Credit card details hacked in Vision Direct data breach

Cybercriminals have compromised the contact information and financial details of Vision Direct customers in a recent data hack.

Both personal and financial information has been put at risk, including full name, address, phone number, email address, and password details, as well as sensitive credit card numbers, expiry dates and CVV security codes. This information could be used to carry out financial fraud and data theft, so customers are understandably worried.

Earlier this week, the UK retailer informed its customers that their data was stolen in a five-day hack between 3rd and 8th of November. It is understood that a bogus Google Analytics script added to Vision Direct’s website let hackers breach the company’s security defences.

Should you be worried?

The breach affects customers who logged into their Vision Direct account or updated their personal details during the period in which the hack took place. At present, 16,300 customers are thought to be at risk.

In a letter to its customers, Vision Direct has admitted that this “information could be used to conduct fraudulent transactions”.

It continues: “Vision Direct has taken steps to prevent any further data theft, the website is working normally and we are working with the authorities to investigate how this theft occurred.”

Vision Direct will contact any customers who it believes have been affected by the data breach. The company has also asked all users to review their bank statements and change their passwords on the site as soon as possible.

Is Vision Direct responsible for the data breach?

Even where cybercriminals target a business, in the eyes of the law it is still responsible for the data it holds. And, if found to be (even partially) responsible for a data breach, under the new General Data Protection Regulation (GDPR), it could be liable for millions of pounds in fines and compensation.

In this case, questions have been raised over whether or not Vision Direct had been storing CVV codes as it is not permitted to keep verification codes after payments are authorised. If this is found to be the case, the regulator is likely to come down hard on the business.

If you have suffered damage or distress caused by an organisation breaching its data protection responsibilities, you also have a right to claim compensation.

At Hayes Connor Solicitors, we have considerable experience helping individuals whose data has been breached and would also recommend some additional steps to keep users safe.

This includes looking out for fraudsters who attempt to gather more personal information (phishing), informing the Information Commissioner’s Office (ICO) about your concerns and reporting any suspected phishing attempts to the police and relevant authorities.

You can also check websites such as Haveibeenpwned.com to see if your details have been compromised in a data breach.

Starwood Guest Reservation Database Security Incident – have you had this email?

UK customers affected by the Starwood Hotels & Resorts data breach are now receiving an email from Marriott International (which owns the hotel group).

The Starwood brands affected by the data breach include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded time share properties are also affected.

The email confirms that:

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred.

“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.

“Marriott reported this incident to law enforcement and continues to support their investigation. The company is also notifying regulatory authorities.

“Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

The email also sets out some steps that Marriott has taken since discovering the breach. These include:

  • Establishing a dedicated call centre to answer questions you may have about this incident. The call centre is open seven days a week, and is available in multiple languages
  • Sending emails on a rolling basis to affected guests whose email addresses are in the Starwood guest reservation database  
  • Providing guests with the opportunity to enrol in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.       

Marriott has also provided some additional security steps victims of the breach can take. This includes:

  • Monitoring your SPG account for any suspicious activity
  • Changing your password regularly
  • Not using easily guessed passwords
  • Not using the same password for multiple accounts
  • Reviewing your payment card account statements for unauthorised activity
  • Immediately reporting any unauthorised activity to the bank that issued your card.
  • Being vigilant against third parties attempting to gather information by deception (“phishing”), including through links to fake websites
  • Contacting the relevant authorities if you believe you are the victim of identity theft or your personal data has been misused.

In the UK, Action Fraud is the national fraud reporting service, and is the starting point for any police investigation into your loss. UK residents should also inform the Information Commissioner’s Office (ICO).

Committed to helping victims of data breaches and cybercrime, Hayes Connor Solicitors can also help you to claim compensation following the Starwood Hotels & Resorts data breach. And we can do this on a no-win, no-fee basis. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

If you have received an email from Marriott letting you know that your details have been put at risk, get in touch. We’ll let you know if and when you can claim. You can also read our step by step guide to making a data breach claim here. 

Claiming compensation for distress following a data breach

At Hayes Connor Solicitors, we have launched compensation claims against a number of high-profile companies that have failed to keep your personal data safe. We believe that these companies must be held to account for their failure to protect your information.

