

At Hayes Connor Solicitors, we’ve been helping people to get the compensation they deserve for over 50 years, so we know what it takes to make a successful data breach claim.

Data breaches often have severe consequences for those affected, and you could be entitled to thousands of pounds in compensation depending on your circumstances. And, because we offer no-win, no-fee funding arrangements, you have nothing to lose.


Uber fined £385,000 for data breach

Uber has been fined £385,000 by the Information Commissioner’s Office (ICO) after a hack at the company resulted in the theft of personal information of almost three million users and 82,000 drivers in the UK.

The data protection regulator has criticised the company for its failure to alert these victims about the hack.

What happened in this case?

In November 2016, hackers managed to access Uber’s cloud servers and downloaded a number of files. This included the records of 35 million users and 3.7 million drivers worldwide. Passengers’ full names, phone numbers, and email addresses were all accessed.

Instead of reporting it, Uber hid evidence of the theft and paid a ransom to ensure the data wouldn’t be misused.

What was the result of the investigation?

Following an investigation into the breach, the ICO has said that a series of avoidable data security flaws allowed the personal details to be put at risk. The ICO also found that the situation was made worse by Uber US’s decision to not disclose the attack. None of the people whose personal data was compromised was notified of the breach at the time, and the company only began monitoring accounts for fraud 12 months later.

ICO Director of Investigations Steve Eckersley said: “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

While it is only right that Uber has been fined for the breach, there is less good news for any customers who were hoping to seek compensation.

Uber’s European branches were also not informed about the hack, and there was no legal duty to report data breaches under the old legislation. However, the ICO has said that paying the attackers and then keeping quiet about it was not an appropriate response to the cyber-attack.

The 2016 breach occurred under previous data protection legislation which has a maximum financial penalty of £500,000. Under the GDPR, the potential fine would be much higher.

If you have been the victim of a data breach, you can contact us about your case today.

Amazon data breach – what do you need to know?

Amazon customers have had their names and email addresses put at risk in the latest high-profile data breach. The personal information was divulged on the online retailer’s website just two days before multi-billion pound shopping day Black Friday.

As yet, Amazon has not confirmed how many people have been affected or where they are based.

What caused the Amazon data breach?

Rather than being caused by a cyber-attack, the online retail giant has said that the data breach occurred because of a technical problem.

Neither its website nor any of its systems are thought to have been breached. Furthermore, according to Amazon, it has informed customers who may have been put at risk and the issue has now been fixed.

However, as yet, there’s no information about who was able to access the compromised data.

What should you do if you are worried about the Amazon data breach?

Amazon claims that there is no need for worried customers to change their passwords. In an email to affected customers Amazon said:

“Our website inadvertently disclosed your email address or name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action. The impacted customers have been contacted.”

It added: “Amazon takes all security-related matters very seriously and your account security is our top priority. We have policies and security measures in place to ensure that your personal information remains secure.”

However, cybersecurity experts dispute this advice and are advising customers to change their passwords on Amazon, and on any other accounts that use the same password.

Richard Walters, chief technical officer of cybersecurity firm CensorNet, said: “If the reports are correct, the information leaked – names and email addresses – is less significant than some of these other breaches, which saw card details leaked”.

However, it would be wrong to assume that this makes the breach inconsequential. Cyber-criminals can do a lot of damage with a large database of names and emails.

“A large majority of people still use predictable passwords, and thanks to previous high-profile breaches many people’s passwords are also readily available on the dark web. For cyber-criminals, it then just becomes an exercise in joining the dots.”

Certainly, cybercriminals can do plenty of damage with this information, and at Hayes Connor Solicitors we would strongly advise you to change your password ASAP and set up two-factor authentication on your Amazon account if you haven’t done so already. You should also look out for an increase in spam or phishing emails.

What happens next?

The Information Commissioner’s Office (ICO) – which has the power to impose hefty fines on organisations who fail to meet the requirements of the Data Protection Act – is aware of the situation.

If Amazon has put your data at risk, we would advise you to contact them and ask them to assess what happened. If the ICO finds Amazon guilty of breaking data protection regulations, you can then use this information to support a data protection compensation claim.

Amazon data breach group action

At Hayes Connor Solicitors, we are now considering launching a no-win, no-fee group action to compensate victims of the Amazon data breach.


To become part of this group action, we need you to register with us. This guarantees that you will form part of the compensation claims that will be lodged by us.

How to make a subject access request following a data breach

Under the UK’s data protection legislation, you have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR).

You can also ask whether your data is being shared with anyone else (and if so, why and how), how long the company plans to store your data and the reasons for that decision, and where your data came from.

Do you have to pay to make a subject access request?

A copy of your personal data should be provided free, although if you ask for extra copies, or if you ask for information that is ‘manifestly unfounded or excessive’, the organisation might charge a reasonable fee for administrative costs.

When can you make a subject access request?

You can make a subject access request at any time. For example, you can make a SAR if you want to find out if information is being held about you and how it is being used. In addition, at Hayes Connor Solicitors, many of our clients make SARs to start the compensation claim process following a data breach.

How do you make a subject access request?

If you decide that you want to make a SAR, here are the steps you should take:

  1. Identify where to send your request. Under the GDPR this information should be available on an organisation’s website (check the privacy policy usually found in the footer)
  2. Decide what data you want access to. Do you want everything a company holds about you, or just a particular piece of information? It could take longer for an organisation to supply everything they have about you, so if you only need certain data and you want this quickly, it makes sense to be specific. For example, you could just ask for a copy of any emails between you and the company between particular dates
  3. Make your request directly to the organisation, stating clearly what you want. You can make a SAR in writing, in person or over the phone. At Hayes Connor Solicitors we always recommend that our clients put their requests in writing as this provides a clear evidence trail if we need this at a later date
  4. When making a SAR, you should also include your name and contact details as well as any account or reference numbers
  5. You should also specify what format you want the data in. Most companies will do this electronically, but if you need it in another format, you can ask if this is possible
  6. Keep a copy of your request as well as any proof of postage or delivery.

How long does an organisation have to respond to a subject access request?

Data protection law requires organisations to respond to a request for data within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this. The organisation must let you know within one month if it needs more time and why. If the requested information is not provided within the timeframe, you can raise a complaint with the Information Commissioner’s Office.

Can an organisation refuse a subject access request?

While you can make more than one SAR, the organisation can refuse a request if they believe it to be ‘manifestly unfounded or excessive’.

Depending on the circumstances, they may also refuse a SAR if your data includes information about another individual. Again, if you think your request has been rejected unjustly, you can raise a complaint with the organisation in question, and if you remain dissatisfied, the Information Commissioner’s Office.

At Hayes Connor Solicitors we are committed to upholding the data protection rights of our clients. With over 50 years’ experience helping our clients secure the justice they deserve, our solicitors work tirelessly to ensure the best possible outcome for you, both in terms of damages achieved and service delivered.