December 2021 Data Breach Roundup

Hayes Connor SolicitorsBy Legal Futures Associate Hayes Connor Solicitors

There was a wide range of data breaches in December that took place across various sectors, both locally and internationally.

In December, some of the most notable data breaches included Gumtree advertisers’ information being leaked via a simple security vulnerability, an NHS trust exposing the data of Covid vaccine trialists and Sainsbury’s being hit by a cyber-attack against their payroll provider Kronos.

Read on to learn more about some of the biggest data breaches that took place in December 2021.

Simplify Group suffer cyber-attack exposing customer data

Simplify Group, who own several major conveyancing brands in the UK, was hit by a cyber-attack that prevented thousands of home buyers from being able to complete their transactions and opened them up to the threat of a data breach.

Conveyancing brands, including the following, were all affected by the attack:

  • My Home Move
  • Move with us
  • Premier Property Lawyers
  • JS Law
  • DC Law
  • Advantage Property Lawyers

It was widely reported that Simplify had to immediately take down its systems while it addressed the situation, but this means that buyers and sellers were left in the dark about the extent of the situation and what data may have been exposed.

Richard Forest, Legal Director at Hayes Connor, commented on the matter, saying: “We have already been contacted by a number of people who are worried about the impact this could have on them at a time when they are already under a significant amount of stress. This obviously has added to that and just before Christmas as well.

“Home moves involve a huge amount of personal data which can be very valuable to the wrong sort of people so Simplify have a duty to all of their customers to let people know what has happened, why and how exactly they have been affected, and to do so immediately.”

Gumtree security vulnerability causes major data breach

Security researcher Alan Monie discovered a worrying security vulnerability on the classifieds site Gumtree, where simply pressing the F12 key led him to access a wide range of personally identifiable data of advertisers.

As reported by Bleeping Computer, Monie was able to view full names, usernames, account types, email addresses and postcodes, all by accessing the developer tools console. It is normally considered a primary security measure to make this sort of sensitive data not publicly viewable, even when someone views a website’s source code.

Monie said: “The site was super leaky. Every advert on the site included the seller’s postcode or GPS coordinates – even if the seller requested the map of their location to be hidden. It leaked the seller’s email address, and their full name was available via a simple IDOR vulnerability.”

A spokesperson for Gumtree responded by saying: “We were made aware by a user of a security issue affecting our website source code in November 2021. This was resolved within hours of it being brought to our attention.

“In response to these issues, we reported the incident to the Information Commissioner’s Office (ICO) outlining our actions already taken, and planned, to monitor the issue.”

Confidential patient data left dumped outside abandoned GP surgery

Hundreds of patients’ confidential details were found outside an abandoned GP surgery in an unlocked filing cabinet. The documents included reference cards that included full names, dates of birth, addresses and NHS numbers.

As per The Metro, the documents were left in a doorway for days before they were finally discovered outside the former Priory Medical Centre in Warwick.

Under the UK General Data Protection Regulation Laws, which came into force in 2018, each medical practice in England should have a designated Data Protection Officer, who would be responsible for preventing data breaches of this nature.

A spokesperson for NHS Coventry and Warwickshire Clinical Commissioning Group said: “This morning, we were made aware of four mini-filing cabinets containing patient information, found at unused GP practice premises in Warwick. Based on the information gathered to date, the data appears to be historic.

“This data has been recovered and secured, according to information governance procedures, and we are working with the practice to understand this data breach and any potential impact on patients.”

NHS Trust issues apology after sharing email addresses of vaccine trial participants

An NHS Trust was forced to issue an apology after it mistakenly shared the email addresses of various people who were taking part in a Covid vaccine trial. The Midlands Partnership NHS Trusts sent an email to recipients who could all see each other’s addresses due to carbon copy being used instead of blind carbon copy.

BBC News has reported that the breach was caused by human error. After realising the mistake, the trust made an attempt to recall the email, but in a letter sent to recipients, it has admitted that it could not be sure no-one had opened the email.

A spokesperson for the NHS Trust has apologised for the error, and, following an investigation, the ICO has accepted the actions they took as a response.

After a review, the ICO took no further action, providing further data protection and advice and closing the case.

Ubisoft admits to data breach involving Just Dance players

The video games publisher Ubisoft has admitted to a data breach that exposed certain information about players of the game Just Dance.

PC Mag reported that the company posted to the Just Dance community forums to reveal the situation, stating that the incident was the result of a misconfiguration which made it possible for unauthorised individuals to access and possibly copy some personal player data.

Exposed data is said to include public or semi-public information, but there remains a distinct difference between knowingly sharing certain information with additional control and having a video unwillingly exposed.

Ubisoft claims that they have “taken all the proactive measures necessary to secure our infrastructure from future incidents.”

Sainsbury’s payroll provider hit by Kronos attack

The supermarket chain Sainsbury’s was one of the major businesses in the UK to be affected by a cyber-attack against its payroll systems provider Kronos. Like many companies, Sainsbury’s relies on Kronos to log, store and process the hours employees have worked.

BBC News reported that Sainsbury’s lost around a week’s worth of data for its 150,000 UK employees in the run up to Christmas. Kronos confirmed that the issue was caused by a ransomware attack on its computer systems.

Multiple departments, including payroll, human resources and accounting, had to use historical data and working patterns to make sure that employees were paid the correct amount of time.

A Sainsbury’s spokesperson said: “We’re in close contact with Kronos while they investigate a systems issue. In the meantime, we have contingencies in place to make sure our colleagues continue to receive their pay.”

What to do if you or a client need help with a data breach

If you are the victim of a data breach or you simply need some advice and guidance, the team at Hayes Connor can provide the tailored support you need.

Hayes Connor can take on cases directly from clients, in addition to taking on referrals from other law firms who believe that specific expertise is required to bring forward an effective case.

With a wealth of combined experience across our team, we know exactly how to handle all manner of data breach claims, no matter how big or small, reaching the best possible outcome for our clients.

To find out more about the team’s expertise or to get in touch about a potential claim or client referral, please head to Hayes Connor.


Associate News is provided by Legal Futures Associates.
Find out about becoming an Associate


Loading animation