Ticketmaster data breach could be tip of the iceberg

Ticketmaster was affected by a significant data protection breach after cybercriminals hacked the company’s website. However, it now looks like the number of people impacted by the theft is significantly worse than first thought.

What has happened so far?

A hacker group has accessed thousands of Ticketmaster customers’ payment details. Some customers of the ticket sales company have had their cards used fraudulently.

Investigating the Ticketmaster data breach, cybersecurity analysts RiskIQ have now identified the hacker group responsible for the malicious code placed on the Ticketmaster websites.

However, RiskIQ not only states that Magecart – a malicious hacking group – perpetrated the Ticketmaster attack, but also that the group was undertaking a massive credit card skimming operation that has affected over 800 e-commerce websites.

Worse, it appears that this hacking operation has been active since December 2016.

What is the extent of the problem?

It now looks likely that the Ticketmaster data theft was part of a larger credit card scheme. In fact, we could be looking at the biggest theft of credit card details to date.

According to RiskIQ, the hackers behind the attack “seem to have gotten smarter,” and “rather than go after websites, they’ve figured out that it’s easier to compromise third-party suppliers of scripts and add their skimmer [code]. In some cases, compromising one of these suppliers gives them nearly 10,000 victims instantly.”

Put simply, Magecart could have stolen the credit card information of thousands of people across various websites merely by targeting a few companies. Some of the third-party companies allegedly compromised by Magecart include SocialPlus, PushAssist, Clarity Connect and Annex Cloud.

Ticketmaster uses SocialPlus. So, while Inbenta (a third-party software provider) has been established as the entry point for the malicious attack on its systems, at least one other source containing the skimmer had access to the Ticketmaster websites.

So, there could be a lot more to the recent Ticketmaster data breach than first thought.

What does this mean?

Because many shops use these third-parties, RiskIQ claims to have “identified nearly 100 top-tier victims, mainly online shops of some of the largest brands in the world.” It’s not yet clear which e-commerce sites have been affected.

Cyberthreat expert Ross Brewer has said that: “Third party data breaches are a growing problem for businesses. Hackers are persistent. They’re redirecting their attention to smaller, third-party suppliers that can act as a gateway to more lucrative targets. As the saying goes, you’re only as strong as your weakest link, which means if one of your third-party partners doesn’t have the same commitment to data protection, any tools you have in place are essentially rendered useless.”

What now?

There is more to this story than victims were initially told. And, while early estimates predict that 40,000 people in the UK have had their payment details swiped, it now looks likely that this number is much, much higher.

However, regardless of who was behind the attack, Ticketmaster was responsible for keeping your data safe, and this is something it has failed to do.

The Ticketmaster data protection breach has compromised customer names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details: data that can be used by cybercriminals to steal money from you, apply for credit in your name, set up fraudulent bank accounts and more.

So, if you have suffered damage or distress caused by this hack, you have a right to claim compensation. Ticketmaster has said that it has informed those involved, so if you have received this email let us know!

Data breaches often have severe consequences for those affected so you could be entitled to around £5,000 in compensation.

With data breaches on the rise, something has to be done to make big companies accountable for data losses, so claiming compensation isn’t just in your best interests, it could be the only way to ensure that businesses everywhere implement more secure processes.

Facebook data breach investigation latest. What’s happening and how can you make a compensation claim?

The Information Commissioner’s Office (ICO) is set to fine Facebook £500,000 for data breaches. That is the maximum financial penalty possible and reflects the severity of the data protection scandal. The ICO also intends to bring criminal action against SCL Elections, the now-defunct parent company of Cambridge Analytica.

If you are a Facebook user and are concerned that your data has been accessed and exploited, get in touch. We’ll let you know if and when you can claim.

What happened in this case?

  • Social media giant Facebook and controversial data firm Cambridge Analytica are at the centre of a dispute over the harvesting and use of personal data
  • Questions were raised over whether this data was used to influence the outcome of the US 2016 presidential election and the Brexit referendum
  • In March 2017, the ICO began looking into whether personal data had been misused

What is happening now in the Facebook data breach investigation?

