GDPR Weekly Show – Episode 62 – 20th October 2019

Hayes Connor featured on this week’s GDPR podcast with news of our client’s successful data breach claim against his local NHS Trust after it shared confidential details from his medical records without consent (listen from 11 minutes, 13 seconds).

The podcast also features news of the team’s landmark representative action against Equifax worth an estimated £100 million (listen from 28 minutes, 14 seconds).


What can you do if you are the victim of a bank data breach?

Financial data breaches and cyber attacks are on the rise. Not only did retail banking see 2400% more data breach reports last year than the year before, but breaches in a whole range of companies are putting our financial data at risk. For example, following the Ticketmaster data breach, over 60% of all our clients went on to suffer multiple fraudulent transactions on their payment cards.

What is causing financial data breaches and cyber attacks?

In 2018, seven UK retail banks, including Santander, Royal Bank of Scotland, Barclays and Tesco Bank suffered sustained attacks. These attacks cost them hundreds of thousands of pounds. Furthermore, over £500m was stolen from British banking customers in the first half of 2018.

Cryptocurrency is also being targeted by criminals. In fact, each year, the equivalent of millions of pounds is being stolen from cryptocurrency holdings. As such, cryptocurrency fraud is a very serious crime.

There are a few reasons why data breaches and hacks are happening. These include:

Cyber attacks

 A cyber-attack can take many forms including financial data hacks, financial phishing attacks, bank and credit card takeover fraud and push payment scams.

To make matters worse, cybercriminals are becoming increasingly sophisticated. For example, AI-assisted imposters are set to become an increased threat, with machine learning and the Internet of Things (IoT) helping to make existing cyber-attack efforts faster, more formidable, and more effective.

Inadequate security processes

In many cases, financial data breaches happen because of a failure to implement reasonable and robust processes.

This can include things like not implementing or updating secure firewalls, password controls, operating systems, anti-virus and anti-malware software or reliable encryption. Also, companies that fail to establish regular and robust backup processes or don’t take steps to identify, record and secure personal data are putting this information at risk.

Human error

It is human error rather than cybercrime that is the biggest cause of financial data breaches. In fact, in the UK, 88% of data breaches are caused by human error, not cyberattacks.

Typical examples of such errors include:

  • Sending sensitive data to the wrong recipient (via email, post or fax)
  • The loss of paperwork
  • Forgetting to redact data
  • Storing data in an insecure location
  • Losing devices such as laptops, phones and tablets
  • Staff deliberately ignoring data protection policies
  • Managers not training staff on data protection
  • Leaving sensitive information online without any password restrictions.

How can you protect yourself following a financial data breach or cyber attack?

To protect yourself following a financial data breach you should:

  • Contact your bank/credit card provider immediately
  • Consider a credit freeze until the matter is resolved
  • Report the scam to the police and contact Action Fraud for advice on what to do next
  • Keep an eye on your bank and credit card statements to see if there is anything you don’t recognise
  • Let the credit reference agencies know of any activity that was not down to you
  • Register with the Cifas protective registration service. This will slow down credit applications made in your name with additional verification checks made to ascertain that the applicant is actually you.

For more advice on how to keep your data safe, follow us on Twitter and Facebook. Alternatively, if you have been the victim of a financial data breach or cyber fraud give us a call to discuss your case in more depth.

Making a financial data breach claim

If you want to claim compensation for a financial data breach case, our professional, friendly team will advise you on whether you have a valid claim. Our process is fully compliant with ICO guidance, and we never put your details at risk. We will NEVER pass your details onto anyone without your permission.


How to get your money back after push payment fraud

Push payment fraud is the fastest-growing type of fraud in the UK. In 2017, there were 43,875 cases involving push payment fraud, with total overall losses of £236 million to customers and only £60.8 million repaid[1]. And, in the first half of 2018 alone, push payment scams saw £145 million stolen by cybercriminals.

So, it’s essential that victims of push payment fraud know what to do to help them get their money back.