The General Data Protection Regulation (GDPR) places strict obligations on businesses to keep our data safe. And you could be entitled to compensation if an organisation fails to meet these. But did you know that you can also claim for GDPR distress as well as financial losses?

What the law says

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act (the UK’s interpretation of the GDPR), you have a right to claim compensation.

Crucially, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

When making a compensation award, the court will look at the specific circumstances of your case. This includes things like the sensitivity of the data compromised and the nature of the disclosure. However, in order to be entitled to compensation for GDPR distress you must show that you have suffered emotionally because of the breach.

A personal data breach is a 21st-century version of being burgled. If a criminal came into your home and stole your private letters you would be distressed. So why should you feel any less upset at having your online data taken; particularly when these companies gave the burglar the keys?

Why shouldn’t you seek compensation for a failure to look after your information correctly?

The emotional impact of data breaches

Some people would have us believe that claiming for GDPR distress is an overreaction. That your physiological suffering and anguish doesn’t matter. You might hear friends and family saying that, while it is acceptable to claim compensation for any financial losses, you should put up with any anxiety caused by having your information stolen.

But according to Victim Support: “The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

The sheer scale of the information we share online is enough to leave victims open to the threat of fraud. For example, with enough information, cybercriminals can steal your identity, apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

So we should all be very worried about what could happen if our data gets into the wrong hands.

What’s more, being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to “get over it” isn’t helpful.

Crucially, the law understands the damage that can be caused by worry and upset. So you are 100% within your rights to make a compensation claim.

Claiming for GDPR distress following a data breach

At Hayes Connor Solicitors, we are committed to helping those affected by data breaches and cybercrime. And, we believe that the best way to make big companies pay for their failures is to use an expert lawyer to make a data breach compensation claim.

In addition, we also work with, and refer our clients to, other organisations and partners such as Victim Support. The leading independent victims’ charity in England and Wales for people affected by crime and traumatic incidents, last year Victim Support offered help to nearly a million victims of crime across the UK.

If you need assistance after a data breach, there are many resources on the Victim Support website to help you cope.

Don’t let them get away with it!

Something has to be done to make companies accountable for not looking after our information correctly. Claiming compensation isn’t just in your best interests, it could be the only way to ensure that businesses everywhere implement more secure processes.

If you want more help or advice about making a claim then contact us today

High street stores and personal data: know your rights

Most of us have been there. We’re in a shop, just about to pay for our purchases, or sort a refund, when the assistant asks for “a few details”; usually our full name, our home address, and our email. Even if we’re only buying a pair of shoes, or returning a scented candle, many of us will hand over this information without understanding why it is needed.

 For some, it’s about not making a scene. The assistant is friendly, and they appear to be in no doubt as to why they are asking for our personal information. Also, there’s often a growing queue of people who aren’t going to be happy with a customer kicking up a fuss and holding up the line. So, what should you do?

What should you do if a store asks for your personal information?

 Put simply; the shop doesn’t NEED your details. Even television retailers, who previously had to request these to send to TV Licensing when they sold or rented out equipment, no longer require this info from you.

And with stringent data protection laws now in place following the introduction of the General Data Protection Regulation (GDPR), you are entirely within your rights not to hand this over.

 Do shops need personal data for a refund?

 If you’ve challenged why the shop needs this information, you might have been met with a vague response; “to process the return”, “for our records”…that sort of thing. However, we all have a statutory right to return faulty goods and, should you wish to change your mind about a purchase you simply need to do two things:

  • Keep hold of the receipt
  • Check out the shop’s returns policy before you buy.

Unless the return policy states explicitly that you have to hand over this information (and most of them don’t), then they cannot force you to. If the policy does state that it needs your personal information, you should still query why with a manager as this is not a legal obligation.

 Why do retailers want this information?

 Stores use your details for different purposes, most often for security, for marketing, and to improve the customer experience. You might like the shop retaining information about your shopping habits to help improve their service to you. For example, if you buy a particular shade of lipstick but can never remember the name, with access to the right info the shop assistant can find out that your preferred shade is ‘Frosted Pink.’ Also, most of us like it when we are offered discounts on our favourite buys.

 That’s fine. It’s your choice. But even if you are happy with this, to protect your sensitive information, you should still care about how your personal details are stored.

