April 2022 data breach roundup

By Legal Futures Associate Hayes Connor Solicitors

The month of April saw various data breaches occur across a number of industries in the UK. Many of these occurred due to hackers accessing systems, but some were also caused by human error.

Two significant sectors, the Ministry of Defence and the Home Office, were impacted, through incidents affecting British Army recruitment and the Home Office visa services.

To learn more about the range of data breach incidents that occurred in April 2022, keep reading.

Award winning mattress company, Emma Sleep, faces cyber attack

Customers across 12 countries have been impacted by a cyber attack on the award winning mattress company, Emma Sleep.

The company confirmed that it was a Magecart attack. The checkout page was injected with a piece of JavaScript code designed to skim card data from the user’s browser. Both debit and credit card details, along with personal information, may have been stolen from customers over a period of a month.

The company sent out an email to those affected, stating: “This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen, whether you completed your purchase or not.”

In a statement made by a spokesperson, the following was said: “As soon as we became aware of this attack, we took immediate action to remove the threat and ensure the security of data, launched a full investigation, and reported this to the relevant authorities, including the police. We also directly contacted all those customers who may have been affected.”

A police investigation has also been launched in the hope of determining how the attack happened and exactly what details were compromised, and of uncovering those responsible.

Customers of Funky Pigeon were impacted by cyber attack on the brand

Online cards and gifts retailer, Funky Pigeon, owned by retailer WH Smith, was targeted by hackers. As a precaution, protective measures, including taking systems offline, have been carried out.

The brand has confirmed that no payment details or customer account passwords have been accessed but presumes personal data such as names, addresses, email addresses and personalised card and gift designs have been compromised.

They have since reached out to all customers who have purchased from them within the last 12 months, making them aware of the situation. They are currently looking into the matter with an external IT specialist in the hope of finding out how the cyber attack happened and a way to prevent future attacks.

A spokesperson for parent company WH Smith stated: “We would like to sincerely apologise to our customers for any concern or disruption this may cause, and reassure them that our teams are working around the clock to investigate and resolve this incident.

“As our investigation progresses, we will provide further updates to customers and other affected parties as necessary.”

Popular retailer, The Works, suffers from cyber attack

Books, toys and arts and crafts retailer The Works was forced to close five of its stores at the start of April after hackers accessed its computer systems.

The cyber attack led to till issues and delays in distributing online orders to its customers, but the retailer said that no customers’ payment details have been stolen, as they are processed on third party systems. The retailer hasn’t been able to confirm whether the hackers have managed to access and steal any personal details.

The retailer released a statement, confirming: “Customers can continue to shop safely at The Works, both in store and online.”

Since the cyber attack, the retailer has taken a number of actions to investigate the incident and prevent further problems from occurring. They have disabled both internal and external systems, including email, and have informed the Information Commissioner’s Office (ICO) regarding the cyber attack.

British Army victim of data breach that impacted recruitment

After more than 100 army recruits’ personal details were found being sold on the dark web, the British Army recruitment service was suspended for over a month as a safety precaution.

The data compromised included full names, dates of birth, addresses, qualifications, and past employment information.

The incident was presumed to be a possible hack into the internal Defence Recruitment System, and an investigation was launched to determine how it occurred and who was responsible.

A spokesperson for the British Army expressed, “This investigation has now concluded allowing some functionality to be restored and applications to be processed.”

Despite access being restored, the external online recruitment portal is still not available, meaning the army is having to recruit new soldiers via emergency backup methods.

The British Army has reported the breach to the Information Commissioner’s Office (ICO), which has reviewed the incident and information provided and determined not to take further action.

Home Office Visa Services apologise after human error data breach

More than 170 lawyers’ and private email addresses were exposed in a human error data breach by the Home Office visa services when an email was sent using carbon copy instead of blind carbon copy on 7 April 2022.

The Home Office sent a follow up email 24 hours later, on 8 April 2022, making those impacted by the breach aware and apologising for the incident and any inconvenience caused.

The UK Visa and Citizen Application Service is run by a private contractor called Sopra Steria. The contractor was sending out an email concerning a change of location for visa appointments. However, they failed to hide the other email addresses, causing a data breach. This isn’t the first Home Office data breach that’s been caused by human error; a similar incident happened in April 2019.

The Information Commissioner’s Office (ICO) has stated they haven’t directly received a report concerning the breach but explained that not all data breaches need to be reported; instead, they need to be recorded internally, with an explanation as to why no report was made.

What to do if you or a client needs help with a data breach

If you are a victim of a data breach, seeking legal support and guidance immediately is crucial. Should you need to make a compensation claim, the team of data breach solicitors at Hayes Connor are ready to lend specialist support.

Whether you’re a law firm looking to refer a client or are an individual needing a bespoke data breach service, the team at Hayes Connor can assist.

The Hayes Connor team are one of the largest data breach law firms nationally. When you choose to work with a member of the team, they will take the time to understand your situation and the impact it has had on you and your family, financially and mentally. Once they are aware of the matter at hand, they can provide advice tailored specifically to you and your needs.

If you are interested in learning more about Hayes Connor’s data breach expertise or wish to enquire about a potential claim or client referral, please don’t hesitate to contact Hayes Connor, where the team can assist.


Associate News is provided by Legal Futures Associates.