- Legal Futures - https://www.legalfutures.co.uk -

March and April 2021 Data Breach Roundup

By Legal Futures’ Associates Hayes Connor Solicitors [1]

Following on from a busy February, the number of data breaches in March and April continued to mount, with cases emerging in a variety of sectors.

In March and April, there were a number of significant data breaches, including an incident where ‘vulnerable’ children’s details were posted by Birmingham City Council and a hefty fine handed to a major hotel bookings site for a delayed response to a breach of GDPR.

Christine Sabino, Legal Director at leading Data Breach Experts, Hayes Connor Solicitors states: “We continue to see the effects of poor data security and lack of care over the personal data held, by so many organisations. There is no slowing down in the number of ransomware and cyber-attacks, highlighting the lack of sufficient security measures by companies and organisations in many varied sectors.

“Local authorities, retailers, educational establishments all need to ensure that data protection is at the forefront of their security systems and training. As they control and process more and more data, robust protections need to be in place to avoid both security and human error lapses.

“As the ‘hackers’ become more sophisticated so must the security measures. Employers must also ensure that appropriate training and security measures are in place and updated when responsible for the handling of data for large numbers of customers, employees, students etc.

“A breach occurring through human error rather than malicious intent is of no comfort to those whose personal and often highly sensitive data is breached in this way.”

Read on to learn more about some of the biggest data breaches to hit the UK in March and April 2021.

Acer falls victim to ransomware attack

The Taiwanese PC manufacturer Acer became the latest victim of the ransomware group known as REvil, who demanded a £36 million ransom after stealing various files including financial spreadsheets and bank communications.

As reported in ITPRO [2], REvil allegedly gave Acer until March 28 to send the funds before the stolen data was leaked. As of yet, there is no update to suggest whether Acer complied with the group’s demands.

The attack marks the highest ransom REvil have demanded, after previously targeting foreign exchange company Travelex and the entertainment law firm Grubman Shire Meiselas and Sacks.

When pressed for further details on the incident, Acer stated that an investigation was ongoing and: “For the sake of security, we are unable to comment on details.”

University of Northampton suffers cyber-attack

The University of Northampton was hit by a significant cyber-attack that resulted in the disruption of its IT and telephone systems and servers. The attack was detected in March and was subsequently reported to the ICO.

As per ITPRO [3], the university also reported the incident to the police as a precaution and has rolled out a number of ‘temporary solutions’ designed to support students and staff. Northamptonshire police confirmed that they were also working alongside the National Cyber Security Centre to investigate the attack.

A spokesperson for the university said: “At the University of Northampton, we take the safety and security of our information as well as the continuity of our systems and services extremely seriously – and will continue to take every action to protect the organisation against cyber-attacks.”

Details of ‘vulnerable children’ uploaded to Birmingham City Council website

A ‘serious’ data breach occurred at Birmingham City Council as the details of ‘vulnerable’ children were mistakenly put at risk after being uploaded in error by staff.

The details, which are said by Birmingham Mail [4] to relate to children who are entitled to free bus passes, were potentially available externally. The council raised the alarm for the breach in an email on March 19 and quickly informed the ICO.

The ICO did not take any immediate action in response to the breach, as they were satisfied with the way the council responded and rectified the issue. The ICO provided additional data protection advice to the council and noted that if any new information that affects the circumstances of the case comes to light, they should be informed.

Petlog misplaces owners’ details

Petlog, a firm which has the registered details of more than nine million chipped pets in the UK, faced allegations in March that it had misplaced personal data belonging to its customers.

A BBC report [5] revealed the details of the incident, where Petlog sent out an unexpected request to all users, asking them to create a new account. The reasons for doing so were not disclosed. In a statement to the BBC, Petlog claimed that the pet information was safe, saying: “We reassure all customers that their pets are safely on our microchip database.”

However, a Petlog user who spoke to the BBC claimed that, after logging on, he received details belonging to someone else with the same name, indicating that a breach of data protection regulations had occurred.

“This seems like a massive breach of GDPR (data-protection regulations),” the Petlog user told the BBC. “In theory I could register his dog to my address and claim him as mine.”

The ICO said that it has no record of such a breach, although it was also noted that not all incidents need to be reported.

Booking.com fined for late data breach notification

The hotel bookings site Booking.com was handed a hefty €475,000 fine after it failed to report a serious data breach within the time period mandated by GDPR.

