Posts


Don’t leave it too late to join the British Airways data breach

This week, the ICO said that it is considering fining British Airways a staggering £183 million for its part in one of the most severe cyber-attacks in UK history. This is because, while cybercriminals hacked the airline, the British Airways data breach was only possible due to inadequate security arrangements.

As a result of the data hack, almost 400,000 British Airways customers had their personal details and bank cards stolen. Enough details were exposed to make the threat of cybercrime a real possibility. Many banks had to cancel and re-issue cards as a result of the breach.

Don’t leave it too late to join our No Win, No Fee, BA data breach compensation case

At Hayes Connor Solicitors, we are taking a group action against British Airways to help victims of this data breach to claim compensation. We can help you claim compensation for financial losses, as well as for inconvenience and distress.

Make sure you don’t miss out on the compensation you deserve!

Since the data breach, we have been contacted by hundreds of people who were put at risk by BA. And, if you have been in touch about joining this case, it’s vital that you now complete and return the information we have sent to you (links included in our initial documentation).

If you have misplaced this information, or if you require copies, please do not hesitate to email us at enquiries@hayesconnor.co.uk

What if you haven’t previously contacted Hayes Connor Solicitors about the BA data breach?

The action that we are taking against BA is still open to you to join. But, as we have already started our group action case, it is vital that you register with us ASAP.

What is a group action case?

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions or multi-party actions.

With a group action claim, this group of people (the Claimants) collectively bring their cases to court against a Defendant, in this case British Airways. These victims then fight together to achieve compensation in the High Court of Justice.

Where cases are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim.

What does the ICO fine mean for this case?

Investigating why the British Airways data breach was able to happen, the ICO found that inadequate security arrangements at BA allowed information to be compromised. This means that BA will be held responsible for its failure to protect customer data. But, while the ICO has the power to impose data breach fines, it does not give this money to victims of the data breach.

However, we can use the evidence uncovered by the ICO to make a very strong case. So, if your data was put at risk by BA, you should now make a data breach compensation claim.

To join our British Airways data breach group action compensation claim, register with us today.


Less than 40% of businesses and charities have made improvements to their cybersecurity since GDPR

In April, the government published its annual Cyber Security Breaches survey. This looks at how UK organisations approach cybersecurity. It also looks at the impact of a data protection breach. This report found that security has become a priority issue for organisations. But worryingly, only 30% of businesses and 37% of charities have made improvements to their cybersecurity since GDPR. So, to meet the requirements of the Data Protection Act, more must be done.

Of those who have made improvements to stop cyberattacks and data breaches:

  • 60% of businesses and charities have created new policies
  • 15% of businesses and 17% of charities have had extra staff training or communications
  • 6% of businesses and 10% of charities have improved their contingency plans.

Training is essential to prevent data breaches and cyber attacks

We found a lack of staff training to be especially worrying because, according to the Information Commissioner’s Office (ICO), accidental disclosure or human error is a leading cause of personal data breaches.

In fact, basic employee training could have a huge impact on an organisation’s cyber awareness and overall security. And, every day our data breach solicitors work on Data Protection Act cases where human error has allowed cybercrime to happen.

So, if an organisation’s security is only as strong as its weakest link, in many cases this Achilles’ heel is its own workforce.

What type of data breach training do employees need?

In many cases, data breaches can be avoided by staff abiding by the data protection principles of their businesses. But it is up to employers to make sure that all staff receive regular data protection training. This should be on things like:

  • Why robust processes are needed
  • The potential consequences of breaching data protection laws. These consequences can include damage to a business and even criminal charges for employees if they deliberately access data without a legitimate reason
  • Training to ensure that everyone is aware of the online safety rules and expectations
  • Awareness programs on how to recognise common threats such as phishing scams, malware etc.
  • Staff training on reporting measures, so people know how to respond to any threats.

What are the most common cybersecurity threats?

According to the report, the most common attacks are:

  • Phishing emails. With 80% of businesses and 81% of charities experiencing breaches or attacks
  • Others impersonating an organisation online (28% and 20%)
  • Viruses or other malware, including ransomware (27% and 18%).

