cybercrime claims

Cybercrime losses up 24% in just six months

According to the police, £34.6 million was reported stolen from UK victims of cybercrime between April and September 2018. That’s a whopping 24% increase on the previous six months.

What do the latest statistics reveal?

  • More than £190,000 a day is lost in the UK by victims of cybercrime
  • Over a third of the victims affected had either their social media or email accounts hacked
  • People hacked via their social media and email accounts lost a total of £14.8 million
  • 13,357 people in the UK reported cybercrimes over six months.

According to a police spokesperson, cybercriminals were targeting people’s social media accounts “in a bid to make money and steal personal details”. This could leave victims “at risk of identity theft”.

The City of London Police, which runs Action Fraud, has warned people to:

  • Keep separate passwords for each of their online accounts
  • Make sure that they use the latest software and app updates
  • Be suspicious of unsolicited requests for personal or financial information (phishing)
  • Never call numbers or follow links provided in unsolicited texts or emails.

What is Action Fraud?

Action Fraud is the UK’s national reporting centre for fraud and cybercrime[1]. Victims of online offences such as scams and financial/identity fraud should contact Action Fraud to report their loss. You can do this online or via telephone. For any other form of cybercrime such as online stalking, harassment, or fears about sexual grooming, you should contact the police directly.

What else is Action Fraud saying?

In addition to the six-monthly figures, reports on Action Fraud’s website also warn us that:

  • A staggering £50,766,602 was lost to romance fraud in 2018 with an average of £11,145 per victim and a 27% increase on the previous year. Action Fraud is warning people to be aware of romance scams in the run-up to Valentine’s Day
  • Fraudsters are targeting the growing over 55 population because they are more likely to have money to invest. Traditionally scammers cold-call but contact can also come from online sources (e.g. email or social media)
  • Fraudsters are sending the public fake TV licensing emails to steal their personal and financial information.

What can happen if you are scammed?

Cybercrime can result in both financial and/or identity theft. And, with enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

We all worry about what could happen if scammers get access to our bank accounts. But the impact of data breaches goes much further than financial losses.

According to Victim Support, the effects of crime can last for a long time. We’ve seen cases where experiencing a data breach has resulted in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury.

How to protect yourself from cybercriminals

In addition to the advice provided by Action Fraud, here are a few additional steps to help protect your personal information:

  • If you are worried that your financial details have been exposed, contact your bank/credit card provider immediately and ask them to keep a close eye on your account and request a new card
  • Report any suspected phishing attempts to the police and relevant authorities (Action Fraud)
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips (register for updates)
  • Let the credit reference agencies know of any activity that was not down to you
  • Register with the Cifas protective registration service. This will slow down credit applications made in your name with additional verification checks made to ascertain that the applicant is actually you
  • Register with a suitable fraud prevention service
  • Regularly change your passwords on all your accounts (you might want to use a password security tool to help you to do this).

 

Leading by example

At Hayes Connor, we want to stop cybercriminals in their tracks. To do this, we are helping to raise awareness of this issue and educating people to prevent similar crimes from happening.

For more advice on how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

[1] England, Wales and Northern Ireland

data breach solicitors

What can happen when medical information falls into the wrong hands?

The world is rapidly going digital. And, this online information revolution has seen most organisations move away from paper record keeping. However, over the last few years, such information has proved a lucrative target for hackers.

But, when it comes to information falling into the wrong hands, in most cases, it is human error rather than cybercrime that is the biggest cause of data breaches. And, these errors are just as likely to happen offline.

In a recent case, our solicitors saw the impact of what can happen when sensitive medical information was sent to the wrong address by mistake.

What happened in this case?

In this data breach, HM Courts & Tribunals Service (HMCTS) sent a copy of a confidential medical report to a person’s former partner by mistake. The report from a doctor said that the man (our client) was depressed and suicidal.

Once our client’s ex read the report – a document that she should never have had access to – she used its contents in an application to reduce his contact with his children. This application was successful (the court was not aware how this information was obtained).

As a direct result of the admin error, this data breach has had a devastating impact on our client. Having reduced contact with his children has caused him considerable distress and upset as well as aggravating his mental health problems. So, in this case, the consequences have been particularly severe.

What can you do to stop this from happening to you?

