June & July 2023 data breach roundup


By Legal Futures Associate Hayes Connor Solicitors

June and July were another couple of busy months in the world of data breaches, with organisations from all corners failing to secure the data of their customers, clients, and employees.

The past two months saw high-profile private organisations such as British Airways, the BBC and Boots find themselves wrapped in a complex data breach involving a payroll provider, while credentials belonging to some of the country’s most prominent universities were exposed on the dark web.

To find out more about some of the most significant data breaches to take place in June, be sure to read on below…

MOVEit/Zellis data breach compromises employee information

An attack against the file transfer system MOVEit has exposed the personal data of employees belonging to several high-profile organisations in the UK. MOVEit is used by the payroll provider Zellis, who work with various organisations such as British Airways, the BBC, Boots, AON and DPD.

It has been confirmed that a ‘zero-day’ vulnerability in the MOVEit system allowed a hacker group to access information belonging to these companies, among others.

The data breach was confirmed by Zellis, who released a statement on the issue: “A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product.

“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.

“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”

Colchester City Council lose data belonging to 7,000 people

Colchester City Council wrote to over 7,000 local residents to inform them that their data had been breached as a result of an issue concerning the outsourcing contractor Capita.

Capita has been responsible for running the council’s benefits systems and auditing its council tax and benefits services for over six years. Reports indicate that Capita noted a security issue where personal data, including names and addresses, were found on its unsecured data storage area. Seven other local authorities were said to be involved in the incident, in addition to Colchester City Council.

Colchester City Council said: “Capita has since acted to secure the data and have confirmed that there is no current evidence of persons accessing the data for malicious purposes.”

They also went on to express that they are “disappointed that Capita has failed to maintain the high-security standards it expects of its suppliers”.

The Information Commissioner’s Office are said to be investigating the matter further.

2.2 million credentials belonging to top UK universities found on dark web

2.2 million credentials belonging to some of the top universities in the UK have recently been discovered by researchers on the dark web.

Over half of the breached details uncovered by the cybersecurity platform Trillion belonged to Russell Group universities. Email addresses, usernames and passwords were all said to be among the data that was left exposed.

The report did not disclose which dark web sites the information was discovered on, so as not to alert the sites to the presence of the researchers. The harvested credentials were indiscriminately collated, meaning that both students and members of staff were targeted.

Crossword Cybersecurity, who run Trillion, commented on the matter, stating: “We recognise that these environments are amongst the most uniquely challenging to protect with overlapping requirements for secrecy and openness – so many attack paths need to be factored.”

A separate spokesperson for Crossword also stated: “Trillion will match up all breached data found to the organisation running the scan based on their domain, and then the IT Security leader at each institution will be able to assess the most high-risk account credentials that have the potential to become security threats.”

Dorchester school left vulnerable following ransomware attack

A school in Dorchester has revealed that, after its computer systems were encrypted in a cyber-attack, it has since been unable to recover the lost data.

Thomas Hardye School reported that its screens and systems are locked after an attack was launched in May, which according to the school’s headteacher, is also likely to have resulted in a data breach.

Email and payment systems were also compromised in the attack, which was accompanied by a ransom demand. The school have confirmed that they will not be paying this.

In the worst-case scenario, the attack will lead to a complete loss of data, which includes some students’ BTEC and A-Level assignments.

The school’s head teacher Nick Rutherford issued a statement to parents and carers of students: “We hold a large volume of data on staff, students and parents and are aware of the seriousness of any such data breach. We are following guidance from the Information Commissioner’s Office and we will continue to keep you updated.”

Cyber incident exposes University of Manchester

The University of Manchester was left exposed after a cyber security incident led to unauthorised activity taking place on their internal network.

An investigation into the matter has been launched after the university discovered that some of its systems were accessed. It is believed that, after the systems were accessed, data was likely copied.

There is no confirmation as to what data has been accessed and what sort of impact this could have on anyone associated with the university.

Patrick Hackett, Secretary and Chief Operating Officer of the university apologised in a statement: “Regrettably, I have to share with you the news that the University is the victim of a cyber incident.

“We are working to understand what data have been accessed and will update you as more information becomes available…We know this will cause concern to members of our community and we are very sorry for this.

“Our priority is to resolve this issue and provide information to those affected as soon as we are able to, and we are focusing all available resources.”

London Mayor’s Office exposes personal information of sexual abuse survivor

The London Mayor’s Office for Policing and Crime have confirmed that personal data belonging to hundreds of people was exposed in a public data breach.

An investigation is ongoing to establish how the data breach occurred and exactly what information was exposed. Sky News have revealed that a sexual abuse survivor is among those who have been informed that their data has been compromised.

The survivor of the sexual assault spoke about the incident, saying: “I was told to phone up their helpline, but the conversation has left me with more questions than answers.

“All they could tell me is that people could click a button on their website to view the content of submissions made by other people – including me.

“When I asked them to tell me precisely what information has been available, they said they’d look into it and let me know.”

A spokesperson for the London Mayor’s Office for Policing and Crime has confirmed that the data was accessible for four months on two separate online forums.

The ICO have been notified and have confirmed that they will be looking into the incident further.

Patient information shared by NHS Lanarkshire staff on WhatsApp

An unauthorised WhatsApp group was used by NHS Lanarkshire staff to share the personal information of patients on over 500 occasions.

The group, which was reportedly used by 26 members of staff, was active for two years between April 2020 and April 2022. The names, phone numbers and addresses of patients were shared in the group, as well as images and videos which contained clinical information.

WhatsApp was originally used by staff members to communicate with one another during the height of the Covid pandemic, but the intention was only for basic information to be shared.

A non-staff member was accidentally added to the group, which then meant that the personal information was disclosed to an unauthorised individual.

Information Commissioner John Edwards commented on the incident, saying: “There’s no suggestion that the data was misused, that anybody acted unprofessionally with it – but it did expose the data to risk.

“I think the clear message for other boards is to really consider a risk assessment when deploying new technologies and new communications platforms.”

Roblox developer profiles leaked in major data breach

The personal information of Roblox developers who attended the Roblox Developer Conference between 2017 and 2020 has been leaked following a third-party security issue.

As noted by PC Gamer, around 4,000 accounts are said to have been compromised in the data breach, which was caused by unauthorised access to a subset of Roblox’s creator community. The information exposed in the data breach includes names, phone numbers, email addresses, dates of birth and physical addresses.

Troy Hunt, an engineer at haveibeenpwned, has reported that the data leak was previously posted in 2021, but an unnamed source claimed that the news didn’t spread outside of niche Roblox communities, while the company itself did not publicly disclose the leak or alert anyone who had been affected.

A Roblox spokesperson said via email: “Roblox is aware of a third-party security issue where there were indications of unauthorized access to limited personal information of a subset of our creator community.

“We engaged independent experts to support the investigation led by our information security team. Those who are impacted will receive an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third-party vendors.”

What to do if you or a client needs help with a data breach

If you find out that your data has been misused, or exposed in a data breach, you may understandably be worried about what may happen next. No matter the circumstances, data breaches can be very stressful ordeals. This is the case even where you have not necessarily experienced any direct financial losses.

Making a claim for data breach compensation can help you to deal with the consequences of such an incident. Hayes Connor are one of the largest teams of dedicated data breach specialists in the UK and have experience in advising individuals in all types of situations.

When instructed, the Hayes Connor team will take the time to understand your situation in detail and the impact it has had on your life. From there, they can proceed to advise you on your available options and provide the strongest representation.

If you need any assistance with making a data breach compensation claim, don’t hesitate to get in touch with Hayes Connor today.

 

Associate News is provided by Legal Futures Associates.