Organisations must do more to protect their data or face the consequences

The Data Protection Act (the UK’s interpretation of the GDPR) exists to protect the privacy of individuals. However, many organisations have struggled to keep up with changes in the rules. And this could leave everyone vulnerable.

In response, our data protection solicitors help our clients to make compensation claims. We do this after their data was put at risk by the organisations they trusted to look after it.

You have a right to claim compensation if you or a member of your family has suffered damage or distress caused by a breach of the Data Protection Act.

For more advice on how to keep your data safe, follow Hayes Connor Solicitors on Facebook and Twitter.

Alternatively, if you have been the victim of a data breach, find out how we can help you. Or contact us to discuss your case in more depth.

 


Don’t leave personal data unattended

Human error is the leading cause of data breaches. In response, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help businesses communicate the importance of information security to staff. At Hayes Connor Solicitors, we’re sharing some of the tips included in this toolkit. In doing this we aim to raise awareness of the importance of this issue. And help organisations across the UK improve their data protection processes. This is crucial to keeping the personal data they use safe.

Tip: All information you work with has value. Think before leaving it unattended

 

The risk of leaving personal data unattended

Confidential information can be compromised even when it is kept in offices. For example, printouts in output trays can be viewed, mishandled, or stolen. Unattended computers also pose a significant threat because, if someone else sits at your desk, they could access data that they are not authorised to see.

For example, in a recent case, we saw the impact of what can happen when a woman’s sister-in-law (an NHS worker) accessed the NHS system and shared personal details about our client with the rest of her family.

The importance of a Clear Desk & Screen policy

Employers must understand the importance of data protection. Strict policies and procedures also help to process information safely. This includes establishing a ‘Clear Desk and Screen’ policy. This policy should cover things like:

  • Locking paper records containing confidential, personal or sensitive data at the end of each day. Or a workstation if it will be unattended for more than a short time
  • Making sure that you shut down your computer at the end of the working day
  • Locking laptops and other portable devices in a secure location at the end of each day
  • Locking your screen when you leave your computer unattended
  • Automatic screensavers after 10 minutes of inactivity
  • Shredding hardcopy documents containing personal data
  • Not disposing of paper records containing personal data in general waste or recycling bins
  • Not writing down passwords or other restricted account information
  • Locking away removable media when not in use. Or prohibiting the use of removable media
  • Removing documents containing personal data immediately from printers
  • Keeping the keys to locked filing cabinets or drawers in a secure location
  • Not leaving confidential information on desks, in shared conference facilities or meeting rooms
  • Removing all personal information from flipcharts and wiping down whiteboards
  • Securing office areas when not in use
  • Adhering to mobile device guidance when out of the office
  • Deleting any data from the recycle bin of any communal computers that you use

Other quick tips to keep personal data safe

  • When staff abide by the data protection principles of their businesses, data breaches can be avoided. But it is up to employers to make sure that all staff receive regular data protection training. This is vital to make sure they understand the potential consequences of breaching data protection laws
  • Organisations must do more to protect personal information. For example, by designing systems that only allow the relevant people to have access
  • Every staff member accessing personal records should provide a reason for doing so.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses. Or give us a call to discuss your case in more depth.


TalkTalk data hack customer details found online

In 2015, a TalkTalk data breach saw the personal information of 157,000 customers stolen. And, in a new twist, BBC Watchdog Live revealed that the company failed to inform 4,545 TalkTalk customers that their data was taken as part of the breach. This includes bank account details.

Making matters worse, BBC researchers found details for many customers online after a simple Google search. This information included full names, addresses, email addresses, dates of birth, TalkTalk customer numbers, mobile numbers and bank details. This information could have been accessible online since the breach.

According to the BBC, viewers contacted Watchdog Live as they were concerned that their details had been breached by TalkTalk. However, the telecom group said that their details were not compromised.

The ICO has already fined TalkTalk

In 2015, TalkTalk spotted issues with its website and immediately launched an investigation before warning customers. However, the Information Commissioner’s Office (ICO) found that insufficient security at the company permitted customer data to be accessed “with ease”. The ICO also said that TalkTalk could have prevented the data breach if it had taken basic steps to protect its customers’ information.

According to the ICO: “For no good reason, TalkTalk appears to have overlooked the need to ensure it had robust measures in place despite having the financial and staffing resources available”.