What are retailers allowed to do with your information?

Any personal data we provide (e.g. email addresses collected at the point of sale) is protected by UK data protection regulations. This means that it must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

For example, if an email address is given so that you can receive an e-receipt, then your data can only be used for this specific purpose. There is no issue with a shop offering an e-receipt, but if your email address is then used to send you marketing emails without your consent they might also be breaching electronic marketing rules. You also do not have to give your email details to a retailer, and you can ask to receive your receipt in the normal way.

If a shop does want your data to market to you, then they must make it clear that this is why they are asking for your information, and you have to give your consent before they can do this.

How is your data protected?

With more and more shops using computers to store and process personal information, the Data Protection Act (the UK’s interpretation of the GDPR) sets out how it can be used; and how it can’t. The basic things you need to know are that:

  • Your personal data should be processed fairly and lawfully
  • It must be obtained only for a specified reason and can’t be handled in a way that is incompatible with that purpose
  • The information held must be adequate, relevant and not excessive when compared with the purpose for which it is to be used
  • It must be accurate and, where necessary, kept up to date
  • It must not be kept for longer than is necessary for the intended purpose
  • It must be processed in accordance with the Data Protection Act. This means that it must be kept safe and secure, and that appropriate measures will be taken against unauthorised or unlawful processing of this information, as well as against accidental loss, destruction, or damage. So, businesses must keep the information backed up and away from any unauthorised access
  • No company can sell or give away your information without your explicit consent.

 You can find out more about these principles on the Information Commissioner’s Office (ICO) website.

 What should you do if asked to hand over your details?

 In most cases, we trust these retailers. Why wouldn’t we? They are high street shops, with familiar names, big shiny signs above their windows and friendly authoritative staff. So, it can be easy to assume that they wouldn’t ask us for our address if they weren’t allowed to do so. We also trust them to hold our information safely once given.

 However, in 2018, high street chemist Superdrug was held to ransom by hackers. The cybercriminals contacted Superdrug claiming to have accessed the details of 20,000 customers.

The compromised data included names, addresses, dates of birth, phone numbers, and point balances. And, while no bank or payment card details were believed to have been accessed, the information stolen is already enough to cause severe distress to those affected. And this is just one example of a high street retailer being hit by a data breach.

Today’s cybercriminals don’t just care about our financial details. They can also cause havoc with our personally identifiable information. In fact, with enough data, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

So, should you hand over your details? Well, as with most things, you have a choice. A choice to ask questions, and a choice to exercise your own free will based on the answers that are provided to you.

While we have previously been content to hand out our personal information, with a huge jump in cyber fraud, it’s perhaps no wonder that consumer confidence is now lacking, and that data breach claims are on the rise.

Can you make a data breach compensation claim?

When a breach happens, it’s vital that the Information Commissioner’s Office (ICO) investigates. If the company is found responsible, the ICO will then issue a fine.

However, such fines are little compensation for victims who have suffered financial loss and/or stress due to an organisation’s negligence. So, while the ICO does not award data breach compensation, our data breach solicitors can help you with that.

At Hayes Connor Solicitors, we’ve been helping people to get the compensation they deserve for over 50 years, so we know what it takes to make a successful data breach claim.

Data breaches often have severe consequences for those affected, and you could be entitled to thousands of pounds in compensation depending on your circumstances. And, because we offer no-win, no-fee funding arrangements, you have nothing to lose.

How to make a subject access request following a data breach

Under the UK’s data protection legislation, you have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR).

You can also ask whether your data is being shared with anyone else (and if so, why and how), how long the company plans to store your data and the reasons for this decision, and where your data came from.

Do you have to pay to make a subject access request?

A copy of your personal data should be provided free, although if you ask for extra copies, or if you ask for information that is ‘manifestly unfounded or excessive’, the organisation might charge a reasonable fee for administrative costs.

When can you make a subject access request?

You can make a subject access request at any time. For example, you can make a SAR if you want to find out if information is being held about you and how it is being used. In addition, at Hayes Connor Solicitors, many of our clients make SARs to start the compensation claim process following a data breach.

How do you make a subject access request?