When handing over your postal address to an organisation, it is vital that you check that these details have been taken down correctly.  You are completely within your rights to ask for a copy of the data an organisation holds about you. This is called making a subject access request (SAR). This won’t guarantee that an error doesn’t result in information going to the wrong address, but it is a good safety precaution to take. Find out more about making a SAR.

You should also ask any organisation that has access to your medical records about what type of information they share and with whom.

You can also choose not to have your medical information shared or used for any purpose beyond providing your own treatment or care. This choice is known as a national data opt-out. Find out more about the national data opt-out.

Of course, there may be instances (as in this case) where you need or want to share this information. Likewise, your confidential patient information may still be used when there is a legal requirement to provide it.

Lessons learned

The duty of confidentiality goes beyond undertaking not to divulge confidential information; it includes a responsibility to make sure that written patient information is kept securely.

If you are an employee of a medical organisation or a government agency or department and you want to make sure that you don’t make a similar mistake, talk to your employer about any processes that can be put in place to make sure that the addresses of your customers are correct. This is especially important if you deal with sensitive information such as medical reports. Such steps could include things like additional data protection training, and checks and balances on systems generating correspondence.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

data breach claims

The impact of data breaches is often felt months after the initial violation

A data breach can result in both financial and/or identity theft. And the result of either of these can be devastating. Not least because, with enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

In response, at Hayes Connor Solicitors, we help our clients to make compensation claims after their data has been put at risk by the organisations they trust to look after it.

Dealing with hundreds of different types of data breach cases, one thing that has become apparent to our solicitors is that the full impact is often not felt until months after the initial violation.

What are we seeing?

Over the last six months, we have received more than 2,500 enquiries from customers who have suffered as a direct result of a data breach. These cases saw breaches of personal, financial and sensitive data. But it is becoming increasingly clear that the impact and losses people sustain following a data breach are not always immediately obvious.

Indeed, at Hayes Connor, we have seen cases where the financial losses only start to occur three to six months later. This is often because data stolen is used in batches over time.

For example, some nine months after the Ticketmaster data breach, we have discovered that:

  • 63% of all the clients we took on have suffered multiple fraudulent transactions on their payment cards
  • 31% of all clients involved in this case suffered from distress and/or psychological trauma as a result of having their card details stolen and used in fraudulent activity.

Not just financial

We all worry about what could happen if scammers get access to our bank accounts. But the impact of data breaches goes much further than financial losses.

According to Victim Support, the effects of crime can last for a long time. We’ve seen cases where experiencing a data breach has resulted in adverse life events such as having to move house or area, losing a job, relationship stress and separation, and dislocation from friends and family. All of which can lead to a diagnosable psychological injury. And, like financial losses, this is often happening months after the initial breach was revealed.

With major breaches now occurring weekly, we expect this situation to escalate. As such, more must be done to protect customers following a data breach – and this cannot be a short-term fix.

Leading by example

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of this issue and educating people and businesses to prevent similar mistakes from happening.

Ways to check if someone has stolen your identity include:

  • Checking your credit record to see if there are any searches that you don’t recognise
  • Keeping an eye on your bank and credit card statements to see if there is anything you don’t recognise
  • Making sure you read your credit card statements and other letters that come from your bank.

For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

data breach compensation

How has the British Airways data breach hurt passengers?

At Hayes Connor Solicitors, we’re helping victims of the British Airways data breach to claim compensation after their personal information was put at risk by the airline. An organisation they trusted to look after it.

But all too often, we hear accusations that the people trying to recover from the BA data breach are “trying to get something for nothing”.

However, data privacy breaches can have a severe and often lasting impact on those affected. As such, we believe it is vital that organisations like BA are held to account for their failure to protect our personal information.

Brand loyalty is all well and good, but it’s vital that we don’t put the needs of big companies above the rights of customers.

Here’s why we believe it’s essential that people are able to hold businesses like BA to account.

The financial impact of cybercrime can be very harmful

Cybercrime can result in financial fraud and identity theft. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

Despite claims from BA that it had not received reports of fraud resulting from the attack on its systems, in November last year it was reported that Russian hackers might have made millions selling credit card details stolen from BA customers.