In response, the ICO fined TalkTalk £400,000. Two friends from Staffordshire (aged just 21 and 23) breached the TalkTalk website as part of a group of hackers. They have since gone to jail.

Is this a new TalkTalk data breach?

The customer data found by BBC Watchdog Live appears to relate to the 2015 data breach. So it is not a new incident.

TalkTalk claims that the historical privacy violation was a genuine error. It also said that it had written to all impacted customers to apologise. And that it wrote to its entire base to inform them about the breach, and advised them about the risk of scam calls. TalkTalk also offered free credit monitoring to protect against fraud.

But, it now looks like 4,545 customers may have received the wrong notification regarding this incident.

Are these customers at risk?

TalkTalk claims that “on their own, none of the details accessed in the 2015 incident could lead to any direct financial loss.”

But our data protection experts would strongly disagree. Savvy cybercriminals can easily piece together a profile by collecting different information from different sources.

Security experts have also confirmed that, with this information, criminals could:

  • Sign up for services
  • Set up direct debits
  • Purchase goods on their victim’s behalf.

Fraudsters could also use this data to carry out a phishing attempt. For example, by pretending to be the victim’s bank to gain more information about them.

The data breached by TalkTalk was extremely sensitive. And the lack of care shown by the company continues to be worrying.

Data breaches can be extremely traumatic

A data breach can cause severe stress and anxiety for victims.

Alan’s TalkTalk case

For example, BBC Watchdog Live highlights the case of one man called Alan.* Alan has had his phone, email and bank account bombarded with a series of fraudulent attacks since the TalkTalk hack. Even if these attacks are unsuccessful, this is an extremely distressing situation to be in. So it’s no wonder that Alan feels that TalkTalk has failed its customers “on a gigantic scale”.

According to the BBC, “Whilst Alan will never know if the attacks were a direct result of the TalkTalk data breach, he feels the details leaked are enough to allow fraudsters to impersonate him.”

Maureen’s TalkTalk case

Watchdog also spoke to Maureen.* Maureen was shocked to discover that her details were breached in 2015. Not least because TalkTalk told her that her details had not been stolen. In fact, despite raising concerns with TalkTalk on multiple occasions, she was repeatedly reassured that her information had not been compromised.

Watchdog Live’s investigation found Maureen’s sensitive data through a simple online search.

What happens now?

If the data has come from TalkTalk, then it is vital that the company looks to put right the harm this continued failure has caused its customers. Simply contending that the breach is old news is not good enough.

Watchdog has spoken to many people affected by the TalkTalk data breach, many of whom have been subject to “frequent scam calls”. And in some cases “attempted fraud and identity theft, impacting their credit rating”.

Hayes Connor Solicitors can help

Our expert, online fraud and data protection solicitors will advise you on whether you have a valid data breach compensation claim against TalkTalk. We will also answer any questions you might have.

Our initial assessment is always free. Keeping you fully informed, we will also notify you about your legal rights when making a claim.

*Not their real names


Data breach after production company unlawfully filmed expectant mums without their permission

A TV production company has been fined £120,000 after filming expectant mums without their permission. This shocking data breach took place at Clinic 23 at Addenbrooke’s Hospital Cambridge. The walk-in clinic cares for patients who have concerns about their pregnancy.

What happened in this data breach case?

True Visions Productions (TVP) was making a Channel 4 documentary on stillbirths. It set up cameras and microphones in examination rooms at the hospital. Filming took place between July and November 2017 until expectant mothers expressed concerns.

TVP had the hospital trust’s permission to be on site. But the company did not explicitly warn all visitors about the filming. Nor did they get acceptable permission from those affected by the filming. As a result, TVP unfairly and unlawfully filmed patients and was fined £120,000 by the Information Commissioner’s Office (ICO).

Clinic 23 data breach ruling

The ICO ruling said:

“TVP had posted limited notices advising of the filming near to the cameras and in the waiting room area and had left letters on waiting room tables. However, the detailed investigation found that these letters did not provide adequate explanations to patients, with one notice incorrectly stating that mums and visitors would not be filmed without permission.”

“The law says that personal data must be processed fairly and transparently. A patient attending the clinic would not have reasonably expected there to be cameras in examination rooms and would expect to be made aware of any filming.”

