March and April Data Breach Roundup
March and April saw a wide range of data breaches in a variety of sectors, all of which had significant consequences for the responsible businesses, as well as the unfortunate victims.
This is our short roundup of the recent work we have been carrying out to support victims of data breaches, as well as a closer look at some of the most notable data breaches that took place across March and April and updates related to the wider data breach industry.
Have you had your personal data exposed in a data breach? Looking for expert advice and support? Please get in touch today.
Our recent work supporting victims of data breaches
FatFace suffer data breach following cyber-attack
FatFace clothing company experienced a cyber-attack in January which subsequently led to a significant data breach which compromised private data belonging to their customers.
In March, an email was sent to FatFace customers and employees affected by the breach, confirming that private data such as names, addresses, national insurance numbers and card details were compromised in the breach.
Fatface subsequently paid a large ransom to the hackers.
An interesting detail regarding the data breach was that FatFace made a request for affected customers to keep the information contained within the email private and confidential.
Read more about this story here.
Arup experience data breach following payroll provider cyber-security incident
Arup, who are an independent firm of designers and technical specialists, contacted current and former employees to inform them that their third-party payroll provider experienced a cyber-security incident.
The incident led to Arup’s UK employee payroll records being compromised, leading to a significant data breach. Depending on when individuals were employed by Arup, various pieces of personal data were compromised.
In a letter sent to affected employees and former employees, Arup claimed to be working with their payroll provider to understand the details of the security incident that led to the data breach.
Read more about this story here.
Midlands News Association suffers security incident leading to data breach
The independent publisher Midlands News Association suffered a significant data security incident which subsequently revealed personal information and bank details belonging to journalists.
The names, addresses, bank account details, National Insurance numbers and dates of birth of a number of former employees were published online by an unauthorised third party. Though Midlands News Association have not confirmed how many individuals have been affected by the breach, it has been reported that employees from as long ago as 2011 may have been affected.
Midlands News Association confirmed “We are engaging with law enforcement to consider what steps can be taken to try to stop continued publication of the data.”
Read more about this story here.
New Forest District Council contacts the public to report data breach
New Forest District Council revealed the discovery of a data breach which exposed personal data belonging to members of the public.
In 2018, the Council received a request for a list of all Council housing through the website www.whatdotheyknow.com (WDTK). In responding to the request, the Council unknowingly attached a spreadsheet which featured an additional tab that contained a list of properties bought through the Right to Buy Scheme – as well the personal data belonging to the buyers of said properties. This was only discovered in April 2021.
The Council has sent letters to members of the public whose personal data was exposed in the breach, apologising for “any concern or distress that this may cause”. The Council has also self-reported the breach to the ICO.
Read more about this story here.
Bridgewater and Taunton College suffers data breach following ransomware attack
Bridgewater and Taunton College (BTC) experienced a data breach following a ransomware attack on the college’s IT environment. The original attack took place in January and, after carefully monitoring unusual activity, it was found that personal data belonging to a specific cohort at the college was breached and published to the dark web.
The personal data was gathered from enrolment forms to the college, which included contact details and other personal information provided on the original form.
The findings from the data breach were reported to the Cabinet Office in April, who then passed on the details to the ICO. Students affected by the breach have been contacted by the Cabinet Office.
Read more about this story here.
PracticeHub data breach – chiropractors hit by potential theft of client data
PracticeHub, a software platform that is used by many chiropractors in the UK was hit by a data breach that put clients’ sensitive personal information at risk.
Clients of a leading London chiropractic clinic were contacted to inform them that some of the clinic’s patient records, stored on PracticeHub, had gone missing. The clinic released a statement, claiming that “at this stage it must be presumed that they have been stolen”.
Given how widely used PracticeHub is, it is likely that patient records from many other chiropractic clinics are also involved. PracticeHub runs on Amazon Web Services (AWS) and initial information suggests other AWS customers may have been affected.
Read more about this story here.
The biggest data breaches uncovered in March 2021
Petlog misplaces owners’ details
Petlog, a firm that has the registered details of more than nine million chipped pets in the UK, has faced allegations of losing its customer’s personal data.
The firm sent out a request asking all users to create a new account, although they did not disclose exactly why this was necessary. In a statement to the BBC, Petlog claimed that pet information was safe, saying: "We reassure all customers that their pets are safely on our microchip database.
"There are some customers who may be unable to immediately view their pets' details when they set up their new online account, but this is because we are committed to protecting their data, and we want to verify details, in some cases, before we continue the online set up process.”
However, a Petlog user has reported that, after logging on, he received the details of someone else with the same name, indicating a breach of data protection regulations.
Read more about this story here.
Details of ‘vulnerable children’ uploaded to Birmingham City Council website
A serious data beach was reported when personal information relating to vulnerable children was uploaded to the Birmingham City council website in ‘error’.
In an email raising the alarm, it was said that the details were ‘potentially available externally’, highlighting the serious nature of the incident. The Information Commissioner’s Office (ICO) were subsequently informed.
A spokesperson for the ICO noted that they have provided data protection advice to the council and that they expect a further update if new information affecting the circumstances of the case come to light.
Read more about this story here.
Booking.com fined for late data breach notification
Booking.com were fined €475,000 after failing to report a serious data breach within the time period mandated by the General Data Protection Regulation (GDPR).
While investigations found that the breach was not Booking.com’s fault, its response was deemed to be too slow.
Booking.com was notified of the breach on January 13 2019, but waited 22 days to report the incident to the Dutch Data protection Authority (AP). GDPR rules state that a report must be submitted within 72 hours.
Read more about this story here.