And, even if nothing has been done with that information as yet, it doesn’t mean the stolen data is safe.

Working exclusively on data breach and cybercrime cases, it has become clear to our solicitors that the impact and losses people sustain following a data privacy violation are not always immediately apparent. Indeed, in the Ticketmaster data breach, we are starting to see cases where the impact only became clear months later. This is often because data stolen is used in batches over time.

To date, 63% of all the clients we took on in the Ticketmaster data breach case suffered multiple fraudulent transactions on their payment cards.

So, as yet it’s impossible to say how many people have been impacted by the BA data breach, and to what extent.

Certainly, according to an article in The Metro, at least one BA customer is reported to have suffered fraudulent activity on their credit card, which was used to book a BA flight during the time the data was at risk.

Your mental health matters

Even if you haven’t lost out financially after a data breach, this doesn’t mean that there is “no harm done.”

Being the victim of a crime can have a sizable and lasting impact on you mentally and physically. Everyone copes differently, but for some the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. Some data breach victims become paranoid and oversensitive about their personal privacy and can go on to develop depression.

Thankfully, over the last few years, people are waking up to the reality of mental health, and there is a greater awareness about the lasting effects of physiological suffering and anguish.

For example, following last year’s Ticketmaster data breach, 31% of all our clients involved in this case suffered from distress and/or psychological trauma as a result of having their card details stolen. And, like the financial losses, often the full impact wasn’t felt until much later.

“The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

Victim Support

Despite this, the emotional impact of data breaches is still not being taken seriously by those organisations we trust to look after our sensitive information. And we believe this to be true in this case.

Following the BA data breach, the airline said that compensation claims would be discussed on an ‘individual basis’. However, it is not up to the airline to dictate the terms of any compensation payments. And it is certainly not clear how (or indeed if) BA intended to evaluate the emotional impact the data breach had on its customers.

“As a result of increased volumes of data breach incidents, lawyers and experts are using their respective skills to assess the psychological and social consequences, symptoms and ‘injuries’ in reliable and valid ways. Structured interviewing, psychometric assessment and perusal of medical and occupational records are all part of this process”.

Professor Hugh C. H. Koch, visiting professor in law and psychology at Birmingham City University School of Law and clinical psychologist

Loyalty works both ways

Should a data breach happen, we would expect the organisation in question to do everything in its power to keep its customers safe and prevent further damage. But this doesn’t seem to be the case following the BA data breach.

Some customers have complained that they have not been contacted by British Airways about the data breach, despite having seen fraudulent activity on their payment cards. Others have complained about BA advising customers to go to their bank for advice, rather than issuing its own instructions to help travellers stay protected.

 Speaking to The Telegraph, one BA customer said: “I saw the tweet, that was the first I knew of it.” He added: “I’ve not heard anything from them on this and I’ve just had to cancel the card I used. They’re a shambles.”

Another customer said she had been left vulnerable after being forced to cancel her bank card while travelling alone in the middle of Vietnam. She tweeted that she was “furious” with the airline and that she only found out about the data breach from the news, before BA had the decency to tell her that she was likely affected.

She went on to tweet: “All companies have problems, some of them will affect their customers. That is a simple fact of business. How the company reacts, communicates & cares, is everything.

“British Airways are failing badly on this. I can’t even get a team manager in their call centre to call me.”

 While another BA customer told the BBC: “I have six cards linked to my BA account. I have no idea how much of my data information has been stolen. I will have to go to each of my credit card providers, cancel the cards, and all the direct debits, etc., related to those cards. This will take a long time, something I have to do with no help from BA”.

 Make a British Airways compensation claim with Hayes Connor Solicitors

At Hayes Connor, we want to reduce the number of data violations taking place across the UK.

To do this, we are helping to raise awareness of data breaches and cybercrime, and educating people and businesses to prevent similar infringements from happening. For more advice on how to keep your data safe, follow us on Twitter and Facebook.

But, where a breach has already occurred, it’s vital that you can recover your losses. We could be talking about one of the most severe data breach cases to hit the UK, so it’s critical that people can get the help they need.

