
Morrisons loses data breach appeal

Supermarket Morrisons has lost its appeal following a breach at the company which resulted in thousands of its employees’ details being posted online. The case is the first data leak group action in the UK.

In December 2017, in a landmark ruling, the High Court found Morrisons supermarket group liable for a mass data breach caused by the criminal actions of a rogue employee. However, Morrisons went on to challenge this decision.

The employee stole data from nearly 100,000 staff. This included names, addresses, salary and bank details. The information was then posted online and sent to newspapers. The media did not publish the data and Morrisons was informed of the breach. The employee was subsequently jailed for eight years.

The Court of Appeal upheld the original decision against the supermarket with three judges saying they agreed with the High Court’s earlier decision.

 

Where Next

Over the last 18 months, we have seen numerous examples of significant personal data loss. Many of these breaches were able to occur because of weaknesses in companies’ IT software.

As the trend towards a cashless society accelerates, this will only continue as retailers and other businesses seek quicker and slicker interfaces with their consumers, both at the point of sale and throughout their customer journey.

In the case of Morrisons, significant steps were taken to protect data, but those steps failed. In this instance, the data was lost at the hands of an employee turned hacker. However, data is also at risk simply due to careless employees going about their day-to-day business.

The latest ruling is the tip of a very large iceberg. Mass data breach actions are also being made against Ticketmaster and British Airways among others. Such actions, when properly prepared and investigated, will have significant financial consequences in terms of damages and costs.

Data breaches on a large scale are a real and pressing threat. In response, the clear and overwhelming view of the Court of Appeal is that such events must be foreseen by companies, and insured against.

The reaction of the insurers to such events, their provision of cyber cover and premium costs are now under the spotlight. Indeed, we predict a situation where the volume of exclusions to policies will increase.

Companies must now protect themselves better from data loss. But they also need to be extremely vigilant as to the activities and errors of their employees to be afforded the cover they pay for, or think they pay for.

 

If you have been affected by this or any other data breach, you can get in touch with our experts today.


Data protection complaints increase by almost 50% in three months

According to the Information Commissioner’s Office (ICO), the number of reported data protection complaints has almost doubled since April this year. The increase in data breach complaints has happened since the introduction of the GDPR on May 25th.

The stats show that:

  • 4,214 data protection complaints were made in July
  • 3,098 data protection complaints were made in June
  • 2,310 data protection complaints were made in May
  • 2,165 complaints were made in April.

In total, there were 957 reported data security incidents in Q4 2018. Common causes for these data violations include:

  • Data sent to the wrong recipient
  • Loss or theft of paperwork
  • Failure to redact data
  • Failure to use bcc when sending an email.

Worryingly, reported cybersecurity incidents also increased by 31% over the same period. Overall, general business, education and local government were the sectors with the most reported data breaches (the figures exclude the health sector).

Commenting on the changes since the introduction of the GDPR, a spokeswoman for the ICO said: “It’s early days and we will collate, analyse and publish official statistics in due course. But generally, as anticipated, we have seen a rise in personal data breach reports from organisations.

“Complaints relating to data protection issues are also up and, as more people become aware of their individual rights, we are expecting the number of complaints to the ICO to increase too.”

A rise in data breach awareness

The stats indicate that more and more people are becoming aware of their data protection rights. This makes sense as there have been many high-profile data protection scandals over the last few months.

For example, at Hayes Connor Solicitors we are involved in the following cases:

 

  • Emma’s Diary. Emma’s Diary sold its users’ information to Experian’s marketing division. This data was then used to create a database which the Labour Party manipulated to profile new mums in the run-up to the 2017 General Election. Find out more about the Emma’s Diary data breach
  • Dixons Carphone. The Dixons Carphone or Carphone Warehouse data breach took place in 2017. It resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores. The details stolen by cyber criminals include names, addresses, phone numbers, dates of birth, and email addresses. All of which can be used by cybercriminals to commit further crimes. Find out more about the Carphone Warehouse data breach
  • Ticketmaster has admitted that thousands of UK customers have been put at risk due to third-party software on their website. This has since been removed but not before the software accessed a number of customers’ personal and financial details. Find out more about the Ticketmaster data breach
  • Last year, Equifax warned that up to 400,000 UK consumers might have had their personal details stolen. The data included names, addresses, dates of birth, and credit card numbers. Find out more about the Equifax data breach.