Yesterday, the Information Commissioner, Elizabeth Denham, published a detailed update of her office’s investigation into the use of data analytics in political campaigns.

The report reveals that the ICO plans to fine Facebook £500,000 for breaches of the Data Protection Act.

The ICO has also said that it is taking steps to bring a criminal prosecution against SCL Elections Limited. While Cambridge Analytica has shut down, the ICO has already said that its directors can still be held liable and possibly criminally prosecuted.

Crucially, the ICO believes that in addition to breaching its own rules, Facebook also failed to ensure Cambridge Analytica had deleted its users’ personal data when requested. What’s more, while the ICO noted that Facebook had been the biggest recipient of digital advertising by political parties and campaigns to date, it said that the company had not done enough to explain to users they were being targeted as a consequence, or given people enough control over how their sensitive personal data was used. As a result, it seems that Facebook is guilty of two breaches of the Data Protection Act.

So, does this mean Facebook will be held to account?

No. The social media giant still has time to make any representations to the ICO before a final decision is made. However, by publishing a Notice of Intent, it is clear that the ICO is taking this matter very seriously. In fact, based on the evidence so far it looks likely that the ICO will issue Facebook with the maximum fine allowed under British law.

However, Facebook could still get away lightly, because if it had been fined under the new GDPR (General Data Protection Regulation), it could have been hit with a penalty of £479m. Indeed, the £500,000 fine is tiny when stacked up against the firm’s value of £445bn.

The impact on political parties

In its report, the ICO raised concerns about political parties buying personal information from data brokers.

Worryingly, Elizabeth Denham has said that: “We are at a crossroads. Trust and confidence in the integrity of our democratic processes risk being disrupted because the average voter has little idea of what is going on behind the scenes.

“New technologies that use data analytics to micro-target people give campaign groups the ability to connect with individual voters.

“But this cannot be at the expense of transparency, fairness and compliance with the law.”

She also said that the impact of behavioural advertising in elections was significant and has called for a code of practice to fix the system.

The ICO has also written to all the main political parties in the UK pressing them to have their data protection practices audited.

Who else is involved?

Aggregate IQ

The ICO has said that Aggregate IQ (AIQ), a Canadian company which worked with the Vote Leave campaign in the run-up to the EU Referendum, must stop processing UK citizens’ data. AIQ had access to UK voters’ personal data provided by Vote Leave and this information may have been transferred and accessed outside the UK. If so, this would be a breach of the Data Protection Act.

Emma’s Diary

The ICO also named Emma’s Diary, a company that gives medical advice and free baby-themed goods to parents who download an app. It appears that the company may have handed over data which was then used by the Labour Party to campaign to people. As a result, the ICO is about to take regulatory action against Lifecycle Marketing, the owner of the service.

With potentially one million people affected, if you have downloaded and used Emma’s Diary and are concerned that you have been targeted in this way, contact us today to find out more about making a compensation claim.

Eldon Insurance Services

It has been alleged that the Leave campaign used the personal information of people on the Eldon Insurance and GoSkippy database in the run-up to the Brexit referendum. If true, this is a shocking misuse of private information and anybody affected is likely to have a claim for compensation.

Vote Leave

The ICO is looking into the extent to which Vote Leave transferred the personal data of citizens outside the UK. It is likely that this was in breach of the Data Protection Act.

Remain campaign

The ICO is investigating the collection and sharing of personal data by the official Remain campaign (Britain Stronger in Europe) and a linked data broker. In particular, it is examining inadequate third party consents and the fair processing statements used to collect personal data.

The University of Cambridge

The Psychometrics Centre at the University of Cambridge carries out research into social media profiles. As part of its investigation, the ICO is considering whether Cambridge University has “sufficient systems and processes in place to ensure that data collected by academics for research is appropriately safeguarded in its use and not re-used for commercial work.”

The ICO said that it expects the next stage of its investigation to be complete by the end of October.

How to make a compensation claim

What’s emerged so far is looking increasingly like just the tip of the iceberg. We could be talking about one of the largest ever group actions of its kind in the UK courts. As such, Hayes Connor Solicitors has launched a group action against Facebook and has appointed Barrister Ian Whitehurst to help in this case.