If you decide that you want to make a SAR, here are the steps you should take:

  1. Identify where to send your request. Under the GDPR this information should be available on an organisation’s website (check the privacy policy usually found in the footer)
  2. Decide what data you want access to. Do you want everything a company holds about you, or just a particular piece of information? It could take longer for an organisation to supply everything they have about you, so if you only need certain data and you want this quickly, it makes sense to be specific. For example, you could just ask for a copy of any emails between you and the company between particular dates
  3. Make your request directly to the organisation, stating clearly what you want. You can make a SAR in writing, in person or over the phone. At Hayes Connor Solicitors we always recommend that our clients put their requests in writing as this provides a clear evidence trail if we need this at a later date
  4. When making a SAR, you should also include your name and contact details as well as any account or reference numbers
  5. You should also specify what format you want the data in. Most companies will do this electronically, but if you need it in another format, you can ask if this is possible
  6. Keep a copy of your request as well as any proof of postage or delivery.

How long does an organisation have to respond to a subject access request?

Data protection law requires organisations to respond to a request for data within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this. The organisation must let you know within one month if it needs more time and why. If the requested information is not provided in the timeframe you can raise a complaint with the Information Commissioner’s Office.

Can an organisation refuse a subject access request?

While you can make more than one SAR, the organisation can refuse a request if they believe it to be ‘manifestly unfounded or excessive’.

Depending on the circumstances, they may also refuse a SAR if your data includes information about another individual. Again, if you think your request has been rejected unjustly, you can raise a complaint with the organisation in question, and if you remain dissatisfied, the Information Commissioner’s Office.

At Hayes Connor Solicitors we are committed to upholding the data protection rights of our clients. With over 50 years’ experience helping our clients secure the justice they deserve, our solicitors work tirelessly to ensure the best possible outcome for you. Both in terms of damages achieved and service delivered.

What should you do immediately after a data breach?

In today’s digital world, your personal data is a valuable commodity. However, all too often negligent business processes, human error and cybercrime mean this sensitive data isn’t as protected as it should be. With warnings that consumer trust is “becoming more fragile” following a spate of high-profile data breaches, if you have been the victim of a breach or cyber-attack it is important that you know how to react.

Steps to follow after a data breach

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. You should also:

  • Inform the Information Commissioner’s Office (ICO) about your concerns. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  • Read our handy step-by-step guide to making a data breach claim
  • If you are worried that your banking details have been exposed, contact your bank immediately
  • Beware of fraudsters who attempt to gather personal information (phishing)
  • Report any suspected phishing attempts to the police and relevant authorities
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips. Call Callcredit, Experian and Equifax to ensure credit isn’t taken out in your name
  • Beware of any unsolicited communications that refer you to a web page asking for personal data
  • Register with a suitable fraud prevention service
  • Change your passwords.
  • If you are offered any form of compensation or free services from the organisation that put your data at risk it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date
  • Contact Hayes Connor Solicitors. Our expert, online fraud and data protection solicitors will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. If you are not sure whether your information has been misused or mishandled, we can find this out for you. Our initial assessment is always free. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

Can you claim compensation if you didn’t lose any money?

In short, yes. Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job.

Organisations have a duty to protect your sensitive data. And letting other people access this is a complete failure of this responsibility. So, why shouldn’t you seek compensation for this inability to look after your information correctly if it has caused you distress?

If you want to find out more about claiming for a data breach you can contact us here

Claiming compensation for distress following a data breach. Know your rights.

At Hayes Connor Solicitors, we are committed to making sure that people who have had their personal data stolen or otherwise put at risk know their rights. This is the only way to make sure that companies are held to account for their failure to protect your information.

What the law says

The General Data Protection Regulation (GDPR) places strict obligations on businesses to keep our data safe. And if you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act (the UK’s interpretation of the GDPR), you have a right to claim compensation.

But did you know that you can also claim for GDPR distress as well as financial losses? In the UK, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

When making a compensation award, the court will look at the specific circumstances of your case. This includes things like the sensitivity of the data compromised and the nature of the disclosure. However, in order to be entitled to compensation for GDPR distress you must show that you have suffered emotionally because of the breach.

A personal data breach is a 21st-century version of being burgled. If a criminal came into your home and stole your private letters you would be distressed. So why should you feel any less upset at having your online data taken; particularly when these companies gave the burglar the keys?