 

If you have been affected by any of these data protection cases, or if you want to make a data breach compensation claim against another organisation, let us know.

At Hayes Connor Solicitors, we’ve been helping people to get the justice they deserve for over 50 years, so we know what it takes to make a successful data breach compensation claim.

Crucially, the law recognises the potential damage that is caused by psychological suffering. So, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.


Join a group action Carphone Warehouse data breach claim

Dixons Carphone is facing legal action from potentially millions of people after it was revealed that hackers have accessed the information of close to 10 million customers. The hackers also got access to the records of 5.9 million payment cards (nearly all of which were protected by chip and PIN).

While the company claims that no customers have been the victim of fraud as a result of the hack, you can still claim for any distress you have suffered as a result of the Dixons Carphone data breach.

The National Crime Agency has been investigating the Dixons Carphone data breach. It is working with the National Cyber Security Centre, the Financial Conduct Authority and the Information Commissioner’s Office (the UK’s data protection regulator).

As expert data breach solicitors, here at Hayes Connor, we are carefully watching developments unfold in this case, and are preparing to launch a group action Carphone Warehouse data breach claim once the relevant investigations are complete.

What happened in the Carphone Warehouse data breach?

The Dixons Carphone data breach took place in 2017 and resulted in customer records being accessed from Currys PC World and Dixons Travel stores. Both payment card details and non-financial records were compromised.

Dixons Carphone’s investigation has not uncovered any evidence of additional fraud, but it has revealed that significantly more data was taken than first thought.

Crucially, the details stolen by cyber criminals include names, addresses, phone numbers, dates of birth, and email addresses. All of which can be used by cybercriminals to commit further crimes.

Dixons Carphone has been criticised for downplaying the severity of the hack, because today criminals don’t need payment card or bank account details to cause havoc. Indeed, the sheer scale of damage and distress that can be created by criminals gaining access to personally identifiable information (PII) should not be underestimated. So, while there is no evidence of financial losses suffered by customers of Currys PC World and Dixons, this doesn’t mean that the impact on victims is any less significant.

To make matters worse, this is not the first time that the company has failed to protect its customers. Earlier this year, the Carphone Warehouse, which merged with Dixons, was fined £400,000 following another cyber-attack. The huge fine is one of the biggest ever handed out by the Information Commissioner’s Office. So, with a history of failures, the relevant authorities will now be looking very carefully at this latest data breach.

What are we doing about a Carphone Warehouse data breach claim?

At Hayes Connor Solicitors, we have received a large number of queries from people concerned that their information is now at the mercy of cybercriminals. In response, we are now considering launching a group action against Dixons Carphone.

As such, we have appointed Barrister Ian Whitehurst to help in this case. Having developed a practice in the field of data breach claims for individuals and companies who have had their personal and sensitive data breached by third parties, we are confident that our team will get the results our clients deserve.

Why launch a group action Carphone Warehouse data breach claim?

A group action is undoubtedly the best way forward for data breach claims of this nature. It allows people with the same type of claim to bring it together on a collective basis to strengthen their overall position and increase their chances of settlement or success in litigation.

What’s more, with a group action claimants often share the legal fees. Even better, while the cost of pursuing small claims can be a barrier to justice, by grouping cases together, solicitors are often able to run group actions on a no win-no fee basis.

Find out more about group actions.

What should you do if you have been affected by the Dixons Carphone data breach?

If you are worried that Dixons Carphone has exposed your data, there are a few simple steps you can follow.

