October 2021 Data Breach Roundup

Hayes Connor SolicitorsBy Legal Futures Associate Hayes Connor Solicitors

There were a wide range of data breaches in October that took place across various sectors both locally and internationally.

In October, some of the most notable data breaches included the streaming platform Twitch, a group led action by professional footballers whose data has been sold without permission and a HIV charity who exposed the details of over 100 people.

Read on to learn more about some of the biggest data breaches that took place in October 2021.

Former Tesco employee receives substantial compensation after loss of sensitive medical records

A former Tesco employee, who had worked for the supermarket for over 30 years, was awarded £3000 in compensation after 15 years’ worth of employment records were lost.

As per Bristol Live, Jacqueline Ogborne’s records, including sensitive medical details such as counselling notes and personal medical information about her post-natal depression, were lost by Tesco when she requested it all as part of an employment tribunal claim.

“Anyone who has experienced postnatal depression will know how vulnerable you feel” she said.

“This was an incredibly challenging time for me. When I shared this personal information with my employer, I thought I could trust them to look after it and keep it secure.”

Ben Brown, a litigation executive at Hayes Connor, took on the case. He also provided his take on the matter, saying: “Employers need to do more to keep the information they hold about employees safe and secure.

“We are seeing more and more cases like this, where employees are discovering that private information has been misplaced or lost.”

Streaming platform Twitch loses 100GB worth of data in massive breach

Major streaming platform hit the news for all the wrong reasons in October, as it was revealed that they had experienced a major data breach, leading to more than 100GB worth of data being posted online.

As per a report from BBC News, the data exposed in the breach included company information, such as the site’s source code and unreleased products, and streamers’ earnings. Twitch acknowledged the breach, stating that it was the result of a server configuration change. There was not confirmation whether the data that has already been posted online is genuine or not.

A statement on the platform’s website simply read: “The incident was a result of a server configuration change that allowed improper access by an unauthorized third party. Our team took action to fix the configuration issue and secure our systems.

“Twitch passwords have not been exposed. We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information.

“We take our responsibility to protect your data very seriously. We have taken steps to further secure our service, and we apologize to our community.”

Hundreds of professional footballers to take legal action against data collection industry

A group of professional footballers, led by former Cardiff City manager Russell Slade, are seeking compensation for the trading of their performance data over the past six years. The footballers in question are also demanding an annual fee from the companies for any future use of their data.

Slade’s legal team have argued that because players receive no payment for the unlicensed use of their data, this contravenes General Data Protection Regulation (GDPR) rules that were previously strengthened in 2018.

BBC News have reported that 17 major betting, entertainment and data collection firms have initially been targeted, but this could expand to over 150 companies in the future.

Speaking on the matter, Slade said: “On one player, and I’m not talking about a Premier League player or even a Championship player, there was some 7,000 pieces of information on one individual player at a lower league football club.

“A big part of our journey has been looking at that ecosystem and plotting out where that data starts, who’s processing it, where it finishes and that’s a real global thing.

“It’s making football – and all sports – aware of the implications and what needs to change.”

HIV Scotland handed heavy penalty for careless data breach

HIV Scotland were fined £10,000 by the Information Commissioner’s Office (ICO), after it sent out an email containing the personal information over 105 people, including patient advocates representing people living in Scotland with HIV.

BBC News reported that all of the email addresses of the recipients were visible and, from this, 65 of the addresses identified people by name. The ICO’s reasoning for the severity of the fine stemmed from the fact that an assumption could be made about individual’s HIV status.

After carrying out an investigation into the charity’s email procedures, the ICO found a number of shortcomings. This included inadequate staff training, incorrect methods for sending bulk emails and an inadequate data protection policy.

New interim chief executive for HIV Scotland, Alastair Hudson, said of the incident: “For a small charity, financially, I cannot deny that this is a heavy blow. However, we will find a way to pay the £10,000 fine to the ICO.

“As an organisation, HIV Scotland would like to re-iterate its commitment to providing a safe and supportive space where our stakeholders and networks can contribute to better health and wellbeing for those impacted by HIV and improving sexual health for all.”

Ministry of Defence (MoD) exposes secret data of enhanced weapons

The MoD found itself at the centre of anther data breach scandal in October, as a security leak saw information related to enhanced weapons being exposed online.

The Mail on Sunday’s report details that the details related to the next generation of munitions appeared to have been safely redacted in a document marked ‘Official Sensitive’. However, a simple copy and paste then revealed every blanked-out detail.

The MoD are said to be taking action to correct the security breach after they were altered to the mistake by the Mail. The name of the website involved has not been disclosed.

Former Labour Defence Minister Kevan Jones condemned the breach, saying that it was an “astonishing breach of security standards” and called for Defence Secretary Ben Wallace “to ascertain how many other documents have been redacted and published in a similar way.”

What to do if you or a client need help with a data breach

If you are looking for support or guidance with a data breach, or you have reason to believe that you may be a victim of a data breach, the team at Hayes Connor are able to offer the tailored advice you need.

Hayes Connor are able to take on cases directly from clients, in addition to taking on referrals from other law firms who think that specific expertise is required to bring forward an effective case.

With a wealth of combined experience across our team, we know exactly how to handle all manner of data breach claims, no matter how big or small, reaching the best possible outcome for our clients.

To find out more about the team’s expertise, or to get in touch about a potential claim or client referral, please head to Hayes Connor.


Associate News is provided by Legal Futures Associates.
Find out about becoming an Associate


Loading animation