The emotional impact of data breaches

Some people would have us believe that claiming for GDPR distress is an overreaction. That your physiological suffering and anguish doesn’t matter. You might hear friends and family saying that, while it is acceptable to claim compensation for any financial losses, you should put up with any anxiety caused by having your information stolen.

But according to Victim Support: “The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

The sheer scale of the information we share online is enough to leave victims open to the threat of fraud. For example, with enough information, cybercriminals can steal your identity, apply for credit in your name, set up fraudulent bank accounts and access your existing accounts. So we should all be very worried about what could happen if our data gets into the wrong hands.

What’s more, being the victim of a crime can have a substantial impact on you mentally and physically. For some people, the effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to “get over it” isn’t helpful.

Crucially, the law understands the damage that can be caused by worry and upset. So you are 100% within your rights to make a compensation claim.

Claiming for GDPR distress following a data breach

At Hayes Connor Solicitors, we are committed to helping those affected by data breaches and cybercrime. And, we believe that the best way to make big companies pay for their failures is to use an expert lawyer to make a data breach compensation claim.

In addition, we also work with, and refer our clients to, other organisations and partners such as Victim Support. The leading independent victims’ charity in England and Wales for people affected by crime and traumatic incidents, last year Victim Support offered help to nearly a million victims of crime across the UK.

If you need assistance after a data breach, there are many resources on the Victim Support website to help you cope.

Don’t let them get away with it!

Something has to be done to make companies accountable for not looking after our information correctly. Claiming compensation isn’t just in your best interests, it could be the only way to ensure that businesses everywhere implement more secure processes.

 

My personal information has been lost after a data breach, what are my rights?

With the number of data breaches and cyber-attacks on the rise, it is essential that you understand your rights. So what do you need to know?

What type of information do organisations hold about me?

Modern organisations hold a tremendous amount of information about us. This could include data such as:

  • your name
  • your address
  • your date of birth
  • your email address
  • your telephone numbers
  • your credit card details
  • your bank details
  • your password(s)
  • your medical records
  • your religion
  • your political allegiances
  • and more.

 Of course, it’s easy to figure out what could go wrong if our financial information gets into the wrong hands. But it’s more complicated than that.

The UK’s data protection laws safeguard your personally identifiable information (PII). PII includes any data that can be used to identify a specific individual, either on its own or in conjunction with other information an organisation has about us.

If PII gets into the wrong hands, it can be used to undertake identity fraud. For example, with enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

 What is a data breach?

 A personal data breach occurs when personal information, protected under the law, is destroyed, lost, altered, disclosed or accessed due to a security incident.

It doesn’t matter if this happens accidentally or deliberately. If the confidentiality, integrity or availability of your personal data has been put at risk, then a data breach has occurred.

 If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. The Data Protection Act is the UK’s interpretation of the General Data Protection Regulation (GDPR).

Some of the most common types of data protection breaches include:

  • Where your data has been inadvertently lost, hacked or leaked
  • Where your identity has been stolen to obtain credit cards fraudulently
  • Where your personal data has been sent to someone else without your express permission
  • Where your personal information has been misused or mishandled
  • Where an organisation failed to maintain up-to-date, accurate information about you and this caused you damage.

What is the difference between a data breach and a data hack?

The terms “breach” and “hack” are often used interchangeably. But there are some differences.

  • A data breach refers to any situation where data has been put at risk. A data breach can occur because of hackers and other cybercriminals, or by human error, negligence and poor security processes
  • A data hack is caused by people with malicious intent who break into a company’s systems to steal information.

Hackers do not cause the majority of data infringements, but in each of these instances, data can be exposed and put at risk. As such, identity theft often occurs after a data breach as well as a data hack.

How does an organisation have to respond to a data breach?

There are strict procedures that an organisation must follow if it experiences a data breach that could put your personal data (and therefore you) at risk. This includes informing the regulators that a data violation has occurred and letting you know without undue delay.

Should this happen, you should be told:

  • What has happened
  • The likely consequences
  • What they are doing to respond to the breach and minimise the risk to you
  • Who you can contact for more information.