To join our British Airways data breach group action compensation claim, you will need to register with us. We’ll let you know what is happening in this case and if and when you can make a BA data breach compensation claim.


notjusthackers

Woman threatened after her gym shared her home address with another customer

Data breaches are never out of the news. But while most of us worry about getting our identity or money stolen after a hack, we don’t tend to consider the possibility of physical threats. But, in a recent case, our solicitors saw the impact of what can happen when a woman’s address was handed to an angry customer by mistake.

What happened in this case?

In this data breach, a gym provided a woman’s personal details (our client) to another customer who shared her name.

This other person had received emails from the gym intended for our client. The emails were sent chasing missed payments. Confused as to why she was receiving the emails, the other woman became concerned that she had become the victim of identity theft. And, when she questioned the outstanding payments with the gym, a member of staff supplied her with our client’s home address.

Following this, the woman’s father went to our client’s home and banged on her door, accusing her of attempting to “clone” his daughter’s identity. Our client was at home with her two young children, one of whom is disabled, and she found this experience both frightening and upsetting. She then contacted the gym to find out what was going on and received an apology for the mix-up.

However, the other woman’s father still did not understand that our client was not at fault. And, when our client returned from holiday, she received three letters from him, all of which contained threats. As a result, she reported the incident to the Police and Action Fraud.

It seems that, despite becoming aware of the situation, the gym continued to send emails to the wrong woman demanding payment. These emails also disclosed some of our client’s bank card number.

As a direct result of poor systems, and a failure to cross-reference their systems to identify distinguishing features between both customers, this data breach has caused our client considerable distress, upset and even fear. As such, the consequences of the error were particularly upsetting.

Have you been in a similar situation? Contact us today.

What can you do to stop this from happening to you?

There are a few lessons that can be learned from this case. For example, when handing over your email address to an organisation, it is vital that you check that these details have been taken down correctly.

You are completely within your rights to ask for a copy of the data a business (or any other organisation) holds about you. This is called making a subject access request (SAR). Find out more about making a SAR.

Of course, this won’t guarantee that an error doesn’t result in an email going to the wrong address, but it is still a good safety precaution to take.

What’s more, if you do find yourself in a similar situation to our client, like her you should report the incident to the Police and Action Fraud. Action Fraud is the UK’s national reporting centre for fraud and cybercrime in England, Wales and Northern Ireland.

Find out more about Action Fraud here.

Alternatively, if you are an employee of a gym or any other business and you want to make sure that you don’t make a similar mistake, talk to your employer about any processes that can be put in place to make sure that the information you hold on your customers is correct. Such steps could include things like additional data protection training, and checks and balances on systems generating correspondence.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

cyber hack

York council app hacked. What to do if you have been affected

According to reports, almost 6,000 people could have had their data breached after a City of York Council app was hacked.

In a letter sent to those potentially affected by the latest data breach, the council states that it has been contacted by a hacker who claims that they have found a way to access the personal data of residents using the One Planet York app. The app allows users to check their bin collection dates, and other information regarding recycling.

The compromised data includes phone numbers, encrypted passwords and addresses. It is not yet clear what the hacker has done with, or plans to do with, the data. However, it has been suggested that the hacker could be someone who looks for data vulnerabilities in the public interest. This is because those responsible have not yet requested anything in return for the personal data.

The letter from the City of York Council says: “We value your privacy and deeply regret this incident occurred. We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward.

“We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device.

“We cannot say for certain what the third party responsible has done with the data.”

The incident has been reported to North Yorkshire Police.

App users have been advised to delete the app and change their passwords. However, at Hayes Connor Solicitors, we have considerable experience helping individuals whose data has been breached and would also recommend some additional steps to keep users safe.

This includes contacting your bank and credit card providers immediately if you suspect your financial data may be compromised and looking out for fraudsters who attempt to gather more personal information (phishing).

Furthermore, we would always recommend that you inform the Information Commissioner’s Office (ICO) about your concerns. The ICO is the body which undertakes investigations on behalf of individuals into suspected data breaches. You should also report any suspected phishing attempts to the police and relevant authorities. Also, if you need support following the data breach, Victim Support is on hand to help you.

Find out more about our partnership with Victim Support.

The public sector is privy to a wide range of our sensitive information and this data is regularly shared between organisations as part of modern governance and the delivery of public services. And, if you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation.

