January 2021 Data Breach Roundup

By Legal Futures’ Associates Hayes Connor Solicitors

New year, new data breaches! 2021 has barely begun and there is already a growing list of significant data breaches that have come to light, with implications for huge numbers of members of the public whose sensitive personal data may have been exposed.

Data breaches uncovered in the last month include a security breach at one of the UK’s biggest energy providers that left customers without electricity or gas, an accidental leak of landlords’ personal data by a local council and the theft of sensitive customer photos from a cosmetic surgery provider.

Read on to find out more about some of the biggest data breaches to hit the UK in January 2021.

Millions of stolen passwords for sale on dark web

Millions of passwords stolen in data breaches have been put up for sale on the dark web, an investigation by Which? has uncovered.

Personal information relating to customer accounts for businesses including Tesco, Deliveroo and McDonald’s was included in the data for sale. Should this information be used by fraudsters, it could potentially allow them to clone those accounts or gain access to online services such as the Deliveroo app. This could allow fraudsters to place fraudulent orders and gain access to other sensitive customer data included in those accounts.

The investigation, carried out in October 2020 in partnership with security specialists Red Maple Technologies, discovered the data being advertised for sale on the dark web. This is the term used to describe hidden parts of the internet that are only accessible to those with specialist tools and know-how.

The data is likely to have been collected by cyber criminals from various different data breaches and highlights the continuing risk to anyone who has been impacted by a data breach, even if they do not see any immediate consequences.

No gas or electricity for many E.On customers following data breach

E.On customers whose homes are fitted with pre-payment meters have been left without electricity or gas after the energy giant suspended the app that customers rely on to top up their accounts.

This move comes after E.On suffered a security breach that saw customer login details stolen. The app, used by tens of thousands of E.On customers, was taken down on 12 January without warning. E.On claim that the move was taken to deactivate the app after they discovered hackers attempting to access customer accounts using data that had been stolen from an unnamed third party.

According to a report in the Independent, E.On have not made it clear exactly when or how the data was stolen or when its app will be back up. The company claims any customers whose data has been exposed have been contacted and told to change their passwords.

Hackney council files leaked online by cyber criminals

Documents that are claimed to be personal data stolen from Hackney council last year have been posted online by a hacker group.

The documents, which it is alleged contain passport documents and other highly sensitive personal data, were supposedly stolen from Hackney council in a ransomware attack in October 2020.

The group behind the attack and posting of the documents is known as Pysa/Mespinoza by cyber security experts. The documents have been posted to the dark web, meaning they are now available to criminals who may wish to use them for fraud and other illegal purposes.

The story was reported by Sky News, whose team have seen the document file names, but state they did not download the documents, so could not confirm their contents. However, the document file names suggested the leaked data could include passport information, staff data and other photo ID data.

Hackney council admitted it had suffered a cyber attack in October 2020 and the council has self-reported the matter to the Information Commissioner’s Office (ICO) for investigation.

Cosmetic surgery photos stolen by hacker group

Patient before-and-after photos have been stolen from a large cosmetic surgery chain by hackers who are threatening to post the images online.

The hacker group behind the attack, known as REvil and also as Sodinokibi, claim to have over 900 gigabytes of patient photographs stolen from The Hospital Group, which operates a chain of 11 clinics offering treatments including bariatric weight loss surgery, breast enlargements, nipple corrections and nose adjustments.

The BBC reports that The Hospital Group (also known as the Transform Hospital Group) has a range of celebrity clients, including former Big Brother contestant Aisleyne Horgan-Wallace, Atomic Kitten singer Kerry Katona, Shameless actress Tina Malone and The Only Way is Essex star Joey Essex.

A spokesperson for The Hospital Group said: “We can confirm that our IT systems have been subject to a data security breach. None of our patients’ payment card details have been compromised but at this stage, we understand that some of our patients’ personal data may have been accessed.”

REvil is one of the world’s most high-profile ransomware groups and, while the BBC report did not contain details of any specific demands in relation to the stolen photos, it is likely that a ransom has been demanded in exchange for not releasing the photos.

The team at Hayes Connor are currently supporting several clients affected by The Hospital Group data breach.

HMO licence holders’ personal details exposed by Blackpool Council in Freedom of Information blunder

Blackpool Council accidentally revealed sensitive personal information of over 400 HMO licence holders in its response to a Freedom of Information (FOI) request.

The information was first published online in November 2018 in a response from the council to an online FOI request. The personal data exposed in the response included HMO (House in Multiple Occupation) licence holders’ personal contact details, dates of birth and ethnicities, according to a report in the Blackpool Gazette.

While the response containing this information has now been taken down, it is unclear how long the information was accessible and who may have seen it.

A Blackpool Council Data Protection Officer confirmed in an email to one HMO licence holder that this error was a breach of GDPR and that the council would be self-reporting the matter to the Information Commissioner’s Office for investigation.

Hayes Connor is currently representing several HMO licence holders affected by the Blackpool Council Freedom of Information data breach.

What to do if you or a client need help with a data breach

If you require expertise in the field of data breaches or cyber security, the team at Hayes Connor are more than happy to help.

As well as taking cases directly from clients, Hayes Connor regularly takes referrals from other law firms, where clients need advice from a team with specific expertise in handling the complexities of data breach claims.

With a wealth of combined experience across our team, we know exactly how to handle all manner of data breach claims, big and small, getting the best outcome for victims.

To find out more about the team’s expertise, or to get in touch about a potential claim or client referral, please head to www.hayesconnor.co.uk.


Associate News is provided by Legal Futures Associates.