  1. Determine what was stolen. To protect yourself as much as possible you need to know what kind of information was accessed in the data breach. Dixons Carphone should be able to advise you on this
  2. Change your passwords. If an online account (such as an email address) has been compromised, change the password right away. You should also change all other accounts that use the same password, and – if your email could be compromised – any accounts that could be accessed via your email. To keep you safe in the future, create a secure, unique password for each account (you might want to consider using a password manager to do this for you)
  3. Deploy additional security measures. If an app or website offers two-factor authentication to protect an account, use it
  4. Contact your bank. If any financial information has been stolen, contact your bank immediately and explain that your account is at risk of fraud. As well as issuing a new card, the bank should be able to advise you if it detects suspicious activity on your account
  5. Be vigilant. Beware of scammers using your stolen data against you. For example, don’t click on any links in emails claiming to be from your bank and always use the numbers they provide on their website if they ask to talk to you
  6. Sign up for a credit and/or identity-monitoring service. This will help you to monitor your financial accounts and sensitive personal information. Many organisations will offer such services free following a data breach but it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date
  7. Keep a record. Make a list of all the accounts that could have been accessed and note down why you are concerned about them
  8. Inform the Information Commissioner’s Office (ICO) about your concerns. At present the ICO is undertaking an investigation into the Dixons Carphone Data Breach. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  9. Contact Hayes Connor Solicitors ASAP. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

To find out more, read our handy step-by-step guide to making a data breach claim

How can you join the Carphone Warehouse data breach claim group action?

If you have had an email from Dixons Carphone, you could be entitled to several thousand pounds in compensation, so it’s important to act now. And, because we offer no-win, no-fee funding arrangements, you have nothing to lose.

Find out more about no-win, no-fee.

To join a group action compensation claim, you will need to register with us. We’ll let you know what is happening in this case and if and when you can make a data breach compensation claim.


Ten million customers could claim compensation for distress in Dixons Carphone data breach

Following the Dixons data breach discovered in June this year, Dixons Carphone has begun contacting customers to warn them that their information has been accessed by hackers. And, while the company initially estimated that 5.9 million people could be at risk, that figure is now closer to 10 million. But with Dixons Carphone claiming that no customers have been the victim of fraud as a result of the hack, can you claim compensation for distress?

What has happened?

The breach, which took place in 2017, saw data leaked from servers containing customer records from Currys PC World and Dixons Travel stores. Both payment card details and non-financial records were compromised.

While Dixons Carphone’s investigation has not uncovered any evidence of additional fraud, it has revealed that significantly more data was taken than first thought.

In an email to customers affected by the data breach, Dixons Carphone admitted that the scale of the non-payment leak reached around 10 million customers. Details stolen during the attack include names, addresses, phone numbers, dates of birth, and email addresses – all of which can be used by cybercriminals to commit further crimes.

Alex Baldock, chief executive of Dixons Carphone, has apologised for the breach and admitted that the company had ‘fallen short’ of its duty to protect customers. And, a spokesperson for Dixons Carphone said that: “While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result.”

However, by downplaying the severity of the hack, it is clear that Dixons Carphone does not understand the importance of keeping its customers’ personal data safe, and the sheer scale of damage and distress that can be caused by criminals gaining access to personally identifiable information (PII).

In fact, while there is no evidence of financial losses suffered by customers of Currys PC World and Dixons, this doesn’t mean that the impact on victims is any less significant.

Distress matters in data breach cases

Being the victim of a crime can have a considerable effect on you, both mentally and physically. Everyone reacts differently, but for some people, the consequences can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So, just because your financial details were not exposed or used doesn’t mean the breach should be treated any less seriously.

According to Victim Support: “The effects of crime can also last for a long time, and it doesn’t depend on how ‘serious’ the crime was. Some people cope really well with the most horrific crimes while others can be very distressed by a more minor incident”.

Compensation for distress in data breach cases

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation.

Crucially, the law recognises the potential damage that is caused by psychological suffering. So, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss.

A personal data breach is a 21st-century version of being burgled. So why shouldn’t you seek compensation for this failure to look after your information correctly?

What next in the Dixons Carphone data breach case?

The National Crime Agency has been investigating the Dixons Carphone data breach. It is working with the National Cyber Security Centre, the Financial Conduct Authority and the Information Commissioner’s Office (the UK’s data protection regulator).

Dixons Carphone has said that it is “continuing to keep the relevant authorities updated.”