Having developed a practice in the field of data breach claims for individuals and companies who have had their personal and sensitive data breached by third parties, we are confident that together our team will get the results our clients deserve.

We believe that a group action is the best way forward for data breach claims of this nature. It allows people with the same type of claim in principle to bring it together on a collective basis to strengthen their overall position and increase their chances of settlement or success in litigation.

Furthermore, with a group action claimants often share the legal fees. And, while the cost of pursuing small claims can be a barrier to justice, by grouping cases together, solicitors are often able to run group actions on a no win-no fee basis.

What should you do now?

Contact Hayes Connor Solicitors ASAP. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

Can you make a data breach claim against Yahoo?

Yahoo has been fined £250,000 after 515,000 UK accounts were compromised. This comes following a sophisticated and persistent attack in 2014. The data protection hack led to users’ names, email addresses, telephone numbers, passwords and security information being stolen by cybercriminals.

Following the fine by the Information Commissioner’s Office (ICO), those affected should now consider a data breach claim against Yahoo.

What happened in this case?

In 2014, a Russian state-sponsored cyber-attack resulted in personal data being stolen from over 500m Yahoo user accounts worldwide. Despite evidence that the firm knew about the hack soon after it happened, the data breach wasn’t reported until September 2016.

What was the result of the investigation?

The investigation focused on UK accounts that were co-branded Sky and Yahoo, and which the London-based branch of Yahoo had responsibility for.

Following its inquiry, the ICO found that Yahoo had “failed to prevent” the hack. The ICO also condemned “inadequacies” that had been in place at Yahoo for some time without being “discovered or addressed”.

The investigation also found that:

  • The firm failed to ensure that its data processor complied with the appropriate data protection requirements
  • The firm failed to ensure that the credentials of employees with access to customer data were monitored
  • There was a lengthy period before the flaws which led to the breach were discovered or addressed

According to an ICO spokesperson:

“The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

As a result, the watchdog imposed a £250,000 fine. However, this represents less than 0.4% of Yahoo UK’s 2016 gross profit.

What can you do?

The ICO has said that cyber-attacks are a fact of life, and that companies have to make it as difficult as possible for them to get in. That it is “no good locking the door if you leave the key under the mat.”

But, while the ICO has the power to impose fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. However, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

What’s more, it doesn’t matter if there is no evidence that the data has been used to carry out identity theft or fraud. If the data breach has caused you stress or anxiety (in a way that could be diagnosed by a psychologist), then the law agrees that you are entitled to compensation.

According to the ICO, Yahoo has informed those affected. If you are concerned that your data was treated negligently by Yahoo, contact Hayes Connor Solicitors immediately. We can help you to claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

Following massive data breaches, companies often set aside funds to pay compensation, so you have nothing to lose.

With strict time limits in place for making most compensation claims, it’s essential to act now.

Dixons Carphone admits huge data breach

Dixons Carphone has admitted a huge data breach following a prolonged hacking attempt. The data hack involves 5.9 million payment cards and 1.2 million personal data records. The breach occurred following a number of attacks – carried out over a period of 12 months.

The personal data records compromised by the hackers include information such as names, addresses and email addresses, all of which can be used to carry out data theft and fraud.

Also, while most of the cards had chip and pin protection, some 105,000 non-EU issued cards did not have this technology. While the company has said there is no evidence that any of the cards had been fraudulently used, a full police investigation is now underway. The regulators have also been informed and it is thought that the breach could leave the company open to a large fine.

Alex Baldock, chief executive at Dixons Carphone said:

“We are extremely disappointed and sorry for any upset this may cause.

“The protection of our data has to be at the heart of our business, and we’ve fallen short here.

“We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously.”

A history of data protection failures

Earlier this year, the Carphone Warehouse, which merged with Dixons, was fined a whopping £400,000 following another cyber-attack. The fine is one of the biggest ever handed out by the Information Commissioner’s Office (ICO). In that breach, the personal data of over three million customers and 1,000 employees were put at risk, including the historical payment card details for some 18,000 customers.

While Dixons Carphone claims that the two incidents are unrelated, the Information Commissioner (ICO) will now be looking very carefully at this latest failing.