The initial data breach occurred in 2018, when telephone scammers targeted 40 employees at various hotels in the United Arab Emirates. The breach itself was not deemed to be down to Booking.com, but, as reported by Infosecurity magazine [6], their response was found lacking.

The Dutch company were first notified on January 13 2019, but did not report the incident to the Dutch Data Protection Authority (AP) until February 7 – 22 days later. GDPR rules state that a report must be submitted within 72 hours.

The Vice President for AP said: “A data breach can unfortunately happen anywhere, even if you have taken good precautions, but to prevent damage to your customers and the repetition of such a data breach, you have to report this in time.”

TikTok sued on behalf of millions of under 13s over data breach claims

The former children’s commissioner for England, Anne Longfield, has launched a legal case against the video-sharing platform TikTok. It is claimed that TikTok illegally collected personal data from millions of children using the platform.

ITV News [7] report that the claim was lodged on behalf of as many as 3.5 million children in the UK aged under 13, who may have allegedly had their data illegally collected since May 2018 when the General Data Protection Regulation (GDPR) was introduced. The claim calls for compensation which could run into the billions of pounds.

Speaking about the case, Ms Longfield said: “In terms of what they take, there are addresses, names, date of birth information, their likes, their interests, who they follow, their habits – all of these – the profiling stuff, but also the exact geolocation, that is very much outside what would be deemed appropriate.”

In response to the action, a TikTok spokesperson announced they would “vigorously defend the action”.

Estate agent apologises after exposing personal data in 3D house tour

A Devon estate agent apologised after a virtual 3D tour of a house for sale was published with a ‘substantial’ amount of personal data on view, including financial paperwork belonging to the owners.

As reported by the BBC [8], Fowlers estate agent stated that the private data in the virtual tour had ‘slipped past’ its staff and the homeowner. The tour had been live on the property platform Rightmove since October 2020.

The video was first spotted by Carole Theriault, co-host of the Smashing Security podcast, who said: “There is way too much information on show for anybody watching the 3D virtual tour to see. It’s a treasure trove of private data – a veritable goldmine for identity thieves, phishers, you name it.”

Fowlers owner Philip Fowler said that his company had withdrawn the 3D tour along with all of its others for further review and said the estate agent “takes our clients’ privacy very seriously”.

Google data breach case due to be heard in the Supreme Court

A landmark case alleging that Google illegally tracked millions of iPhone users is set for the Supreme Court.

The case will not be about the exact claim itself, instead focusing on whether the complainant Richard Lloyd (former director of Which?) can bring it forward on behalf of those affected. The BBC [9] claim that, if the case does go ahead, it is likely that many more will follow.

It is alleged that between 2011 and 2012, Google cookies collected data on health, race, ethnicity, sexuality and finance through Apple’s Safari web browser, even when users had selected a ‘do not track’ privacy setting. The case relates to 4.4 million users.

Anthony Walker, Deputy Chief of TechUK, one of several groups hoping to see the case dismissed, argued that: “This massively raises the liability for people providing data-driven services in the UK, which is most of the digital economy.”

Facebook dismisses data breach contained in internal email

An internal Facebook email that revealed the platform’s strategy for dealing with the leaking of account details from 533 million users was accidentally sent to Belgium-based Data News.

The email suggests that the social network expects further incidents and was planning to frame it as an industry problem that was a normal occurrence. As a result, it planned to issue limited statements about the issue.

Facebook confirmed to the BBC [10] that the memo was genuine, saying: “We understand people’s concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it.”

Ethical hacker Inti De Ceukelaire also spoke about the situation, condemning Facebook’s approach which “revealed what we have suspected for a long time but now it is there in black and white – Facebook cares more about its reputation than informing its users”.

What to do if you or a client need help with a data breach

If you are looking for expertise in the field of data breaches, or you have concerns that you may have been a victim of a data breach, the team at Hayes Connor are on hand to provide all of the expert advice you need.

Hayes Connor take on cases directly from clients, as well as taking on referrals from other law firms, where specific expertise in handling data breach claims is required to bring forward an effective case.

With a wealth of combined experience across our team, we know exactly how to handle all manner of data breach claims, no matter how big or small, reaching the best possible outcome for our clients.

To find out more about the team’s expertise, or to get in touch about a potential claim or client referral, please head to www.hayesconnor.co.uk [11].