This is not the first time that the company has failed to protect its customers. Earlier this year, the Carphone Warehouse, which merged with Dixons, was fined £400,000 following another cyber-attack.

The huge fine is one of the biggest ever handed out by the Information Commissioner’s Office. In that breach, the personal data of over three million customers and 1,000 employees was put at risk.

With a history of failures, the regulator will now be looking very carefully at this latest revelation.

Can you claim compensation for distress in the Dixons Carphone data breach?

Absolutely. Data breaches can have severe consequences for those affected, so customers of Dixons Carphone should now be looking to claim compensation.

In this case, because of when the breach took place, any financial penalties paid by Dixons Carphone for failing to protect customer data adequately will be calculated under old data protection legislation. This means that the company will escape the threat of much more substantial fines now possible under the General Data Protection Regulation (GDPR).

But with a history of data negligence at the company, and a clear downplaying of the importance of this latest breach, something must be done to hold them to account.

If you have had an email from Dixons Carphone, you could be entitled to several thousand pounds in compensation, so it’s important to act now.

IF YOU THINK YOU MAY HAVE A CLAIM THEN COMPLETE OUR CONTACT FORM.


Ticketmaster data breach: putting GDPR to the test

Following the Ticketmaster data breach – where cybercriminals got away with customers’ personal and financial information – the latest data protection regulations are now being put to the test.

Unless you have been living under a rock, you will have heard about GDPR. In fact, you’re probably fed up hearing about it. But GDPR is likely to have a significant impact on the way companies handle your valuable data, with enormous fines for those that don’t look after it properly.

And, according to data protection lawyers, the Ticketmaster data breach could be a real test to see if the legislation will hold companies to account.

What happened in the Ticketmaster data breach?

Ticketmaster was affected by a substantial data protection breach after cybercriminals hacked the company’s website. Different customers had different data stolen including:

  • Financial information stolen and used. There are reports that customers of Ticketmaster have been the victims of theft, with their cards used on money transfer service Xendpay, Uber gift cards and Netflix (among others). Anyone who has had their financial details stolen and used fraudulently could now be looking at compensation in the region of £5,000
  • Financial information stolen. Many of those affected by the Ticketmaster data breach will have had their financial details stolen but not used (at least not yet). Crucially, you can make a compensation claim if you have struggled emotionally following a data breach, even if you have not experienced any financial loss. If you had your financial details stolen during the Ticketmaster data hack, you could be looking at compensation in the region of £3,000
  • Email address stolen. If your email account has been hacked the consequences could be devastating. Again, it doesn’t matter if there is no evidence of your data being used. If the distress of having your data in the hands of cybercriminals has caused you suffering, you can make a claim. Anyone who has had their email address stolen could be looking at compensation in the region of £1,500
  • Other personal information stolen. Along with the financial info and email addresses stolen, the Ticketmaster hackers also gained access to personally identifiable information (PII). PII includes any data that can be used to identify a specific individual, and, if it gets into the wrong hands, it can be used to undertake identity fraud. Anyone who has had their personal data stolen could be looking at compensation in the region of £500 – £1,000.

 

Find out more about the different types of data breaches in this case.

Ticketmaster data breach and GDPR

The Ticketmaster data breach affects up to 40,000 people who bought tickets between September 2017 and 23 June 2018. With the GDPR coming into force on May 25th 2018, this means that the breach spans two different data protection acts:

  • The Data Protection Act (DPA) 1998
  • The Data Protection Act (DPA) 2018 (the UK’s version of the GDPR).

These acts have drastically different levels of fines: the first up to a maximum of £500,000, and the second up to £17 million (or 4% of an organisation’s annual turnover, whichever is higher).

It is not yet clear which legislation is relevant, but the breach could be judged under both. Alternatively, the entire data protection failure could be treated as a breach under GDPR as it kept happening after the new laws came into force. If GDPR is used, the Ticketmaster data breach case will be considered a test case that is likely to set the tone for action to be taken by the ICO in future breaches.

What does this mean for you?