What can you do?

Data breaches often have severe consequences for those affected. So, customers and employees of the Carphone Warehouse and the merged Dixons Carphone should now be looking to claim compensation.

The company has said that it will be contacting those affected to advise them of the breach. We would urge anyone contacted to let us know and start a data protection compensation claim; particularly as there is a history of data negligence at the company. Something must be done to hold them to account.

If you are affected you could be entitled to up to several thousand pounds in compensation, so it’s important to act now.

Does an organisation have to be fined by the ICO before you can make a data breach compensation claim?

The Information Commissioner’s Office (ICO) is an independent authority. Part of its job is to make sure that organisations across the UK keep our data safe. Every year, the ICO imposes fines on all kinds of businesses, government bodies and other parties that fail to do this. The ICO can also ensure that these organisations take steps to better protect our data in future.

But, while the ICO has the power to impose hefty fines, it does not award compensation to victims. That being said, you do have the right to ask the ICO to assess if an organisation has breached data protection legislation. And, once an organisation has been found guilty by the ICO, you can use that information to support a data protection compensation claim.

However, what many people don’t understand is that they can proceed with a data breach compensation claim even if the ICO has not investigated a breach, or found an organisation guilty of negligence.

This is important because, following the introduction of the GDPR (the latest EU-wide data protection legislation), the ICO is going to be busier than ever.

Data protection under the GDPR

Under the new rules, organisations have a greater responsibility towards protecting our data than ever before. And, experts predict that this could lead to an increase in data breach complaints. So the burden on the ICO is going to make it difficult for its officers to investigate every complaint as quickly as you might hope.

In fact, even before the legislation came into play last month, the ICO tweeted: “Sorry, we are extremely busy in the run up to GDPR & are experiencing unprecedented demand across all our services”. And, over the last few weeks, the ICO has also apologised for the “considerable” wait time on its helpline due to “high demand for our services”.

Making matters worse, according to reports, the ICO has only collected half of the data breach fines it has issued since 2010. Often because it doesn’t have the power it needs to enforce payment. So often these organisations are going unpunished for their failures.

So, what can you do if an organisation has failed to protect your data, but you don’t have the weight of the ICO behind you?

Making a private data breach compensation claim

You can make a compensation claim against a company without going to the ICO. When you make a private complaint, your case goes before a judge in a civil trial to seek recovery of any losses and the payment of compensation. Often these cases are settled out of court. Proceedings can be started quickly, without the uncertainty associated with whether the ICO will investigate the incident.

What’s more, even if you have already contacted the ICO about a potential breach, Hayes Connor Solicitors can still investigate your claim. We will work with the ICO to gather as much evidence as possible to help you succeed. But, where we don’t feel things are moving fast enough, or where we don’t agree with the findings of the ICO, we can still help you to pursue a private claim.

While each case will be judged on its merits, as experienced data breach lawyers, we can advise you on what you can include in your compensation claim and your chances of success. In most cases, the minimum level of damages to be sought at settlement stage would be between £750 and £1,000.

Can you make a data breach claim against the Crown Prosecution Service?

In May this year, the Information Commissioner’s Office (ICO) issued a £325,000 fine following the loss of recorded police interviews by the Crown Prosecution Service (CPS). The DVDs contained interviews with 15 victims of child sex abuse and were to be used at trial.

Shockingly, the recordings were also unencrypted, and the failure to protect such sensitive information has led to concerns that a “loss in trust could influence victims’ willingness to report serious crimes”.

Such data breaches could also have severe consequences for those affected. So, victims should now be looking to make a data breach claim against the Crown Prosecution Service.

What happened in this case?

In November 2016, the DVDs were sent by tracked delivery from Guildford to Brighton for a trial. But, because the delivery was made outside of office hours, they were left at an office reception in a shared building.

The recordings, which were not sent in tamper-proof packaging, contained highly intimate and sensitive details of the victims, as well as the personal data of the perpetrator, and identified information about other individuals.

It was over a week before the loss was discovered and while the building’s entry doors were locked, deliveries that were left there could be accessed by anyone with admission to the building.