But, at Hayes Connor, we don’t just focus on compensation. In today’s digital world, your personal data is a valuable commodity. So, we want to do all we can to keep you, and your sensitive information as safe as possible.

 

cybercrime

Five cybersecurity trends to watch in 2019

Scrutinising the cybersecurity landscape, here are some of the key trends you can expect in 2019.

  1. Cybersecurity is now a threat to every organisation

Cybersecurity has been brought into the mainstream. Modern criminals are no longer content with targeting banks and other financial institutions. Instead, they are affecting all kinds of organisations from hospitals to law firms, local authorities to businesses.

Common threats include ransomware, phishing and malware.

You can check out the latest data security incidents by sector on the ICO’s website.

  2. Hefty fines are coming

Since the introduction of the GDPR, the ICO has taken a proactive stance when it comes to commenting on large-scale breaches. But, as yet it is still focused on supporting organisations to take appropriate action in the immediate aftermath of any privacy violation. And helping to prevent breaches from happening in the first place.

So, we haven’t yet seen the enormous fines promised for those that don’t look after our data properly. But you can be sure they are coming. And, according to data protection lawyers, the Ticketmaster data breach could be a real test to see if the legislation will hold companies to account.

  3. Methods of attack are becoming increasingly more sophisticated

While the majority of attackers are still going after easy “low-hanging fruit” there are signs that cybercriminals are becoming increasingly sophisticated.

For example, last year two friends were jailed after breaching the TalkTalk website in 2015 as part of a group of hackers. During the raid, the pair managed to get away with the names, addresses and dates of birth of 1.6 million customers, before sharing much of the data online. And while TalkTalk was fined £400,000 by the Information Commissioner’s Office (ICO) for not appropriately securing the data, the “significant, sophisticated systematic hack” is thought to be one of the biggest data breaches in history.

AI-assisted imposters are also set to become an increased threat. With machine-learning helping to make existing cyber-attack efforts like identity theft, denial-of-service attacks and password cracking faster, more formidable, and more effective.

Furthermore, as we move deeper and deeper into the Internet of Things (IoT), more and more devices and data are going to be connected to the internet. Keeping these safe from hackers is going to be an ongoing challenge.

  4. The law is still evolving when it comes to data protection

In 2019, it is much easier to bring compensation claims for distress, rather than as an add-on to a financial loss claim. What’s more, the courts are looking at a wider range of factors when deciding on appropriate compensation.

There is also more emphasis on the relationship between privacy rights and data protection from a legal perspective. This is good news for individuals as it means they can start a claim based on more than one ground (i.e. for the misuse of private information and for breach of data protection obligations).

  5. Cybersecurity is now political

We’ve all read about how Facebook was allegedly used to corrupt our democratic process following the Cambridge Analytica scandal. With questions raised over whether our data was used to influence the outcome of the Brexit referendum.

What’s more, a recent parliamentary committee warned that our critical national infrastructure is at risk from cyber attackers. And the National Cyber Security Centre (NCSC) cautioned that hostile states are likely to target British infrastructure.

For example, experts are predicting that smart energy meters could leave householders vulnerable to cyber-attacks and higher bills. Perhaps even more concerning, in March 2018 the National Grid was put on alert amid fears of a Russian cyber-attack, and given advice on how to boost its defences to prevent power cuts and avoid a catastrophic attack.

Awareness is crucial

At Hayes Connor, we believe that raising awareness of the growing cybersecurity threat will help organisations across the UK improve their data protection processes. But it’s also vital that we all do our bit to protect ourselves as individuals.

For more advice on how to keep your data safe, follow us on Twitter and Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.

 

 

notjusthackers

Are hospitals doing enough to protect patient confidentiality?

One in 13 patients will have their records stolen after a healthcare provider data breach[1]. However, despite the headlines, fraudsters don’t just use the internet to get their hands on our sensitive information. So, while hospitals are looking at what they can do to protect our online data, they must also look at improving security measures to prevent unauthorised physical access to sensitive medical records.

In an unusual case, our solicitors saw just how one fraudster was able to get his hands on sensitive medical information by impersonating a member of the hospital’s medical team.

What happened in this case?

In this data breach, a woman (our client), was a patient in hospital having just given birth. However, while she was there a fraudster impersonated a doctor to obtain information about her personal medical situation.

