December 2023 data breach roundup

Hayes ConnorBy Legal Futures Associate Hayes Connor Solicitors

The end of 2023 was just as busy as the rest of the year when it came to data breaches, with individuals up and down the UK, and around the world, having their information exposed.

December saw a wide range of companies hit by data breaches, from local UK schools, through to worldwide gaming developers.

To find out more about some of the most significant data breaches to take place in December, be sure to read on below.

Essex school apologies for sharing pupil data

Ortu Gable Hall School in Corringham, Essex was guilty of a major data breach after mistakenly sharing the personal information of 69 pupils who were being disciplined for bad behaviour.

The information was included as an attachment in an email which was intended to be seen by staff at the school. Instead, the email was sent to all parents.

Children’s pupil premium eligibility and SEN status was listed, as well as descriptions of the incidents and what action was taken. The parents who received the email were asked to delete it by the school.

School principal Gary Lewis has apologised to the parents for any distress caused, explaining the cause of the breach in a statement.

“The member of staff responsible made a genuine mistake by sending to ‘all parents’ instead of ‘all staff’. This was a complete accident and the member of staff is devastated by the situation and its effects on you all.

“We will now investigate their actions and look to take appropriate action to ensure such an incident is not repeated.”

The Information Commissioner’s Office (ICO) has been notified and will be assessing the information that has been provided.

Addenbrooke’s Hospital responsible for leaking thousands of patient records

Addenbrooke’s Hospital in Cambridge were guilty of two separate data breaches in 2020 and 2021, resulting in the private information of more than 22,000 being leaked.

The breaches concerned maternity and cancer patients at the hospital, with names, hospital numbers and medical information all being exposed. Women who have had terminations and miscarriages were also identified. The breaches have only just come to light.

Roland Sinker, chief executive of Cambridge University Hospitals NHS Foundation Trust  said: “I want to apologise to all of our patients for two data breaches, which happened in 2020 and 2021, and which have recently come to light.

“Both were the result of mistakenly including patient information in Excel spreadsheets in response to Freedom of Information Act (FOI) requests.

“In responding to the [first] request, we mistakenly shared some personal data which was not immediately visible in the spreadsheet we provided but which could be accessed via a ‘pivot table’.”

After discovering the first breach, the trust undertook a review of all the FOI requests it had responded to over the previous 10 years, leading to the second breach being identified.

23andME data breach affects over 6.9 million users

Genetic testing company 23andMe were subject to a major data breach in December, affecting an estimated 6.9 million users.

The biotechnology company was not directly hacked, but cyber-criminals were able to access around 14,000 individual accounts by using email and password details previously exposed in other hacks. These hackers were then able to find their way into a significant number of files which contained information about other users’ ancestry.

The stolen data includes information such as names, how each person is linked and in some cases birth years, locations, pictures, addresses and the percentage of DNA shared with relatives.

There is no evidence to suggest that the datasets are being advertised or are being used by criminals.

23andME will now be forcing customers to change their passwords and improve their account security.

Major PlayStation studio subject to ransomware attack

Insomniac, a games studio responsible for developing some of PlayStations best-selling games, was hit by a ransomware attack at the end of the year which resulted in over a million files being leaked on the dark web.

The group responsible for the ransomware attack, Rhysida, demanded a £1.6m payment which was not paid. In response, the files were leaked, then emerging on social media. This included footage of an upcoming game still in development, Wolverine, as well as internal company emails and employee information. Insomniac are yet to make a comment on the situation.

The hack follows on from a similar hack against game studio Rockstar, where hackers were able to access and leak footage from their latest game in development, Grand Theft Auto 6.

Speak to our legal experts about a data breach

When a data breach occurs, the potential impact can be significant. Substantial financial losses and distress are likely for any individuals whose data is exposed, highlighting the importance that a prompt legal response can make.

Every organisation that stores, handles and uses personal data is legally obligated to keep it secure. If they fail to uphold this obligation, any victims may be entitled to make a claim for compensation.

At Hayes Connor, our specialist data breach solicitors have a wealth of combined experience and expertise in handling such claims. We are therefore in a strong position to advise you on how best to proceeed.

For further information on our data breach expertise and how we handle such claims, see here.

To start a data breach claim, you can use our online claim form.


Associate News is provided by Legal Futures Associates.
Find out about becoming an Associate


Loading animation