Recording stopped in November 2017. Filming then resumed using different methods until spring 2018. The programme was broadcast the following October. However, the unlawfully obtained footage was deleted and was not aired.

Anxiety and stress

Commenting on the data breach, a spokesperson for the ICO said: “Patients would not have expected to have been filmed in this situation, and many will have been very distressed when they learned such a private and potentially traumatic moment had been recorded. The recorded footage would have included the sensitive personal data of patients who could already be suffering anxiety and stress.”

A spokesperson for Cambridge University Hospitals NHS Trust said: “While protocols were in place to protect privacy, we acknowledge the ICO decision and we are sorry for any distress caused.”

TVP has hit out over the decision, stating that it was “disappointed in the outcome”. It has said that the ICO’s approach was wrong. It is also “considering the decision and the potential for an appeal.”

Did TVP get off lightly?

Many would argue yes. While TVP was hit by a £120,000 fine, the maximum fine possible was £500,000. What’s more, due to the timing of this investigation, the penalty falls under the previous Data Protection Act. If it had been scrutinised under current law, the fine could have been much higher. In fact, the ICO now has the power to impose penalties of up to £17 million.

Also, despite clearly upsetting expectant mothers at a hugely vulnerable time, it doesn’t appear that TVP has taken responsibility for its actions.

In most cases, data breaches happen because of a failure to implement reasonable and robust processes. So claiming compensation isn’t just in your best interests. It is often the only way organisations will take their responsibilities seriously. And make the necessary improvements.

Compensation for those affected by the data breach

The ICO is an independent authority. It upholds information rights in the public interest. It also promotes openness by public bodies and data privacy for individuals. But, while the ICO has the power to impose fines on organisations, it does not award compensation to victims.

However, if you have suffered any emotional distress caused by unlawful filming at the clinic, you might have a data breach compensation claim.

Many data breach victims have developed stress, anxiety and distress. In response, at Hayes Connor Solicitors we help our clients to get their lives back on track.

Register to ensure you are fully informed about this case. We will notify you about the investigation. We will also update you on your legal rights when making a claim.


A simple mobile phone repair leads to a data breach compensation claim

In this day and age, it’s frightening to think about what could happen if your phone was to fall into the wrong hands. But it’s not just thieves and cybercriminals you have to worry about. In a recent case, our solicitors saw the impact of what can happen when a phone company failed to protect a customer’s personal information. And, we helped this client to get £1,000 in data breach compensation.

What happened in this data breach compensation case?

Our client’s mobile phone was stolen so she ordered a new one from her mobile phone company. But, when it arrived, it would not recognise face recognition, passwords or PIN. She was advised to send the faulty device back for a repair.

She did this, but was then told by the company that they could not access the phone as she had password protected it. So, they sent it back to her to remove all passwords.

Understandably, by this time our client was frustrated. But the situation was made worse when her phone never arrived. And, two months after the initial replacement was ordered, there were still discussions going on between the courier and the mobile phone company about whether the telephone had been delivered to her address.

Eventually, the phone company said that they had found the phone, and sent it back to her. But, when it arrived she discovered that it was someone else’s phone with all their personal details on it.

At the same time, our client’s phone was sent to that person. And somehow, the phone was no longer password protected. So everything in her phone, including her personal details, was accessible to a complete stranger. To make matters worse, our client’s network provider chased her for services she hadn’t been able to use. And they indicated that they would send debt collectors around to her property to collect what was owed. Furthermore, while she was told that her credit rating would not be affected, she subsequently found out that this might not be the case.

Emotional distress results in data breach compensation

All in all, what should have been a simple repair has caused our client a significant amount of distress. And, as a direct result of this data breach, our client has suffered psychological effects, including stress and anxiety. In response, our client was simply told that this was a “mistake and hardly ever happens”.

Committed to making sure she was reimbursed for her distress, we took this case on and managed to secure our client £1,000 data breach compensation.

Commenting on her experience with Hayes Connor Solicitors, she said:

“I found Hayes Connor on the internet. James was very helpful from the start, and put me at ease straight away! It wasn’t straightforward, but James was patient, courteous and very helpful. I needed to make sure they [the phone company] were taught a lesson that they can’t get away with data breach! I would use Hayes Connor again and would recommend them to anybody”.