A student nurse provided the highly sensitive information to the imposter, which included details about a disease with which our client had recently been diagnosed, and which she was struggling to come to terms with.

To date, nothing untoward has happened to our client following this incident, and there has been no contact from the person who obtained her medical records. But as she still does not know who accessed her data, and what might be done with it, this situation is incredibly disturbing, and understandably this uncertainty has caused the woman considerable distress.

Lessons learned

Hospitals and other healthcare organisations need to do more to protect sensitive patient data.

All too often employees are involved in healthcare data breaches, and as such, employee training and awareness must form a core part of any security strategy and measures.

In this case, the hospital in question subsequently investigated the incident and agreed to improve their security systems and internal practices. Just simple steps such as ensuring that all members of staff wear ID at all times can make a big difference.

For more advice on how to keep your data safe, follow Hayes Connor on Twitter or give us a like on Facebook. Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.


[1] Accenture

data breach

Should you hold British Airways responsible for its data breach?

At Hayes Connor Solicitors, we’re helping victims of the British Airways data breach to claim compensation after their personal information was put at risk by the airline.

However, in our work we often hear people talking about how companies like British Airways (BA) should not have to pay for the acts of unscrupulous hackers. And it’s true that cybercriminals are becoming increasingly sophisticated. But this doesn’t let negligent organisations off the hook.

The truth is that in most cases, data breaches happen because of a failure to implement reasonable and robust processes. We believe that this was the case at BA.

As such, claiming compensation isn’t just in your best interests. The only way big organisations will be persuaded to take their data privacy responsibilities seriously and make improvements is by hurting their bottom line.

Brand loyalty is all well and good, but it’s vital that we don’t put the needs of big companies above the rights of their customers.

Crucially, if BA had done everything in its power to protect its customers’ data, and had robust security processes in place, it is unlikely that a claim for compensation would be successful. This is why we usually wait for the results of an investigation by the Information Commissioner’s Office (ICO) before starting a group action.

So, was BA responsible for the data breach? Let’s look at the facts.

  1. British Airways didn’t spot the data breach for two weeks

In September last year, it was revealed that almost 400,000 BA customers had their bank card details stolen in one of the most severe cyber-attacks in UK history.

Worryingly, the hack went undetected for two weeks before BA told its customers about the breach and reported the incident to the police. BA has admitted that the hackers spent more than a fortnight accessing data online and we believe that this is a significant failure by BA – one that increases the risk to passengers substantially.

With 12 days between the BA data breach occurring and the incident being detected, questions have been asked as to whether poor systems made this cyber-attack worse.

  2. British Airways uncovered a second data breach when investigating the first

To make matters worse, when investigating this case, a second data breach was also spotted at the airline.

In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates, and card verification value (CVV) numbers. And, a further 108,000 people had their personal details stolen. This hack could have left customers exposed for months.

  3. Hackers could already have made millions from the British Airways data hack

Russian hackers may have made millions selling credit card details stolen from BA customers. Research has found that stolen data was put up for sale on the dark web about a week after the BA breach. Hackers were charging between £7 and £40 (approximately) for each card’s worth of information.

BA says it has not received reports of fraud resulting from the attack on its own systems.

  4. The British Airways hack might have been caused by the same hackers as Ticketmaster

According to reports, a cyber-criminal operation known as Magecart is behind the recent BA data breach. The group has been very active over the past three years. It is also thought to be behind the Ticketmaster data hack.

A report by RiskIQ states that clues link the same operation to the BA breach. The company said the code found on the BA site was very similar. However, the code was modified to suit the way the airline’s website had been designed. Crucially, if RiskIQ is right about how the attack worked, a cybersecurity researcher has told the BBC that “BA should have been able to see this”. So the hack could have been very easily prevented.

Worryingly, in the Ticketmaster data breach case:

  • 63% of all the clients we took on suffered multiple fraudulent transactions on their payment cards, and
  • 31% of all our clients involved in this case suffered from distress and/or psychological trauma as a result of having their card details stolen and used in fraudulent activity.

What’s more, it is becoming increasingly clear that the impact and losses people sustain following a data breach are not always immediately apparent. Indeed, in the Ticketmaster data breach, we are starting to see cases where the impact occurred months later. This is often because data stolen is used in batches over time.