In truth, while data protection lawyers are eagerly waiting to see what legislation applies, for people who have had their data breached it doesn’t make much difference. This is mainly because, while the ICO can impose a fine on a company, this isn’t given to victims of the data breach.

The only way for you to hold Ticketmaster to account is to make a data breach compensation claim.

At Hayes Connor Solicitors, we have already been contacted by lots of Ticketmaster customers who are worried that their data was not looked after as carefully as it should have been.

In response, we are supporting no-win, no-fee compensation claims for everyone who has had their data accessed in the Ticketmaster data breach. Depending on the numbers involved we may even start a group action against Ticketmaster.

Find out more about making a claim against Ticketmaster.

To start your compensation claim, you will need to register with us. We’ll let you know what is happening in this case and if and when you can make a data breach compensation claim.

 


What is a group action claim?

In 2015 – in the first group litigation of its kind in the UK – 5,518 people brought a claim against Morrisons under the Data Protection Act 1988, for misuse of private information and breach of confidence. But what is a group action claim and can you join one?

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also sometimes called class actions, collective redress actions, or multi-party actions. With a group action, this group of people (the Claimants) collectively bring their cases to court against a Defendant. These victims then fight together to achieve compensation in the High Court of Justice.

The benefits of group action claims

Group action claims are becoming far more common in the UK. Here are just some of the reasons why:

  • Strength in numbers. Starting a claim can be frightening, and it’s not unusual for people who have perfectly valid complaints to be put off due to the risks of going up against a large and well-resourced Defendant. Where cases are very similar, group actions can be a powerful tool and can redress the balance.
  • Save on legal costs. By joining together, individuals can share the risks and costs of claiming compensation. Legal advice is also shared, so not everyone in the action needs to pay for their own solicitor.
  • Help victims with smaller claims. Group actions provide a way for people with more modest cases (that may not justify legal fees) to claim the compensation they deserve. Often, solicitors will agree to take such cases on a no-win no-fee basis.
  • You might not have to go to court. Usually, a Lead Test Case is started, and common issues are tried. The result of this case is then used as a precedent for other cases in the action; so every single claim doesn’t have to be taken to court.

 

Who can make a data protection group action claim?

In data breach cases, the Information Commissioner’s Office (ICO) investigates any reported breaches and has the power to impose hefty fines. If the ICO believes that an organisation broke the law, this information can be used in court to support a group action claim.

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, and the ICO finds that the organisation did indeed break the law, you have a right to claim compensation. However, in many cases, where a breach occurs, you won’t be the only person making a claim. In such circumstances, it is often worth joining a group action claim.

However, before you can join a group action, the court decides whether claims can be grouped together. Where approved, a group litigation order (GLO) is created which grants permission for group action proceedings to begin.

In many cases, people start to think about joining a group action before the court has issued a GLO, or even before an organisation has been found guilty and fined by the ICO. For example, at Hayes Connor Solicitors, having witnessed an influx of queries from clients who have received letters from Equifax informing them that their data may be at risk following the latest hack, we are currently building a secure database of victims who want to seek compensation for damages or distress suffered. If Equifax is fined, we will let people know when their claim for compensation can be made and help them get the compensation they deserve.

 

Does everyone in a group action claim get the same amount of compensation?

No. Just because your case is part of a group action doesn’t mean that you will receive the same amount of compensation as everyone else.

All claims within a group action are settled based on their merits, and, as with any case, the value of your claim depends on the extent of your suffering. So if your claim is successful, you will receive what you are owed.

CONTACT US TO FIND OUT MORE ABOUT MAKING A GROUP ACTION CLAIM


What are your rights if you are ‘named and shamed’?

A restaurant in Cardiff recently hit the news after its owner took to Twitter when a customer missed her reservation. The screenshot of the booking, posted on Twitter, revealed the customer’s name, telephone number and email address. Not only did the post disclose her personal details, but it also triggered a torrent of abuse from other users of the social media site.

When that prospective diner made her reservation, she likely didn’t bank on her personal information being shared all over the Internet. And, while diners who don’t show up are undoubtedly a genuine problem for restaurants, the owner’s decision to ‘name and shame’ the customer wasn’t just poor etiquette, it was a serious violation of her privacy.