The DVDs and the information contained on them have not been found, so it is unclear what has happened to them and whether anyone has watched them.

To make matters worse, this is the second time that the CPS has failed to take necessary steps to protect sensitive data. In 2015, the CPS was fined £200,000 by the ICO after the theft of laptops containing videos of police interviews uncovered serious security failures by the government body.

What was the result of the latest investigation?

In its judgement, the ICO found that the CPS was negligent by failing to ensure that the videos were kept safe. The CPS was also accused of not taking into account the substantial distress that would be caused if the videos were lost.

Astonishingly the investigation also revealed that while encryption software is available to the CPS, it is not routinely used to protect such evidence.

As a result, as well as the £325,000 fine, the ICO ruled that, due to a lack of proper processes across the organisation, staff training within the CPS was needed immediately.

Stephen Eckersley, head of enforcement at the ICO, said:

“The CPS failed to take basic steps to protect the data of victims of serious sexual offences. Given the nature of the personal data, it should have been obvious that this information must be properly safeguarded, as its loss could cause substantial distress.

“The CPS must take urgent action to demonstrate that it can be trusted with the most sensitive information.”

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

The latest breach by the CPS is particularly worrying as many of the victims were already vulnerable and had already endured significant distress during their interviews with the police. As such, the loss of these recordings is likely to cause considerable emotional anguish.

What’s more, while the CPS has said that it has now strengthened arrangements to prevent further incidents, its failure to do so following the last data protection breach highlights a shocking disregard for those people it should be protecting. The CPS simply did not make sure that appropriate care was taken to avoid similar breaches re-occurring.

The CPS was aware of the graphic and distressing nature of the personal data contained in the DVDs, but it was complacent in caring for that information and those it is supposed to protect. So it must be held to account.

Victims who had their data accessed were informed about the breach. And, while the CPS has offered to meet victims’ families to apologise, this does not cancel the right to proper compensation.

If you are one of those affected and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. We can help you to make a data breach claim against the Crown Prosecution Service and claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

With strict time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.

Can you make a data breach claim against the British and Foreign Bible Society?

This month, the British and Foreign Bible Society was fined £100,000 for failing to protect the personal data of 417,000 of its supporters. Following an investigation by the Information Commissioner’s Office (ICO), it was revealed that the Society exposed these supporters to possible financial or identity fraud.

While the Society was a victim of a cyber-attack, this does not negate the fact that it failed to take appropriate steps to protect the personal data it was entrusted with.

With data breaches often causing significant distress for those affected, victims of the British and Foreign Bible Society data breach may now want to claim compensation.

What happened in this case?

Between November and December 2016, criminals exploited the weakness of the Society’s computer network – which used an easy-to-guess password – to access the personal data of its supporters.

Using ransomware to encrypt almost one million files, the data compromised included names and contact details, as well as payment card and bank account details for some. Fortunately for the Society, the data had recently been backed up, so it could not be held to ransom. But, many of the files were transferred, copied and extracted by the attacker.

What was the result of the investigation?

During its investigation, the ICO found that supporter details were kept on an insufficiently secured internal network which offered inappropriate remote access rights.

Commenting on the case, Steve Eckersley, head of enforcement at the ICO, said:

“The Bible Society failed to protect a significant amount of personal data and exposed its supporters to possible financial or identity fraud.

“Our investigation determined that it is likely that the religious belief of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated.

“Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act. But organisations need to have strong security measures in place to make it as difficult as possible for intruders.”

The British and Foreign Bible Society was fined £100,000 for breaching data protection legislation.

What can you do?

Today, many people choose to donate to charities and causes they care about. But, while you might support them in their aims, it is vital that they meet their obligations when it comes to protecting your sensitive data. Where they fail to do this, holding them to account is often the only way to ensure standards are improved. Often such organisations are insured against such data breaches, so you don’t have to worry about the impact of the good work you support.

In this case, the ICO found that the Society’s failure was likely to cause substantial damage or distress to those supporters who had their data stolen.

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

The Society has notified victims who have had their payment details stolen, but it is not clear if those who had other personal data put at risk were informed. However, modern cybercriminals are increasingly sophisticated and such information can be used to carry out identity theft and fraud, so it is vital you are told.