In this quick guide, we provide some expert help on what you need to do to get push payment compensation.

Push payment fraud

Push payment fraud – also called authorised push payment (APP) – happens when cybercriminals trick people into sending them money. Because the individual thinks the cybercriminal is genuine, they authorise the handover of cash.

This money is then swiftly transferred to different accounts, often abroad, which makes getting it back almost impossible. So, it’s vital that people have someone to turn to so they can get push payment compensation.

Types of push payment fraud

Push payment fraud is carried out in many different ways, but ultimately fraudsters are looking to trick you into believing that you are making a payment to someone you can trust.

Typical push payment scams include:

  • Where criminals send fake invoices that look exactly like ones you are expecting (e.g. from your child’s school or a legitimate tradesperson)
  • Where fraudsters convince you to transfer money to them by pretending to be someone official, such as a solicitor (e.g. when buying a house) or the police
  • Where push payment scammers send emails pretending to be from a friend or family member asking for money.

Ultimately it’s about conning you into transferring your cash into fraudulent bank accounts.

The impact of push payment fraud

The money lost because of authorised push payment fraud can be devastating.

For example, a mother and daughter in Kent were tricked out of their life savings after unknowingly transferring £113,665 to a criminal, rather than their solicitor.

Another woman was conned into losing her mother’s care-home fees after a criminal claiming to be from her bank’s fraud team flagged up unusual transactions on her bank account. She was asked to move her balance to a new “protected” account. However, when she called her bank to check the transfer had gone through, they knew nothing about it.

Why were you targeted?

In some cases, the criminals involved might have called hundreds (or even thousands) of people in the hope of deceiving someone.

But often these scams are highly targeted and happen because your data has already been compromised in a data breach (or other cybercrime such as an email hack).

A data breach could have occurred at any organisation that holds your personal information. Criminals often use data breaches to access data and sell it on the dark web.

According to a report by The Independent[2], the personal data of UK citizens is selling for as little as £10 on the dark web. The data offered provides more than enough information for push payment fraudsters to convince you that they are genuine and defraud you.

In addition, some criminals will target the customers of banks that have poor security processes. This is because they know that inadequate practices can make it easy to trick customers into handing over money. This includes where banks fail to:

  • Keep their internal telephone/text/email systems secure
  • Keep their internal security protocols safe and secure, allowing fraudsters easy access to them to commit fraud
  • Undertake proper checks on large transactions from clients who don’t normally transfer large sums
  • Undertake proper checks on transactions to accounts where there is no history of transactions
  • Stop transfers and freeze accounts when they are informed that fraud might be happening
  • Liaise with the fraudsters’ banks to chase down the money and/or find out who the money has gone to.

Protecting yourself from push payment fraud

There are steps you can take to protect yourself from push payment fraud. For example, you should never disclose your security details such as your PIN or full banking password to anyone (not even your bank). Likewise, you should never transfer money without being 100% sure who you are sending it to. Just because someone knows some personal information about you (e.g. your mother’s maiden name), that doesn’t mean they are genuine.

But this doesn’t help if you have already been conned.

How to get push payment compensation

There are a few ways to get your money back after a push payment fraud.

Firstly, if someone is convicted of a cybercrime against you, the court may order them to pay you compensation. Where the authorities are not interested in pursuing compensation, or where you do not want to make a criminal case, we can assist with a private prosecution. However, this isn’t always possible. First and foremost the scammer has to be caught, and that is rarely the case.

Secondly, you can ask your bank to compensate you after a push payment fraud. Historically, banks have avoided paying push payment scam compensation to victims unless there was a fault in their processes. They argued that they made it very clear that customers should never make a payment at the request of someone over the phone or email. So, because you authorised the payment, it was your responsibility, and they could not be held liable.

However, stronger protections have been introduced to help protect victims of push payment fraud. This means that your bank or credit card provider can only refuse to reimburse stolen funds where you have shown a very significant degree of carelessness.

Thirdly, you can also complain to the bank that received your money (the bank that the fraudster used). This is a new rule that has been introduced to encourage banks to do more to identify when a fraudster is using their services.