Not just hackers

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are sharing such real-life examples of data breaches to raise awareness of this issue and educate people to prevent similar mistakes from happening.

For more advice on how to keep your data safe, follow our #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to get data breach compensation by completing our enquiry form or give us a call to discuss your case in more depth.


Do you know your acceptable use policy?

Human error is the leading cause of data breaches. In response, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help employees understand the importance of information security.

By sharing some of the tips included in this, we hope to raise awareness of the importance of this issue. And help organisations across the UK improve their data protection processes.

Tip: Is this acceptable use? Make sure you’ve read your internal policy

 

What is an acceptable use policy?

Recently, there have been changes to the rules covering the use of technology. So, it’s more important than ever that employees understand their data protection responsibilities.

An acceptable use policy (AUP) helps to make sure that everyone knows what is and isn’t acceptable when it comes to using digital technology. As such, an AUP should cover things like:

  • Use of email and web for personal purposes
  • The types of sites that are forbidden
  • Use of video/audio streaming
  • Restrictions on downloading files
  • Policies for sending bulk emails. For example, making sure staff use the bcc function, so email addresses are not disclosed
  • Guidance on logging off or locking devices when not in use
  • Guidance on physically storing mobile devices to minimise loss by theft.

The AUP should also set out the process and potential consequences for any infringements.

Quick tips

  • Employers must understand the importance of data protection
  • Employers should make sure that an AUP is in place to ensure the safe processing of information. Both in and out of the office
  • In many cases, data breaches can be avoided by staff abiding by the AUP. But it is up to employers to make sure that all staff receive regular data protection training. This will make sure they understand the potential consequences of breaching data protection laws
  • An AUP should be updated regularly to make sure it complies with advancements in data protection legislation
  • Robust reporting measures and processes should be established to respond to any breaches of the AUP.

Not just hackers

Cybercriminals are not the only cause of data breaches. For more advice on how to keep your data safe, follow our #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses. Or give us a call to discuss your case in more depth.

 


Ways to claim data breach compensation

Did you know that there are different ways to seek data breach compensation? Our data breach solicitors look at the possible options you can use to make a compensation claim to make sure you are fully informed following a data breach.

1. Report a data breach claim to the Information Commissioner’s Office

Each EU member state has a supervisory authority that oversees GDPR (General Data Protection Regulation) compliance. In the UK, this is the Information Commissioner’s Office (ICO).

If you’re unhappy with the way an organisation has handled your personal data, you can file a complaint with the ICO here. You can complain to the ICO about a wide range of information rights. This includes:

  • Nuisance calls and messages. For example, if you have received unwanted marketing via email, telephone, or text
  • Official or public information. If you have had a problem accessing or re-using official or public information that you’ve asked for from a public body
  • Your personal information concerns. If you have had a problem accessing your personal information from an organisation. Or if you’re concerned about how an organisation has handled your information, if the information is wrong, they have lost it, or disclosed it to someone else
  • Internet search results. If you have asked an internet search provider to remove links to information about you and they have refused
  • Cookies. If you’re concerned about the use of cookies on a website
  • EU-U.S. Privacy Shield. If you have a concern about the way your data has been handled when it was transferred to the United States using the Privacy Shield.

The limits of the Information Commissioner’s Office

The ICO does have the power to impose hefty fines on organisations in breach of their data protection duties. However, it does not have the authority to award compensation to individuals. But you can use the results of the investigation to support a legal claim. As such, making a report to the ICO is always a good first step in any data breach compensation claim.

And, if you do decide to make a legal claim, you don’t have to do this yourself. Our expert solicitors can help you to seek data breach compensation following an investigation by the ICO.

Find out more about the ICO here.

2. Make a data breach compensation claim via data breach solicitors

If you do decide to wait for the outcome of an ICO investigation, it could take some time. The ICO investigates hundreds of complaints each year (even more since GDPR!), and each one takes time. So, if getting a speedy resolution is important to you, you might prefer to go straight to making a legal claim. If you do this, the proceedings can be started quickly and are often settled out of court.

At Hayes Connor, our data breach solicitors can help you to make a data breach compensation claim after your personal information was put at risk by an organisation you trusted to look after it.