What’s more, it doesn’t matter if criminals haven’t used your data. If the data breach has caused you stress or anxiety (in a way that could be diagnosed by a psychologist), then the law agrees that you are entitled to compensation.

If you are one of those affected and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. If you are not sure if your information was compromised, we can find this out for you. We can also help you to claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

With strict time limits in place for making most compensation claims, it’s essential to act now.

Can you make a data breach claim against Nottinghamshire County Council?

Last year, Nottinghamshire County Council was fined £70,000 by the Information Commissioner’s Office (ICO). The fine came after the Council left the personal information of vulnerable people it was supposed to protect exposed for five years.

The sensitive data included the gender, addresses, postcodes and care requirements of 3,000 elderly and disabled people.

Such failures could have severe consequences for those affected. So, victims should now be looking to make a data breach claim against Nottinghamshire County Council. 

What happened in this case?

In 2011, Nottinghamshire County Council launched its Home Care Allocation System. This was an online portal which allowed social care providers to confirm that they were able to support a particular person.

However, five years later, a member of the public informed the Council that the unprotected directory could be accessed via a simple online search. During this time the data could have been viewed by anyone, with no need to log in. And, although the service users’ names and house numbers were not included, it would have been possible to identify them.

This situation is particularly worrying as the data contained in the system could have been used by criminals to target vulnerable people. It could also have been used to alert criminals about when people were in hospital, and when their homes were sitting empty.

What was the result of the investigation?

The incident has been called a serious and prolonged breach of the law by the ICO. The investigation also found that, despite having the financial and staffing resources available, the Council overlooked the need to put robust measures in place to protect people’s personal information.

Calling the data protection breach “totally unacceptable and inexcusable”, the ICO said that the distress to service users was likely to be substantial, particularly given the sensitive nature of the personal data and the vulnerability of the people involved. For example, the report into the breach states that “elderly and vulnerable service user may worry that a thief or burglar would use the information to prey on her whilst at home or in hospital.”

Furthermore, the ICO has agreed that such concerns are entirely justifiable, even if the feared events never actually happen.

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

Central and local government bodies handle some of our most sensitive personal data, and we have the right to expect this will be looked after and kept safe. As such, organisations such as Nottinghamshire County Council must start to look after our data as carefully as they would their own money or offices.

Very often, the only way to ensure they do this is by claiming compensation for data protection breaches and holding them to account.

What’s more, it doesn’t matter if there is no evidence that the data has been used to carry out identity theft or fraud. If the data breach has caused you stress or anxiety (in a way that could be diagnosed by a psychologist), then the law agrees that you are entitled to compensation.

While Nottinghamshire County Council informed the ICO as soon as the failure was uncovered, because it occurred before the General Data Protection Regulation came into force in May 2018, it was not obligated to tell individuals if their data was breached. So, you may not know if your sensitive information was put at risk. But if you are in any doubt, it’s worth finding out, and we can do this for you.

If you are one of those affected and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. We can help you to make a data breach claim against Nottinghamshire County Council and claim the maximum amount of compensation in the minimum amount of time. We can do this on a no-win, no-fee basis.

With strict time limits in place for making most compensation claims, it’s essential to act now.

IF YOU THINK YOU MAY HAVE A DATA BREACH CLAIM AGAINST NOTTINGHAMSHIRE COUNTY COUNCIL COMPLETE OUR CONTACT FORM.


Can you make a data breach claim against the Carphone Warehouse?

Earlier this year, the Carphone Warehouse was fined a whopping £400,000 following a cyber-attack. The assault on the company’s computer systems compromised customer and employee data and uncovered severe failures in Carphone Warehouse’s data security systems.

The data protection breach put the personal data of over three million customers and 1,000 employees at risk, including the historical payment card details for some 18,000 customers.

The £400,000 fine is one of the biggest ever handed out by the Information Commissioner’s Office (ICO).

Data breaches often have severe consequences for those affected. So, customers and employees of the Carphone Warehouse should now be looking to claim compensation.

What happened in the Carphone Warehouse data breach case?