We live in a world in which we’ve grown accustomed to sharing our personal information with relative ease – be it on social media sites, through online shopping, or even making a reservation at a restaurant. Unfortunately, this means we are sometimes at risk of that information being shared or used in ways that are inappropriate, or even illegal. So what happens when you become the victim of a data breach?

The use of personal data is currently governed by the Data Protection Act 1980. This Act is designed to protect the storage of personal data, and its rules apply to any organisation, public or private, that has access to third-party data. While data seems like a very technical term, it actually covers all manner of personal information – from things such as name, address, or ethnicity, to more sensitive material such as religious beliefs, expressions of opinion, and sexual orientation.

The Data Protection Bill is currently making its way through Parliament in order to better protect people who share their data. It is intended to update British law, paralleling the EU’s incoming General Data Protection Regulation. This modernisation is a response to the ever-increasing amount of data that is processed, and according to Government, it will strengthen regulations, with tougher sanctions for breaches.

Those sanctions are implemented by the Information Commissioner’s Office (the ICO). The ICO is an independent body that investigates breaches – any individual can report a concern to the ICO, and it will be looked into. The ICO has a range of tools open to it – it can serve enforcement notices, conduct audits, and most notably, it has the power to impose fines of up to £500,000.

Further, when a breach is so serious as to constitute a criminal offence, the ICO can take the matter to court. Recent examples of those prosecuted include a nurse who inappropriately accessed patient files, and a counsellor who sent details of vulnerable clients to his personal email address – data breaches can occur in many different ways, and the consequences can be severe.

However, the ICO does not have the power to award compensation to those who have been directly affected by a data breach. In a case like that of the restaurant reservation, where the violation was not only intentional but also arguably malicious, a victim may want to take further action. If the ICO has found an organisation guilty of a data breach, lawyers can work with the evidence that it provides to take private legal action. It isn’t strictly necessary to go to the ICO first, but its findings can strengthen any claim made.

When you supply your information to an organisation, you trust that that information will be used and stored appropriately. This isn’t just a social nicety – it can constitute a legal relationship. The organisation has a duty to you. If that duty is breached, and that breach causes you to suffer a loss, you may be entitled to compensation.

This suffering can be both financial and emotional. In 2015, a group of people brought a successful claim against Google after learning that the company had used their personal information to create targeted advertisements. This was deemed to be misuse of private information. The claimants suffered no financial loss – their claim was based purely on the fact that knowledge of third party access to private information caused them to feel distress and anxiety.

While the customer whose information was shared on Twitter might not necessarily have incurred a financial loss, she was subject to abusive comments from other people online. If this caused her distress, or anxiety, she could be entitled to damages to cover that loss.

In this case, the abuse may well be considered as an aggravating element of the data breach, but online abuse can constitute a separate criminal offence. “Trolling” – the abuse of individuals online – can be prosecuted under the Malicious Communications Act 2003. The threshold for prosecution is high, but with cybercrime on the increase, more measures are being taken to protect victims of online abuse. Another recent cybercrime phenomenon is “doxxing” – the publication of personal information that encourages harassment or criticism of the individual to whom it relates. Perpetrators can be charged under the Serious Crime Act 2007 – naming and shaming can in effect be a criminal offence.

Violations of your right to privacy are extremely serious, and the consequences can be so too. If you think you’ve been the victim of a data breach, you can contact the ICO, or get in touch with a lawyer. It’s easy to become desensitised to the importance of protecting your information, but if something as simple as making a dinner reservation can lead to a stream of online abuse, it shows that when it comes to data protection, it’s important to know your rights.

 

If you’ve been a victim of a data breach you can contact us to find out more about making a claim.

TSB: What are your rights following the recent data breach?

Following a bungled IT upgrade over the weekend, many TSB mobile and internet banking customers are still unable to access their accounts. And, according to reports, up to 1.9 million could be affected. To make matters worse, some customers have reported that they have been given access to random bank accounts worth thousands of pounds in what could be a terrible breach of personal data.

