November 2020 Data Breach Roundup

Hayes Connor SolicitorsBy Legal Futures’ Associates Hayes Connor Solicitors

Data breaches happen all the time, affecting organisations in all sectors and of all sizes, including private companies, educational establishments, charities and government bodies.

While it would be impossible to provide a truly comprehensive list of all the data breaches that are uncovered each month in the UK, the following are some of the most noteworthy to come to light in November 2020.

Millions of people’s payment details at risk following and Expedia data breach

The payment details of millions of people have potentially been leaked online as a result of serious security failings by a software company responsible for a hotel reservation system used by major companies including and Expedia.

Spanish firm Prestige Software provides the Cloud Hospitality system used by many different hotel booking websites across the industry to store sensitive customer details, including card numbers, CVV numbers, names, addresses and information about customer reservations.

On 6 November 2020 security experts at Website Planet reported that the system has no security in place to protect the customer data being stored there. This affects bookings made through many different companies going back as far as 2013 and may affect more than 10 million people.

Jose Hernández, product manager at Prestige Software, told The Independent: “We have taken measures to diligently react to this incident which, according to the information that we are managing right now, should actually have had very limited effects. We are still working on this and will update you should any relevant development be given.”

Sheffield Council experienced hundreds of data breaches in the last year

Sheffield Council logged 231 information security and personal data breaches during the 2019/20 period. 92 of these were personal data breaches with five being considered serious enough to require referral to the Information Commissioner’s Office (ICO)

According to reporting by The Huddersfield Examiner, the majority of the 92 personal data breaches involved data relating to members of the public and were caused by human error. Examples of these errors include emails and post being sent to the wrong people, as well as printing errors.

One common mistake saw 279 parking fine letters being printed double-sided meaning approximately 140 people received a letter with someone else’s name, address and registration number printing on the back.

In another incident, a social worker was storing sensitive documents in their car, which was broken into and the documents stolen. In a similar incident, a social worker’s house was broken into and sensitive documents stolen.

The ICO took no action in any of the five cases reported, but it does illustrate how common data breaches are and how easily they can occur due to simple human error, such as failing to store documents securely.

Bristol City Council email data breach reveals disabled children’s names

The names of hundreds of children who are disabled or have special needs, as well as their primary carers’ email addresses, were exposed due to a blunder by Bristol City Council, it has been reported.

The council emailed the primary carers asking for their view on a new support service. However, the person who sent the email accident used the ‘carbon copy’ or ‘Cc’ function rather than the ‘blind cardon copy’ or ‘Bcc’ function they should have used. This meant that everyone who received the email could see the email addresses of everyone else and the names of the children associated with those email addresses.

The breach occurred on 23 November and was first reported by The Bristol Post.

Ann James, the Bristol City Council director responsible for children and families, confirmed the error was a GDPR breach. She said: “Personal information was shared this morning, which should not have been.

“We did not use ‘blind carbon copy’ when sending an email to you this morning, and as a result your child’s name and your email address could be viewed by everyone who received the email.

“The breach was caused by human error and I apologise unreservedly for any distress that this may have caused you or your family.”

Ms James also said that the breach had been referred to the Information Commissioner’s Office (ICO), which will investigate and make recommendations.

Up to 350,000 Spotify accounts put at risk from hackers using stolen login details

A massive database containing login details for up to 350,000 Spotify accounts and other user data has been uncovered by security researchers. It is believed the data was exposed as a result of other data breaches,

The database was uncovered by Security researchers Noam Rotem and Ran Locar from vpnMentor and reported by cyber security news website Teiss. The database appears to belong to fraudsters who were attempting to use the login details to target Spotify and its users.

The database was uncovered due to the fact the fraudsters had failed to secure it with a password, which is, ironically, a common mistake made with legitimate databases (as in the Prestige Software above).

Spotify has responded by initiating a rolling reset of all of the affected users’ passwords, meaning the stolen login details would no longer be usable by the fraudsters.

Social housing provider suffers data breach putting customer and staff data at risk

Social housing provider Flagship Group was hit by a cyber attack on 1 November 2020 that caused most of its systems to be taken offline.

The incident is thought to be a ransomware attack caused by a piece of software called Sobinokibi. A statement on Flagship Group’s website confirmed that “some data encryption and some personal customer and staff data has been compromised” in the attack.

Flagship group owns approximately 31,000 homes across the East of England, including in Cambridge, Essex, Norfolk and Suffolk, as well as building and selling homes privately. The company employs 1,200 people across in roles including facilities, repairs, maintenance and heating. This means there are thousands of customers and staff who could potentially have had their details exposed.

David McQuade, Chief Executive of Flagship Group, said: “We take the privacy and security of our customer and staff data very seriously, and we’re very sorry it has been compromised.”

He added: “Our teams are working tirelessly around the clock to bring our systems back online, and we apologise for any inconvenience this may have caused.”

What to do if you or a client need help with a data breach

If you require expertise in the field of data breaches or cyber security, the team at Hayes Connor are more than happy to help.

As well as taking cases directly from clients, Hayes Connor regularly takes referrals from other law firms, where clients need advice from a team with specific expertise in handling the complexities of data breach claims.

With a wealth of combined experience across our team, we know exactly how to handle all manner of data breach claims, big and small, getting the best outcome for victims.

To find out more about the team’s expertise, or to get in touch about a potential claim or client referral, please head to


Associate News is provided by Legal Futures Associates.
Find out about becoming an Associate


Loading animation