June & July Data Breach Roundup
Data breaches in a wide range of sectors hit the headlines in June and July, with some of the most prominent businesses in the UK finding themselves in hot water.
Our data breach roundup for June covers several of the most notable cases that took place over the course of the months, including the cases our team are currently working on, as well as any other incidents that have taken place across the UK.
If your data has been exposed in a breach, our specialist solicitors will be on hand to advise you on the general process for making a compensation claim. Please get in touch with a member of our team to discuss the details of your case today.
Our recent work supporting victims of data breaches
Employee information exposed in MOVEit/Zellis data breach
A Russian cyber gang claimed responsibility for a substantial data breach which targeted the MOVEit file transfer system used by thousands of firms around the world.
Zellis, a UK-based payroll provider, use MOVEit as a third-party supplier for a number of high-profile clients. A number of this clients have been affected by the attack and, while Zellis did not name any of these companies, the likes of British Airways (BA), Boots and the BBC have all revealed that employee data has been exposed.
A statement from Zellis confirmed the issue, reading: “A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software's MOVEit Transfer product.
"We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.”
Christine Sabino, Legal Director at Hayes Connor, has also commented on the breach, saying: “The consequences of data breaches and the theft of sensitive information are far-reaching.
“Personal information, even in small fragments like names, dates of birth, or addresses, can lead to identity theft, resulting in financial losses, reputational damage, and emotional distress for the victims.
“In light of this alarming incident, it is crucial for businesses to implement stringent data security measures and maintain transparency with their customers, partners, and employees. By doing so, organisations can mitigate risks, safeguard sensitive data, and demonstrate their commitment to protecting individuals' privacy.”
To read more about this story, click here.
Capita data breach puts millions at risk
Months after an initial cyber-attack took place against Capita, details have come to light that reveal the data of millions of individuals has been put at risk.
The attack has led to multiple organisations reporting breaches of personal information which was held by the outsourcing company. At the end of May, 90 organisations had filed data breach reports with the Information Commissioner’s Office (ICO).
A statement from the ICO read: “We are receiving a large number of reports from organisations directly affected by these incidents and we are currently making inquiries.
“We are encouraging organisations that use Capita’s services to check their own position regarding these incidents and determine if the personal data they hold has been affected. If necessary, consider reporting a data breach to the ICO and we will use this information to inform our next steps.”
Employees from various well-known companies such as Marks and Spencer, WH Smith and British Coal are said to be among those who have been affected by the breach. Employees of Capita itself have also been affected by the breach.
To read more about this story, click here.
The biggest data breaches uncovered in June and July 2023
Over 7,000 people affected by Colchester City Council data breach
Colchester City Council have contacted more than 7,000 people to inform them that they have been affected by a data breach following an issue with outsourcing contractor Capita.
Names and addresses had been found on Capita’s unsecured data storage area. Eight other local authorities were involved in the issue, including Rochford District Council.
Colchester City Council have stated: "Capita has since acted to secure the data and have confirmed that there is no current evidence of persons accessing the data for malicious purposes."
The Council also noted that it was "disappointed that Capita has failed to maintain the high-security standards it expects of its suppliers".
To read more about this story, click here.
Breached credentials belonging to UK universities found on dark web
Over 2.2 million breached credentials belonging to the UK’s top 100 universities have been uncovered on the dark web.
The details, uncovered by cybersecurity platform Trillion, include emails, usernames and passwords. The specific websites that the credentials were found on have not been disclosed, so as not to alert the site of the presence of researchers.
A spokesperson for Crossword Security, who created the Trillion risk monitoring platform, said of the issue: “We recognise that these environments are amongst the most uniquely challenging to protect with overlapping requirements for secrecy and openness – so many attack paths need to be factored.”
To read more about this story, click here.
Dorchester school unable to recover data following cyber attack
Thomas Hardye School in Dorchester has been unable to recover personal data, including students’ BTEC and A-level assignments, after a ransomware attack was carried out against its screens and systems.
The attack also disabled the school’s email and payment systems and was accompanied by a ransom demand to be payable on the dark web. The school has refused this ransom. The school is also said to be currently working with exam board to support and A-level and BTEC students affected by the attack.
The head teacher Nick Rutherford contacted parents and carers of students at the school to inform them of the details and next steps, saying: "We hold a large volume of data on staff, students and parents and are aware of the seriousness of any such data breach. We are following guidance from the Information Commissioner's Office and we will continue to keep you updated."
To read more about this story, click here.