With many customers now calling for compensation from TSB, it is important that you know your rights.

Getting compensation from the bank

In 2012, The Royal Bank of Scotland was fined £56 million by regulators after a software upgrade left more than 6.5 million customers locked out of their accounts. The bank also paid over £70 million to UK customers. So people who haven’t been able to access their money over the last few days could be in line for compensation.

However, in the TSB case, the breach of personal information could also lead to a raft of data breach compensation claims against the bank.

Currently, both the Financial Conduct Authority and the Information Commissioner’s Office (ICO) are investigating the IT breakdown. But while they have the power to fine TSB for the failed system upgrade and any data breaches, they do not provide compensation to customers.

So, what can you do if your bank details were put at risk?

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. If you are worried that your banking details have been exposed by TSB, there are a few simple steps you can follow.

  1. Inform the Information Commissioner’s Office (ICO) about your concerns. While it does not award compensation, if the ICO believes that the organisation in question broke the law, you can use this information in court to help prove your claim
  2. Read our handy step-by-step guide to making a data breach claim
  3. If you are offered any form of compensation or free services for not being able to access your funds it’s important to check the small print. Be careful that in accepting any offer you are not giving away your rights to pursue a separate data breach compensation claim at a later date
  4. Contact Hayes Connor Solicitors ASAP. We’ll ensure that you are fully informed on this matter and will notify you about the investigation and your legal rights when making a claim.

Can you claim compensation if you didn’t lose any money?

In short, yes. In fact, while some people would have us believe that claiming for distress is an overreaction, the law doesn’t agree with them.

Many people suffer anguish, anxiety and stress after a data breach and this can have a significant impact on you mentally and physically. Effects can include a lack of sleep, feeling ill, unsettled or confused. Stress can also affect your friends, your family and your job. So being told to just “get over it” isn’t helpful.

Organisations have a duty to protect your sensitive data. And letting other people access our bank accounts is a complete failure of this responsibility. So, why shouldn’t you seek compensation for this inability to look after your information correctly if it has caused you distress?

Start a compensation claim against TSB

If you want to make a compensation claim against TSB, contact Hayes Connor ASAP. Our expert online fraud and data protection solicitors will advise you on whether you have a valid claim and will be pleased to answer any questions you might have. If you are not sure whether your information has been misused or mishandled, we can find this out for you. Our initial assessment is always free.

If you want to find out more about claiming for a data breach, you can contact us here.

Tesco Bank data breach. Are you affected?

Tesco Bank is at the centre of a recent data breach investigation after thousands of customers’ sensitive information was carelessly leaked. The bank has found itself in the spotlight after Travelex – which runs Tesco Bank’s foreign currency exchange service – admitted that a breach had occurred putting 17,000 users at risk.

The leaked data includes full names, dates of birth, phone numbers, delivery/billing addresses, email addresses, IP addresses and partial payment card numbers. Travelex stresses that card information was disguised using industry standards, so ‘no financial information was put at risk’.

It is thought that the cause of this breach is down to human error rather than a cyber-attack, although an investigation is ongoing.

Do you need to worry?

The Travelex breach involves travel money customers who used Tesco Bank’s foreign exchange currency service online between 14 December 2016 and January 2017.

If you have been affected, you can expect to receive a letter from Travelex soon. The company has also set up a special hotline on 0800 9758376 (Mon-Fri 9am-5pm), or you can email customer.enquiries@travelex.com.

What should you do now?

While Travelex is adamant that financial information is safe, and that there is no indication that any of the data has yet been used by a third party, your name, date of birth and contact details can be used by cyber-criminals with the aim of committing identity theft and fraud. So the breach is a significant one, particularly if the information finds its way onto the darknet.

As such it is vital that those at risk:

  • Report their concerns to the ICO to ensure a full investigation takes place
  • Review guidance issued by the ICO
  • Review all bank accounts and credit card statements for unusual transactions
  • Be cautious of any unsolicited communications that ask for any personal information or refer you to a website asking for the same
  • If you have been the victim of online fraud or identity theft, you should also contact Action Fraud. You can do this online or via telephone. Action Fraud is the national fraud reporting service and is the starting point for any police investigation into your loss.