What to do following a data breach

 If you have been told your data is at risk following a data breach, you should:

  • Contact your bank or card provider if your financial details have been compromised. If you’re not happy with the way your bank deals with your complaint, you can refer it to the Financial Ombudsman Service (FOS)
  • Beware of fraudsters who attempt to gather personal information (phishing)
  • Report any suspected phishing attempts to the police and relevant authorities
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips. Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name
  • Beware of any unsolicited communications that refer you to a web page asking for personal data
  • Register with a suitable fraud prevention service
  • Change your passwords.

If you find that you have become the victim of cybercriminals following a data breach, you should contact Action Fraud as soon as possible.

Make a compensation claim for damage and distress

To claim compensation, you must be able to prove that you suffered as a result of the breach. This includes financial and medical harm, as well as anguish and anxiety. In many cases, a violation will not cause damage but will cause distress.

While some people would have us believe that claiming for distress is an overreaction, the law doesn’t agree with them.

Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to just “get over it” isn’t helpful.

Organisations have a duty to protect your sensitive data. And letting other people access our bank accounts is a complete failure of this responsibility. So, why shouldn’t you seek compensation for this inability to look after your information correctly if it has caused you distress?

Until recently, a person who suffered damage might have had their compensation increased to take into account any associated distress, but in most cases, compensation would not have been awarded for distress alone. However, a recent ruling has paved the way for those affected by data breaches to claim damages for distress, even if they have not suffered any financial loss.

To start a compensation claim

  1. Inform the Information Commissioner’s Office (ICO) about your concerns. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  2. Read our handy step-by-step guide to making a data breach claim
  3. If you are offered any form of compensation or free services for not being able to access your funds it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date

Contact Hayes Connor Solicitors ASAP. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

british airways

BA admit to second cyber attack

Last week, we reported that a second cyber-attack had hit British Airways. The hack took place between April 21 and July 28 and was only uncovered as the airline was investigating another breach of its website which occurred in September.

August – September Data Breach

According to an update on the British Airways website, the company is investigating, as a matter of urgency, the theft of customer data from its website, ba.com, and its mobile app.

BA states that you may have been affected if you made a booking or paid to change your booking with a credit or debit card on ba.com or the mobile app between 22:58 BST August 21 2018 until 21:45 BST September 5 2018. It also recommends that you contact your bank or credit card provider and follow their advice.

You can find more details on the Aug-Sept BA data breach here.

 

April – July Data Breach

A further update on the BA website says: “Since our announcement on September 6, 2018 regarding the theft of our customers’ data, British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft. We are updating customers today with further information as we conclude our internal investigation.”

It continues: “The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified”.

You can find more details on the Apr-Jul BA data breach here.

 

What was stolen?

The stolen data included some payment card numbers, expiry dates, and card verification value (CVV) numbers. In addition, in both cases, the hackers also gained access to personally identifiable information (PII) including names, addresses, and email addresses.

PII includes any data that can be used to identify a specific individual, and, if it gets into the wrong hands, it can be used to undertake identity fraud. For example, with enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

It appears likely that both attacks were carried out by the same hackers, and could have gone on for months. There are also fears that customers’ details could be sold on the dark web to cybercriminals.

BA has said that it will contact everyone affected by both data breaches. If you have been told your data is at risk you should:

  • Contact your bank or card provider
  • Beware of fraudsters claiming to be British Airways who attempt to gather personal information (phishing). BA has said that it will NOT be contacting any customers asking for payment card details
  • Report any such requests to the police and relevant authorities
  • Look out for any bills or emails showing goods or services you haven’t ordered, or any unfamiliar transactions on your account and alert your bank or card provider immediately if there is any suspicious activity
  • Keep an eye on your credit score for any unexpected dips
  • Beware of any unsolicited communications that ask for your personal data or refer you to a web page asking for personal data
  • Register with a suitable fraud prevention service
  • Change your passwords on any accounts that use the same passwords as your BA account.

Compensation for the BA data breaches

British Airways has previously promised to compensate any customers who suffer “financial hardship” because of the breach.

However, it is not up to BA to dictate the terms of any compensation payments. What’s more, in the UK it doesn’t matter if you haven’t lost out financially as a result of the hack. A personal data breach is a 21st-century version of being burgled and being the victim of a crime can have a significant impact on you mentally and physically. So, if the data breach has caused you stress or anxiety, then the law agrees that you are entitled to compensation.