It is expected that banks will reimburse somewhere between £30 million and £40 million more in push payment compensation in 2019 as compared to last year.

What if your bank refuses to give you push payment compensation?

Despite the new measures, the banks are still trying to limit their liability for push payment compensation. So, if you’re not happy with the response from your bank, you should refer your complaint to the Financial Ombudsman.

The Ombudsman understands that cybercriminals are becoming increasingly sophisticated and harder to spot. It knows that people are often manipulated into thinking that their money is at risk. So they will think carefully before deciding whether you have acted in a way that goes beyond what might be described as careless.

However, even where you do have a claim for reimbursement, fraud victims whose banks refuse to refund their losses can see the appeal process drag on for months. The average wait for those taking their case to the Financial Ombudsman Service is a staggering 215 days.

What if the Financial Ombudsman doesn’t help?

If you have been the victim of a push payment scam and the banks are refusing to help, you should contact Hayes Connor solicitors to find out if we can help you to recover any losses.

We are also considering a group action claim against banks who have failed their clients after they have lost money through no fault of their own. A group action is where a group of people, all affected by the same issue, collectively bring their cases to court. Group actions can be a powerful tool and can have a bigger impact than a single claim.

The current banking system makes it all too easy for scammers to trick people into sending them money, so it’s vital that you have someone you can turn to for help.


What should you do now?

If you have been the victim of an attempted push payment scam, you must contact Action Fraud ASAP if you haven’t already done so. Action Fraud is the national fraud reporting service. However, if you have lost money as a result of the scam, you must also report it as a crime.

If you live in Scotland, you should call the Police on 101.

There are also some security measures you should take after a financial data breach to stop yourself from falling victim to further crime. These include:

  • Contacting your bank/credit card provider immediately
  • Freezing your card right away via your banking app if available
  • Changing your passwords and other security details
  • Implementing a credit freeze until the matter is resolved
  • Keeping an eye on your bank and credit card statements to see if there is anything you don’t recognise (and reporting these to your financial provider immediately)
  • Letting the credit reference agencies know of any activity that was not down to you
  • Registering with the Cifas protective registration service. This will slow down credit applications made in your name with additional verification checks made to ascertain that the applicant is actually you.

If you have been the victim of a push payment scam and the banks are refusing to help, contact us to find out how we can help you to recover any losses and to discuss your case in more depth. We can also help you if you became the victim of a bank scam as a direct result of a data breach.


For more advice on how to keep safe, follow us on Twitter and Facebook.

[1] UK Finance

[2], 17th October 2019

Kingsley Hayes featured on with news that Hayes Connor had issued a claim worth an estimated £100,000 million against Equifax in the High Court on behalf of all affected individuals. The landmark legal action is the first time that a law firm has issued a representative data breach claim which could see the Court ordering Equifax to pay compensation to all its affected UK customers to Hayes Connor to distribute accordingly.

Hayes Connor issues landmark £100 million data breach claim against Equifax

North West based data breach and cybersecurity specialist Hayes Connor Solicitors is the first in the UK to serve a representative data breach claim in the High Court. The action could see Equifax ordered to pay up to £100 million in compensation to its estimated 15 million UK customers affected by its 2017 data breach.

The action follows the Court of Appeal’s decision on the Lloyd v Google case on 2nd October which ruled that a law firm could bring a claim for compensation for just one affected individual following a data breach and be awarded compensation for the entire affected population.

Kingsley Hayes, managing director at data breach and cybersecurity specialist Hayes Connor Solicitors, said: “We are delighted to be the first firm to issue proceedings following the Court of Appeal’s recent ground-breaking ruling which allows us to pursue the total amount of compensation due to Equifax’s 15 million affected UK customers.

“We estimate the total value of the claim to be £100 million which, if won, Hayes Connor would distribute to all affected individuals. Equifax was found by the ICO to have failed in its data protection obligations on multiple levels including failing to comply with how customers’ personal information can be processed and stored and how that private data should be secured.

