- Legal Futures - https://www.legalfutures.co.uk -

September 2021 data breach roundup

By Legal Futures Associate Hayes Connor Solicitors [1]

There were a whole host of data breaches in September that took place across various sectors both on a local and international scale.

In September, some of the most notable data breaches included a data breach involving the details of Afghan interpreters, an unsecured database containing customer records related to wearable technology and fitness services and a cyber-attack against a section of the France-Visas website.

Read on to learn more about some of the biggest data breaches that took place in September 2021.

Data breach reveals personal details of 250 Afghan interpreters eligible to come to the UK

The Ministry of Defence has launched an investigation after the personal details of 250 Afghan interpreters eligible to come to the UK were revealed in a data breach.

According to Sky News [2], an email from the UK government asking for weekly updates as the UK attempts to get the interpreters out of Afghanistan was sent with every recipient’s address visible. The Afghan Relocations Assistance Policy (ARAP) team are said to be responsible.

A spokeswoman for the MoD said: “An investigation has been launched into a data breach of information from the Afghan Relocations Assistance Policy team.

“We apologise to everyone impacted by this breach and are working hard to ensure it does not happen again.

“The Ministry of Defence takes its information and data handling responsibilities very seriously.”

Leading Afghanistan army veterans have expressed their anger, noting that the interpreters involved will likely have to leave their homes to avoid being captured by the Taliban as a result of the breach.

John Healey, Labour’s shadow defence secretary, also criticised the MoD, stating: “We told these Afghan interpreters we would keep them safe, instead this breach has needlessly put lives at risk.”

61 million customer records compromised through unsecured database

An unsecured database containing over 61 million customer records related to wearable technology and fitness services was left exposed online, with information including names, dates of birth, weight, height, gender and GPS logs, among other datasets.

As per ZDNet [3], a joint investigation from WebsitePlanet and cybersecurity researcher Jeremiah Fowler found that the database in question belonged to GetHealth. Based in New York, GetHealth describes itself as a ‘unified solution to access health and wellness data from hundreds of wearables, medical devices, and apps’.

After verifying that GetHealth was the owner of the database, the company was privately notified, and the system was quickly secured.

WebsitePlanet released a statement related to the incident, saying: “It is unclear how long these records were exposed or who else may have had access to the dataset.

“We are not implying any wrongdoing by GetHealth, their customers, or partners. Nor, are we implying that any customer or user data was at risk. We were unable to determine the exact number of affected individuals before the database was restricted from public access.”

French visa applicants have their details exposed

A cyber-attack that focused on a section of the France-Visas website exposed the details of more than 8,000 people who had applied for French visas.

The National Cyber Security Centre [4] has noted that the hack was quickly neutralised, but this did not prevent information such as names, dates of birth, passport numbers and nationalities from being taken. The leaked information is not said to include financial information, or anything defined as being ‘sensitive’ under the General Data Protection Regulation (GDPR).

The Ministry of Interior and the Ministry for Europe and Foreign Affairs have secured the attacked platform to prevent a repeat incident, and a criminal investigation is said to be underway. France’s data protection authority CNIL has also been informed.

The Ministry’s statement on the matter read: “This data could give rise to misuse but limited in its effect, in particular, because the information does not include financial or sensitive data within the meaning of GDPR. They also do not allow administrative procedures to be initiated on behalf of the person whose data has been disclosed, whether on the France-visas portal or on any other French institutional site.”

Data belonging to visitors to Thailand exposed through unsecured database

The personal details of more than 106 million international travellers to Thailand were exposed via an unsecured database that was accessible without a password. Based on the evidence contained within the database, it has been surmised that any foreign visitor to Thailand over the previous ten years may have had their information exposed in the incident.

According to Comparitech [5], which carried out the investigation, the database was said to have included full names, passport numbers, arrival dates, residency status and visa type. Upon the discovery of the database, Thai authorities were immediately notified, and the data was secured the following day.

The IP address of the database remains public but has been replaced with a honeypot – a type of deception technology that allows someone to better understand attacker behaviour patterns.

Although Thai authorities responded quickly to the disclosure of the database, it is not clear how long the data was exposed prior to being indexed. Honeypot experiments have previously shown that attackers are able to find and access unsecured data in a matter of hours, though Thai authorities maintain the data was not accessed.

What to do if you or a client need help with a data breach

If you need support and guidance in relation to a data breach, or you believe that you have fallen victim to a data breach, the team at Hayes Connor will be on hand to offer the tailored advice you need.

Hayes Connor takes on cases directly from clients, as well as taking on referrals from other law firms, where specific expertise in handling data breach claims is required to bring forward an effective case.

With a wealth of combined experience across our team, we know exactly how to handle all manner of data breach claims, no matter how big or small, reaching the best possible outcome for our clients.

To find out more about the team’s expertise, or to get in touch about a potential claim or client referral, please head to Hayes Connor [6].