If you have already contacted the ICO about a potential breach, we can still investigate your claim. Our data breach solicitors will work with the ICO to gather as much evidence as possible to help you succeed.

Helping to protect you

Victims of data breaches often find that their bank and credit cards have been used fraudulently. And, in many cases, their email addresses and other personal information find their way onto the dark web. Here it can be accessed by cybercriminals who want to cause further damage. This can also lead to emotional upset and distress.

Luckily, the GDPR and the Data Protection Act give people a way to claim data breach compensation if this happens to them.

If you have suffered from a personal data breach, let our data breach solicitors know.


Stop cybercriminals stealing your money!

Financial fraud is on the rise. But there are some simple steps you can take to protect your money and info from hackers, fraudsters and scammers.

According to Take Five To Stop Fraud – an organisation that offers straightforward and impartial advice to help everyone in the UK protect themselves against financial fraud – one of the most important things you can do is stop and think. Because, according to the cyber-security experts, you probably already know these basic rules on how to stay safe from financial fraud. You just need to take a breath and stay calm enough to remember them.

What else does Take Five recommend?

  1. Understand that a genuine bank or other financial organisation will never contact you out of the blue to ask for your PIN or full password
  2. Know that a legitimate bank or other business would never ask you to move money to another account for fraud reasons
  3. Never automatically click on a link in an unexpected email or text. This could result in you giving a fraudster access to your personal or financial details
  4. Always question uninvited approaches in case it’s a scam. Instead, contact the company directly using a known email or phone number
  5. Don’t assume an email or phone call is authentic. Just because someone knows your details (such as your name and address or even your mother’s maiden name), it doesn’t mean they are genuine
  6. Be careful who you trust. Criminals may try and trick you by telling you that you’ve been a victim of fraud. Criminals often use this to draw you into the conversation, to scare you into acting and to reveal your security details
  7. Know that criminals can make any telephone number appear on your phone handset. So even if you recognise a number, or it seems authentic, it might not be genuine
  8. Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot
  9. Listen to your instincts. If something feels wrong, then it is right to question it
  10. Have the confidence to refuse requests for personal or financial information. Stop the discussion if you do not feel in control of it
  11. Never hesitate to contact your bank or financial service provider on a number you trust. For example, the one listed on their website or the back of your payment card.

Get more advice from Take Five here. You can also take a quick test to find out if you are too smart to be scammed.

Types of financial fraud

A cyber-attack can take many forms including:

  • Financial data hacks. Hacking can lead to your personal and sensitive data getting into the wrong hands. In the worst cases, this can lead to you falling victim to financial fraud and identity theft. The impact of data hacking can be devastating, and we have seen instances where financial losses only started to occur three to six months later. This is often because stolen data is used in batches over time.
  • Financial phishing attacks. Phishing scammers use emails, texts, websites, phone calls and social media to access your data, your computer, or your financial accounts. Their ultimate goal is to steal your money and/or personal information. Unfortunately, in most cases, where someone has become a victim of a phishing scam, their bank is not responsible for their losses. So, people can be left not knowing where to turn for compensation.
  • Bank and credit card takeover fraud. Takeover fraud happens when a criminal uses another person’s account information (e.g. a credit card number) to buy products and services. Takeover fraud is also used by scammers to extract funds from a person’s bank account.
  • Push payment scams. Push payment fraud (also called APP fraud) happens when cybercriminals deceive individuals into sending them money. Because the victim believes the fraudster to be genuine, they authorise the handover of cash.

Not Just Hackers

Despite fears about cybercriminals, it is human error rather than cybercrime that is the biggest cause of financial data breaches. Typical examples of such errors include where a bank or other financial organisation:

  • Sends sensitive data to the wrong recipient (via email, post or fax)
  • Loses paperwork
  • Forgets to redact data
  • Stores data in an insecure location
  • Loses devices such as laptops, phones and tablets
  • Doesn’t train its staff properly on data protection or where staff deliberately ignore data
  • Leaves sensitive information online without any password restrictions.

Find out more about our #NotJustHackers campaign.

Are banks doing enough to protect customers from data breaches?

In many cases, financial data breaches happen because of a failure to implement reasonable and robust processes, often because of the cost needed to do this.