While Travelex is offering 12 months’ complimentary fraud protection to those affected, we advise anyone signing up to be careful that in doing so, they are not inadvertently signing away their rights to pursue a compensation claim against the company. If you are in any doubt, please contact us and we can advise on the terms and conditions of this offer.

Can you claim compensation?

If you have suffered damage or distress caused by an organisation breaching any part of the Data Protection Act, you have a right to claim compensation. In this case, we would expect payment of between £1,500 and £2,500 due to the details disclosed. However, this could increase further if you suffer any financial losses because of the breach.

If it is found that the leak was down to human error, there is a case for negligence. What’s more, we are especially concerned that there may have been a delay in disclosing the breach. If this is true, this could lead to aggravated damages being awarded (additional damages caused by the delay).

At Hayes Connor Solicitors we can seek compensation on your behalf. Likewise, if you suspect your data has been mishandled or lost, we can check whether this is the case, and if so, start the claims process.

Because of the number of people involved, we may also be able to mount a group action claim. With this approach, you and the other Claimants collectively bring your cases to court against a Defendant. Where circumstances are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim. As specialists in data law, we are watching this case very carefully and may put together a group action and seek compensation when the investigations are complete.

What now?

If you have been affected by this breach, contact us to start the legal proceedings. Likewise, if you want to be kept up to date on this case, get in touch. We’ll let you know if and when you can claim.

CONTACT US.

Healthcare accounts for nearly half of all data breaches

Last year was a challenging year for the healthcare sector, which is still feeling the after-shocks of the WannaCry global ransomware outbreak. And in 2018, we can expect to see an increase in attacks on the medical industry, particularly as healthcare organisations remain hesitant to dedicate budget to cybersecurity.

According to research, the UK health sector accounts for nearly half of all data breaches, with the collective healthcare breach numbers almost four times more than those of the second highest sector (local government). The last few years have certainly seen healthcare prove lucrative for hackers and have led to a rise in medical data breaches, with one in 13 patients having their records stolen after a healthcare provider data breach.

Healthcare is going online, and this information revolution has seen most organisations move away from paper record keeping. But the healthcare sector handles some of our most sensitive personal data, and, as patients, we have the right to expect this will be looked after. However, as our health and social care system becomes digital, it appears that there are not yet adequate and robust protections in place to secure the data and information held within it. Following the WannaCry outbreak, the vulnerability of the healthcare sector and the importance of improving its cybersecurity came into sharp focus.

Between January 2014 and December 2016, healthcare organisations suffered 2,447 incidents and accounted for 43% of all reported data breach incidents. However, when it comes to the reasons for these breaches, human error is the main culprit. So, in addition to worrying about external threats and ensuring the right technology and processes are in place, more must be done to make sure that staff have the knowledge and ability to handle data securely.

Who is responsible for human error?

A company can be held liable for human error where it fails to ensure the proper security measures are in place. And, in a recent case, Morrisons was found “vicariously liable” for a disgruntled employee’s actions when he deliberately published sensitive data of almost 100,000 staff online. What this means is that an employer can be liable for the actions of its employees, as long as it can be shown that they took place in the course of their employment. So, when it comes to defending compensation claims, human error or misbehaviour is no excuse.

Today, information shared in error is the single highest contributor to data breaches year-on-year, and when this data contains sensitive medical information, the potential damage and distress becomes all too apparent. For example, in recent cases investigated by the ICO, sensitive diagnosis information was sent to a neighbour and confidential details about a woman and her family were sent to her estranged ex-partner.

At Hayes Connor, we can help you make claims against a wide range of healthcare organisations already fined by the ICO. Of course, you may not know that your medical data has been breached until you read about it or see it in the news. But if you are in any doubt it’s worth finding out whether your data was put at risk, because, if so, you may have a claim for compensation. We can also keep you updated on upcoming and current healthcare data breach claim investigations.

 

With strict time limits in place for making most compensation claims, if you want to achieve maximum recompense in the minimum amount of time, it’s essential to act now.