“Following hackers successfully accessing its systems in America to steal the personal information of a reported 143 million individuals, the personal data of its UK customers was also exposed including email addresses, usernames, passwords, security questions, phone numbers and credit card details.

“This is the first time that a data breach claim has been issued in the UK on behalf of all affected parties. The Court of Appeal ruling has made it easier for all data breach victims to be fairly compensated.”

Equifax suffered significant financial losses following the data breach which was announced in March 2017 with US lawsuits resulting in the credit report giant fined $290 million and ordered to pay a further $1.4 billion to compensate affected American customers.

The ICO found that Equifax had failed on multiple counts in how it stored, processed and protected its UK customers’ personal information, imposing a minimum £500k fine in September 2018 as the breach occurred pre-GDPR.

Hayes Connor has instructed Louis Browne QC and Ian Whitehurst of Exchange Chambers in Liverpool in the landmark action.

Hayes Connor Solicitors was recently appointed as data protection supplier to the Communication Workers Union and is currently acting for thousands of claimants with data breach action against Ticketmaster, Equifax, Marriott International, TeamSport, Dixons Carphone and the Police Federation of England and Wales.


Southern Health NHS Trust pays settlement in data breach claim

Southern Health NHS Trust has admitted failing in its data protection obligations following an incident which involved a member of its staff accessing and sharing details of a patient’s confidential medical records without consent.

The breach took place in 2016 but was only discovered more than two years later following a Right of Access information request by Fordingbridge resident Robert Richardson.

Council files revealed that following his request for a more secure back door to be provided for his property following serious threats made against him, New Forest District Council had contacted the NHS to ask whether he was known to its mental health facility.

61-year-old operations administrator Robert Richardson said: “I asked the local council to replace my back door for added security for my family, but they were not forthcoming. I had concerns about what was happening internally at the Council in relation to my request. I proceeded to make a Right of Access request only to discover that they had contacted the NHS with the suspicion that I was suffering mental health issues.

“I was stunned and very upset to discover that this had taken place without my knowledge, or consent, and even more upset that the NHS had proceeded to access my private medical records to confirm to the Council that I had not been a mental health patient, again without my knowledge or consent.

“This followed a simple request to have the back door of my property replaced and at no point did the Council, or the NHS, ask permission to share my private information.”

Representing Mr Richardson, James Kelliher, litigation executive at data breach and cybersecurity specialist Hayes Connor Solicitors, commented: “The Trust admitted that a technical breach of the Data Protection Act had occurred. Our client discovered the breach purely by chance. It is concerning that private medical information was accessed and details shared without our client’s consent. Had he not made a Right of Access request the breach would have gone undetected.

“We pursued a successful data breach claim against Southern Health NHS Trust on behalf of Mr Richardson securing £1,500.

“GDPR came into force last year, raising awareness of data privacy; however, individuals’ private information has been protected by data protection laws for some time predating this, a fact that both the Council and NHS Trust should have been well aware of.”

Salisbury Journal, 13th October 2019

We were pleased to secure £1,500 for our client after he discovered that his local NHS Trust had breached his data protection rights. His confidential medical files were accessed and information shared with a third party without his knowledge or consent.

Liverpool Business News, 9th October 2019

Liverpool Business News featured news of Hayes Connor’s multi-million-pound data breach claim against British Airways following its 2018 data breach. Affected individuals have a 15-month window to join the group litigation for compensation.

Today’s Legal Cyber Risk, 7th October 2019

In an increasingly digitised era, more and more of our personal information is stored, processed and shared online. Kingsley Hayes advises on simple tips to help prevent cyber-attacks and maintain robust data protection in Today’s Legal Cyber Risk.

Legal Futures, 4th October 2019

The Court of Appeal made a ground-breaking ruling on 2nd October 2019 reinforcing the value of personal data and adding further weight to action taken against organisations who fail in their data protection obligations. Kingsley Hayes talks about what this means for data breach claims in Legal Futures.