But, by not putting adequate processes and training in place, banks and other financial organisations are leaving customers open to an increased risk of cyber scams and avoidable mistakes that lead to data breaches.

Protect yourself following a financial fraud, data breach or scam

If you are worried about the security of your money and personal information, you should:

  • Contact your bank/credit card provider immediately
  • Consider a credit freeze until the matter is resolved
  • Report the scam to the police and contact Action Fraud for advice on what to do next
  • Keep an eye on your bank and credit card statements to see if there is anything you don’t recognise
  • Let the credit reference agencies know of any activity that was not down to you
  • Register with the Cifas protective registration service. This will slow down credit applications made in your name with additional verification checks made to ascertain that the applicant is actually you.

For more advice on how to keep your data safe, follow us on Twitter and Facebook. Alternatively, if you have been the victim of a financial data breach or cyber fraud, contact us to find out how we can help you to claim compensation for any loss of money and/or emotional distress.


Head teacher fined for data protection breach after obtaining personal information about schoolchildren

A former headteacher has been fined. This comes after he took personal information about schoolchildren from his old school to his new one. The breach took place at two primary schools where he had worked previously. The violation revealed “large volumes of sensitive personal data” from his previous schools on his new school’s system.

What happened in this data protection breach?

A former headteacher downloaded personal information about his former pupils onto a USB stick. Next, he uploaded this data to servers at his new school. The information included:

  • Names
  • Unique pupil numbers
  • Pupil attainment and progress spreadsheets
  • Performance management data for staff.

The teacher (who was now a deputy head) was suspended from his role. This situation only came to light after an IT audit discovered the data protection breach.

What did the ICO decide?

The Information Commissioner’s Office (ICO) said that the teacher had no lawful reason to process the data. This means that he breached data protection legislation. Initially, the teacher had “no valid explanation” for how the data appeared on his school’s server. But he later admitted that he took the data for professional purposes.

Appearing before Ealing Magistrates’ Court, the teacher admitted two offences of unlawfully obtaining personal data. He was fined £700, ordered to pay costs of £364.08 and a victim surcharge of £35.

What did the ICO say about this breach of personal data?

Commenting on this data protection breach, Mike Shaw, manager of the ICO’s criminal investigation group, said:

“Children and their parents or guardians have the right to expect that their personal data is treated with respect and that their legal right to privacy is adhered to.

“A head teacher holds a position of standing in the community and with that position comes the added responsibility to carry out their role beyond reproach.

“The ICO will continue to take action against those who we find have abused their position of trust.”

Lessons learned following this personal data breach

This case should remind employees across all sectors of the risks of data violations. If someone accesses or shares personal data without a valid reason, they could face criminal prosecution and fines.

Organisations also need to do more to protect personal data. This includes ensuring comprehensive data protection training is in place. And making sure employees understand the consequences of breaking the law.

Furthermore, organisations must ensure adequate and robust protections so that information is only accessed by those people who need it. There must also be a record of such access.

Helping to reduce the impact of educational personal data violations

The Data Protection Act exists to protect the privacy of individuals. In an educational context, this means students, their families, and staff.

However, many schools have struggled to keep up with changes in the rules covering the use of technology. And this could leave everyone vulnerable.

If an individual’s data is violated by an organisation they trusted to look after it, at Hayes Connor Solicitors, we help them to make a compensation claim.

If you or a member of your family has suffered damage or distress caused by a school, college or university breaching any part of the Data Protection Act, you have a right to claim compensation.

Not Just Hackers

There has been a worrying rise in reported data breaches across the UK education and childcare sector. Competing priorities and limited budgets make meeting data protection requirements challenging and this makes schools, universities and colleges an attractive target for hackers.

But, despite the threat posed by cybercriminals, human error remains the leading cause of data privacy violations.

At Hayes Connor, we want to reduce the number of data violations taking place across the UK. As such, we are sharing real-life examples of data protection breaches like this one. In doing this, we hope to raise awareness of this issue. We also want to educate people to prevent similar instances from happening.

For more advice on how to keep your data safe, follow the Hayes Connor #NotJustHackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach, find out how we can help you to recover any losses. Or contact us to discuss your case in more depth.