In 2015, a Carphone Warehouse computer system fell victim to a cyber-attack. The data breach affected the company’s online division which operated the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites.

The attack took place after the assailant scanned the system using a commonplace penetration testing tool. The tool looked for things such as outdated software and other vulnerabilities. Having found that such weaknesses did exist in a WordPress website, the attacker exploited them to access the system and the customer and employee data.

While Carphone Warehouse did have processes in place to monitor cyber threats, staff were not alerted to the attack until 15 days after the system was first compromised. This time lapse further highlighted the lack of adequate security measures in place at the company. In fact, according to the ICO, the “number of distinct and significant inadequacies in the security arrangements for the System is striking”.

What was the result of the investigation?

In its judgement, the ICO found that the Carphone Warehouse data breach significantly affected the privacy of those involved. It also said that if the data was misused, it was likely to cause substantial damage or distress.

“The real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.

“The law says it is the company’s responsibility to protect customer and employee personal information.

“Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.

“There will always be attempts to breach organisations’ systems and cyber-attacks are becoming more frequent as adversaries become more determined.

“But companies and public bodies need to take serious steps to protect systems, and most importantly, customers and employees”.

In failing to do this, the ICO found that the severity of the Carphone Warehouse data breach merited a £400,000 fine.

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

IF YOU THINK YOU MAY HAVE A CLAIM THEN COMPLETE OUR CONTACT FORM.

Can you make a data breach claim against the Bayswater Medical Centre?

The Bayswater Medical Centre has been found guilty of a serious data protection breach. The London-based GP and healthcare provider has been fined £35,000 by the Information Commissioner’s Office (ICO) after it left highly sensitive medical records, registration forms and repeat prescription information unsecured in an empty building for a year and a half. The data was left on desks, in unlocked cabinets, on windowsills, and in bins.

With medical data breaches often having severe consequences for those affected, patients of the Bayswater Medical Centre may now be able to claim compensation.

What happened in this case?

The breach occurred after the Bayswater Medical Centre vacated a practice but continued to use the building for storage. The failure to protect sensitive patient data was only discovered after another GP practice visited the site to take over the lease.

Perhaps most worryingly, despite repeated warnings from the new surgery and a local Clinical Commissioning Group, Bayswater Medical Centre did nothing to collect and secure the sensitive information.

Concerns were escalated to NHS England (NHSE). And, when officers investigated the building, they found that “it would have been apparent to anyone looking through the window that the premises were abandoned and patient files left littered throughout the premises with windows left ajar with potential access”. Medical records were also left on a windowsill, with the blinds not closed and the window not secure. NHSE also reported that the building was secured by a single lock, and had no other physical security measures such as an alarm. In fact, just one week after the records were eventually removed, the building was broken into.

What was the result of the investigation?

The ICO has called the breach a “serious contravention” of data protection legislation that could lead to serious damage and distress for victims. In fact, the ICO said that any concerns by patients went beyond mere irritation and that fears about data falling into the wrong hands were understandable, even if what patients feared never actually happened. As such, the ICO found that the severity of the breach merited a £35,000 fine.

What can you do?

While the ICO has the power to impose hefty fines on organisations who fail to meet their data protection obligations, it does not award compensation to victims. But, once an organisation has been found guilty by the ICO – as in this case – you can use that information to support a data protection compensation claim.

What’s more, it doesn’t matter that the data remained secure in the building and didn’t fall into the hands of criminals. If the data breach has caused you stress or anxiety (in a way that could be diagnosed by a psychologist), then the law agrees that you are entitled to compensation.

If you registered with Bayswater Medical Centre before July 2015 (even if you have since moved to another practice), and are concerned that your data was treated negligently, contact Hayes Connor Solicitors immediately. We can help you to claim the maximum amount of compensation in the minimum amount of time, on a no-win, no-fee basis.

Before the General Data Protection Regulation came into force in May 2018, organisations were not obligated to tell individuals if their data was breached, so, you may not know if your medical records were put at risk. But if you are in any doubt, it’s worth finding out, and we can do this for you.

With strict time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.

IF YOU THINK YOU MAY HAVE A CLAIM THEN COMPLETE OUR CONTACT FORM.