Join our BA data breach group action

Committed to helping victims of data breaches and cybercrime to achieve the justice they deserve, at Hayes Connor Solicitors we are now considering launching a group action to compensate victims of both BA data hacks.

Just because BA was a victim of cybercriminals, doesn’t mean it is any less liable if it failed to protect your all-important data sufficiently. Big companies must be held to account.

At Hayes Connor Solicitors, we are experts in data breach cases, and, once you have registered with us, it’s not uncommon that we uncover information that allows us to increase the value of your claim significantly. What might seem irrelevant to you, could make a huge difference in the eyes of the law. That’s why it’s important not to be fobbed off by a low initial offer from BA. Instead, by making a no-win, no-fee claim with us, we can increase the amount of compensation you receive substantially.

To join our group action, you will need to register with us. We’ll let you know what is happening in this case and if and when you can make a data breach compensation claim.

Data breaches often have severe consequences for those affected so you could be entitled to thousands of pounds in compensation.


BA hit by second cyber attack leaving thousands of customers at risk

A second cyber-attack has hit British Airways. The hack was discovered while the airline was investigating another breach of its website which occurred in September.

It appears that the earlier attack took place between April 21 and July 28. Over 185,000 people could have had their payment card details stolen.

Two separate groups of customers have been affected by the latest BA data breach:

  • 77,000 people have had their names, addresses, email addresses and detailed payment information taken. This includes card numbers, expiry dates, and card verification value (CVV) numbers
  • 108,000 people have had their personal details stolen, but not their payment card CVV numbers.

The hack went undetected for months, meaning BA customers have been exposed to fraud all this time. It appears likely that both attacks were carried out by the same hackers and there are fears that customers’ details will be sold on the dark web to cybercriminals.

A breach of the BA website in September affected 380,000 transactions. As in this latest case, along with the financial info stolen, the hackers also gained access to personally identifiable information (PII).

PII includes any data that can be used to identify a specific individual, and, if it gets into the wrong hands, it can be used to undertake identity fraud. For example, with enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts.

BA has said that it will contact everyone affected by the latest data breach.

What is happening now?

The September BA data breach is currently being investigated by the Information Commissioner’s Office and the National Crime Agency. It is possible that the airline could face huge fines as the violation occurred after the introduction of the General Data Protection Regulation, which imposes strict data protection rules on organisations. This latest breach will also be of interest to the regulators.

What should you do to protect yourself?

Signs that criminals have used your data or financial information following either of the BA data breaches include:

  • Bills or emails showing goods or services you haven’t ordered
  • Unfamiliar transactions from your account
  • An unexpected dip in your credit score
  • Unsolicited communications that ask for your personal data or refer you to a web page asking for personal data.

If you believe you have been affected by either BA data breach, please contact your bank or credit card provider immediately.

Compensation for the BA data breaches

Alex Cruz, the chairman and chief executive of British Airways, has previously promised to compensate any customers who suffer “financial hardship” because of the breach.

However, it is not up to BA to dictate the terms of any compensation payments.

What’s more, in the UK it doesn’t matter if you haven’t lost out financially as a result of the hack. A personal data breach is a 21st-century version of being burgled and being the victim of a crime can have a significant impact on you mentally and physically. So, if the data breach has caused you stress or anxiety, then the law agrees that you are entitled to compensation.

Join our BA data breach group action

Committed to helping victims of data breaches and cybercrime to achieve the justice they deserve, at Hayes Connor Solicitors we are now considering launching a group action to compensate victims of both BA data hacks.

Just because BA was a victim of cybercriminals, doesn’t mean it is any less liable if it failed to protect your all-important data sufficiently. Big companies must be held to account.

At Hayes Connor Solicitors, we are experts in data breach cases, and, once you have registered with us, it’s not uncommon that we uncover information that allows us to increase the value of your claim significantly. What might seem irrelevant to you, could make a huge difference in the eyes of the law. That’s why it’s important not to be fobbed off by a low initial offer from BA. Instead, by making a no-win, no-fee claim with us, we can increase the amount of compensation you receive substantially.

To join our group action, you will need to register with us. We’ll let you know what is happening in this case and if and when you can make a data breach compensation claim.

Data breaches often have severe consequences for those affected so you could be entitled to up to £5,000 in compensation.