So, as yet it’s impossible to say how many people have been impacted by the BA data breach, and to what extent.

  5. British Airways has been accused of not taking its responsibilities seriously following the data breach

Following the BA data breach, the airline said that compensation claims would be discussed on an ‘individual basis’. However, it is not up to the airline to dictate the terms of any compensation payments.

In response, customers took to the media to share their fury at the airline’s handling of the privacy violation.

According to an article in The Metro, one BA customer said “They talk about compensation to be discussed on a case-by-case basis. To me, this seems incredibly unprofessional.”

He added: “They are trying to not take full responsibility for it”.

The same customer is reported to have suffered fraudulent activity on his credit card, which he used to book a BA flight during the time the data was at risk.

Some customers have complained that they have not been contacted by BA about the data breach, despite having seen fraudulent activity on their payment cards. Others have complained about BA advising customers to go to their bank for advice, rather than issuing its own instructions to help travellers stay protected.

One BA customer told the BBC: “I have six cards linked to my BA account. I have no idea how much of my data information has been stolen. I will have to go to each of my credit card providers, cancel the cards, and all the direct debits, etc., related to those cards. This will take a long time, something I have to do with no help from BA”.

Make a British Airways compensation claim with Hayes Connor Solicitors

At Hayes Connor, we want to reduce the number of data violations taking place across the UK.

To do this, we are helping to raise awareness of data breaches and cybercrime, and educating people and businesses to prevent similar infringements from happening. For more advice on how to keep your data safe, follow us on Twitter and Facebook.

But, where a breach has already occurred, it’s vital that you can recover your losses. We could be talking about one of the most severe data breach cases to hit the UK, so it’s critical that people can get the help they need.

To join our British Airways data breach group action compensation claim, you will need to register with us. We’ll let you know what is happening in this case and if and when you can make a BA data breach compensation claim.


data breaches

Sandwell Council suffers 500 data breaches in just five years

Following an investigation by The Express & Star, it has been revealed that almost 500 data breaches have occurred at Sandwell Council in the past five years.

According to the report, sensitive information has been either stolen, lost or incorrectly disclosed. And in some cases, people’s names and addresses were unintentionally shared.

Sandwell has classed all 499 data breaches as ‘low level’ incidents. However, with one data breach occurring every four days on average, this is sure to be worrying for people living in the area.

Sandwell Council is said to be reviewing its ‘information governance arrangements’. However, speaking about the findings, which were made available following a Freedom of Information request by the newspaper, a spokesperson said: “The majority of these minor data breaches have occurred in cases where data is being transferred internally between council departments, rather than to outside organisations.

“These low-level data breaches will occasionally have included the unintentional sharing of, for example, a name or address.

“None of the breaches met the threshold requiring referral to the Information Commissioner.

“The council takes action in respect of every breach, however minor, and can in many cases recover the data immediately.

“It must be remembered that the council handles thousands of pieces of data every single day.”

Not good enough

These violations correspond with our experiences of data breaches at local authorities across the country, where in most cases it’s human error rather than cybercrime that is the biggest cause of data privacy violations.

However, we would argue that handling thousands of pieces of data every day is not a good enough excuse when it comes to data protection failures.

For example, some of the breaches involved staff accidentally sending emails or paperwork to the wrong people. And, while Sandwell Council might consider this to be a low-level data breach, the devastation such negligence can cause shouldn’t be underestimated.

For example, in a recent case, our solicitors saw first-hand what can happen when a local authority sent a copy of a court order containing sensitive personal information about a father (our client) and his daughter to the wrong postal address.

This mistake saw the letter being sent to and read by a neighbour, before being divulged to other family members and neighbours. This caused considerable distress, upset and embarrassment to our client and his family. As such, the consequences of this “small” error were far-reaching.

What can you do to stop this from happening to you?

If you are concerned that your data might be at risk, whether at Sandwell Council or another local authority, you can ask for a copy of the data the council holds about you. This is called making a subject access request (SAR). Find out more about making a SAR.

This won’t guarantee that an error doesn’t result in information being sent to the wrong person, but it is a reasonable safety precaution to take. You can also ask the council for a copy of their acceptable use policy and data protection policy.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.