University of Manchester computer systems compromised
After detecting unauthorised activity on its network, the University of Manchester has confirmed that it has been hit by a cyber security incident.
The university is said to have launched an investigation into the matter after discovering that their systems were accessed by an unknown third party. The data on those systems is believed to have been copied.
Various authorities have been informed about the potential data breach, and further updates are likely to surface in the near future.
To find out more about this story, click here.
London Mayor’s Office data breach puts sexual abuse survivor at risk
The Mayor’s Office for Policing and Crime have confirmed that around 400 people have been affected by a data breach that made personal information publicly accessible.
The data breach relates to complaints about policing in the capital being made available on an official website. A spokesperson for the Mayor’s Office for Policing and Crime has confirmed the data was accessible for a four-month period.
The spokesperson said: "A manual error made it technically possible for visitors to temporarily access the content submitted on the two online forms between November 2022 and February 2023.
"There is no evidence that any of this information was accessed by anyone with malicious intent or that it has been misused."
Among those affected included a survivor of sexual assault, who confirmed to Sky News that she has been left uncertain as to what information was exposed in the breach and what may happen next.
To find out more about this story, click here
NHS Lanarkshire staff share patient information through WhatsApp
An investigation from the ICO has found that staff at NHS Lanarkshire have shared personal information belonging to patients via an unauthorised WhatsApp group.
Personal information included names, phone numbers and addresses. 26 staff members were said to have shared this type of information on over 500 occasions between April 2020 and April 2022. Images and videos, including clinical information, were also said to have been shared.
Information Commissioner John Edwards said of the matter: "There's no suggestion that the data was misused, that anybody acted unprofessionally with it - but it did expose the data to risk.
"I think the clear message for other boards is to really consider a risk assessment when deploying new technologies and new communications platforms."
To find out more about this story, click here.
Developer profiles leaked following Roblox data breach
Gaming platform Roblox experienced a major data breach in July, resulting in the exposure of the personal information of individuals who attended the Roblox Developer Conference between 2017 and 2020.
Approximately 4,000 names, phone numbers, email addresses, dates of birth and physical addresses were leaked in the data breach.
The breach was exposed by haveibeenpwned, who have noted that the original breach date was 18 December 2020, with the information then being available on 18 July 2023.
A Roblox spokesperson said via email: "Roblox is aware of a third-party security issue where there were indications of unauthorized access to limited personal information of a subset of our creator community.
"We engaged independent experts to support the investigation led by our information security team. Those who are impacted will receive an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third-party vendors."
To find out more about this story, click here.
The latest data breach news and announcements
ICO recommends Privacy Enhancing Technologies (PETs)
The Information Commissioner’s Office (ICO) is recommending that organisations start to use Privacy Enhancing Technologies (PETs) to share people’s personal information safely and anonymously.
If used correctly, PETs could share personal anonymised personal information to detect and prevent financial crimes and related harms, such as fraud, money laundering, and cybercrimes.
The ICO has launched guidance on PETs and their implementation, which is aimed at data protection officers and any other individual who uses large personal data sets in finances, healthcare, research, and central and local government.
To find out more about this story, click here.
ICO backs data sharing schemes to protect gamblers
The ICO has backed proposals for the financial sector to share data with gambling companies to protect customers from unaffordable losses.
Gambling companies will only be able to use personal information they receive for the sole purpose of financial risk checks, with customers needing to be told that checks on their financial health may need to be undertaken if they incur substantial losses.
To find out more about this story, click here.
Data protection and journalism code of practice submitted to Secretary of State
The ICO have published a recommended code of practice about using personal information for journalism to the Secretary of State for Science, Innovation and Technology.
The code is designed to provide practical guidance on how to comply with data protection laws and best practice when personal information is used for journalistic purposes.
To find out more about this story, click here.
Speak to our legal experts about a data breach
Data breaches can have a significant impact on any innocent victims, even if they do not necessarily experience any direct financial losses. Finding out that your data has fallen into the wrong hands can be a very stressful experience.
Organisations are legally obligated to keep your data secure. If they fail to uphold this obligation, the potential consequences can be extremely serious. Affected parties may be able to make a claim for compensation.
At Hayes Connor, our specialist data breach solicitors have a wealth of experience and expertise in handling data breach claims. As such, we will be able to provide straightforward support and advice on how to proceed if your data has been compromised.
We will take the time to clearly establish the details of your case, the impact it has had on your life, and the sort of compensation you could receive.
For further information on our data breach expertise and how we handle such claims, see here.
To start a data breach claim, you can use our online claim form.