May Data Breach Roundup
As the sun sets on May and rises on June, we can take the opportunity to reflect on yet another busy month in the world of data breaches!
This is our short roundup of the recent work we have been carrying out to support victims of data breaches, as well as a closer look at some of the most notable data breaches that took place across May and updates related to the wider data breach industry.
Have you had your personal data exposed in a data breach? Looking for expert advice and support? Please get in touch today.
Our recent work supporting victims of data breaches
AX report data breach following sophisticated cyber-security attack
AX (formerly Accident Exchange) reported that they suffered a data breach, resulting from a cyber-attack they experienced at the start of 2021.
It has been reported that an unauthorised third party was able to access one of AX’s external-facing systems, with this breach going unnoticed for over a month. It was then discovered that sensitive personal data belonging to customers of AX had been accessed by those responsible for the attack.
Both the Information Commissioner’s Office (ICO) and Financial Conduct Authority (FCA) have been informed about the incident.
Moss Bros suffer data breach exposing employee information
The clothing company Moss Bros contacted current and former employees in May to inform them that their personal data related to their employment had been exposed in a data breach which occurred in April.
Moss Bros’ systems, which are hosted by a third-party provider, were accessed without their authority. Further investigations found that data had been downloaded from the servers, including employee data.
The exact data exposed in the breach was not confirmed, but Moss Bros have revealed that they store information including names, addresses, phone numbers, bank account details and employment records.
Read more about this story here.
Klarna report data breach affecting 9500 app users
The global payments and shopping service Klarna published a statement at the end of May in which they revealed that they experienced a significant data breach affecting around 9500 of their app users.
Klarna CEO Sebastian Siemiatkowski claimed that the incident was self-inflicted and was caused by human error, as opposed to an external breach of their systems. The breach caused users to see the full details of other accounts, including personal information, purchase history and payment methods. Some reports also suggested that partial bank account details were exposed.
Klarna’s investigation into how the human error occurred and exactly which consumers were affected is still ongoing.
Read more about this story here.
The biggest data breaches uncovered in May 2021
4.5 million people’s data exposed following IT system hack on Air India
Towards the end of May, Air India disclosed that it had experienced a data breach affecting at least 4.5 million customers after a sophisticated cyber-attack on its IT system.
The details belonging to affected customers included names, passport information and payment details stretching back over 10 years. The compromised software was operated by SITA Passenger Service System, according to Air India.
In a statement, Air India stated they were: "Investigating the data security incident, securing the compromised servers, engaging external specialists of data security incidents, notifying and liaising with the credit card issuers and resetting passwords of Air India Frequent Flyer Program."
They also added: “While we and our data processor continue to take remedial actions including but not limited to the above, we would also encourage passengers to change passwords wherever applicable to ensure safety of their personal data.”
Read more about this story here.
Covid vaccination booking site leaks medical data belonging to patients
NHS Digital is said to be revising its process for booking Covid vaccinations in England after it was discovered that users’ vaccination status could be easily leaked through lax security procedures.
Users could make appointments on the website using their NHS number or, if they did not have that to hand, some basic personal information. However, in the process, users’ vaccination status was disclosed. That meant someone who had basic personal details of a friend, colleague or stranger could find out what should be confidential medical information.
A spokesperson said of the matter: “The NDG has contacted the organisations which run the website to ensure that they are aware of the concerns that have been raised and will discuss with them the twin important aims of protecting confidentiality whilst maintaining easy access to vaccinations for the public.”
Read more about this story here.
Edinburgh mental health clinic in probe after client information is accessed in scam
An Edinburgh mental health clinic is at the centre of a probe after a data breach resulted in hundreds of clients’ contact details being accessed as part of a sophisticated phishing scam.
Bosses at The Edinburgh Practice were accused of failing to properly notify patients of the attack, despite receiving a number of complaints. Dozens of service users at the clinic had previously raised concerns with the ICO when they received emails from scammers who sought to harvest their personal information through a virus disguised as an important document.
Police Scotland are understood to have launched an investigation into the incident through their cybercrime unit.
Read more about this story here.
The latest data breach news and announcements
Amex fined for sending four million unlawful emails
The ICO fined American Express Services Europe Limited (Amex) £90,000 for sending more than four million marketing emails to customers who did not want to receive them.
The ICO began its investigation when it received complaints from Amex customers who were still getting marketing emails despite having previously opted out of them. The ICO found that Amex had sent over 50 million ‘servicing emails’, with around 4 million of those emails being marketing related. Amex did not review its marketing model following complaints.
Read more about this on the ICO website.
ICO takes action against contact tracing QR code provider
The ICO fined Tested.me (TML), a provider of digital contact tracing services, £8,000 for sending direct marketing emails to people who had provided their personal data for contact tracing purposes.
The company sent nearly 84,000 nuisance emails at the height of the pandemic between September and November 2020. Using personal data for marketing without adequate valid consent is against the law.
Read more about this on the ICO website.
Speak to our legal experts about a data breach
If you are a victim of a data breach, you may be owed compensation. Even in instances where you have not suffered specific harm, you may still have grounds to make a claim. In cases where you have suffered financially or emotionally, you may be able to access substantial damages.
At Hayes Connor, we have one of the largest teams of data breach claims specialists in the country, with a wealth of combined experience representing a wide range of clients on data breach cases.
Our expert team can work alongside you to help clarify whether you have a claim, how the general claims process works and the level of compensation you can expect to receive.
We ensure that anyone who is affected by a data breach is able to access the compensation they deserve, as well as making the claims process as straightforward as possible.
You can find out more about our expertise and how we handle data breach claims here.
To start a claim, you can use our online claim form.