data breach

  • Dixons Carphone data hack

    This year in June, Dixons Carphone announced that a major data breach had occurred, estimating that 1.2 million customers were affected by the hack. This number has now risen to 10 million customers who may have had their personal information hacked, including their names, addresses, and email addresses.

    Dixons Carphone announced that no bank details were taken; however, 5.9 million payment cards were accessed, although the majority were protected by chip and PIN.

    The company has expressed regret for any distress caused by the hack, stating they would be apologising to the customers affected in due time. Dixons Carphone chief executive, Alex Baldock, advised that they are working with the top cyber security experts in order to improve security measures, which has involved:

  • Facebook data breach

    Facebook, the social media giant, is set to face a fine of up to £1.25 billion after revealing that 50 million user accounts were compromised on Tuesday 25 September, with affected users being notified via their Facebook accounts.

    This recent data breach has been established as the largest security breach Facebook have faced. It is also one of the more severe breaches, as the hackers obtained “access tokens”, which are a form of security key allowing users to browse Facebook on numerous devices without entering a password.

    Obtaining these “access tokens” allowed the hackers to gain full access to a user’s account, including third party applications.

    Facebook’s CEO, Mark Zuckerberg, addressed the security breach, stating:

  • BA face legal action

    Since news broke regarding the British Airways data breach, the airline - which is already facing massive fines of up to £500 million from the Information Commissioner’s Office - is now set to face legal action from customers who have suffered financial losses.

    The legal action was instigated by SPG Law, who are seeking compensation for their clients, not only for their financial losses, but also claiming costs for the “inconvenience, distress, and misuse” of their personal data.  

    SPG Law confirmed that they have sent the airline a “Letter before action” document, in order to commence discussion regarding settlement. The letter states that if BA refuse to cooperate this will result in group litigation, which would allow the courts to manage numerous cases against them at once.

    Tom Goodhead, a Partner at SPG Law, discussed the airline’s failings, stating:

  • Data breach compensation

    Three Graces Legal is a commercial law firm which has many years' experience in dealing with civil claims for compensation, including large commercial dispute matters. We also deal with claims arising out of breach of the Data Protection Act and GDPR.

    Our specialist data protection claims solicitor, Aaron Pearson, is a GDPR practitioner and the firm has acquired the standard of ISO17024 for GDPR practitioner and Cyber Essentials.

    We make compensation claims on behalf of individuals and businesses who have been adversely affected by a breach of the Data Protection legislation. 

    We offer a wide range of funding arrangements, including being able to act for you under a no win, no fee agreement.

    We are specialists in pursuing civil claims for a breach of the Data Protection legislation. The law is constantly evolving to keep up with such a changing landscape, particularly where data is concerned. More than ever, we have to ensure that we remain vigilant, while organisations who collect and process our data must take measures to avoid a breach, otherwise they may be faced with a claim for compensation.

    Compliance with data protection law, and moreover, the GDPR, is vital. We act for many businesses in advising them how to stay compliant so as to avoid any unwanted legal proceedings for breach of data protection laws. Equally, we act for individuals who have suffered some harm as a result of a data protection breach.

    Three Graces Legal have seen how the changes arising from the existing Data Protection Act 1998, which was usurped by the European Directive, enabling a person to claim compensation for distress alone, have developed to be written into the General Data Protection Regulation. This now enables an individual to rely on a binding EU Regulation to claim compensation for distress arising out of a data breach.

  • Small and medium businesses

    As cybercrime continues to rise, affecting several large organisations who have had their personal data accessed or stolen, it is now vital that everyone considers and evaluates the best cybersecurity solutions to protect their business.

    Recently, both small and medium organisations have been urged by the Business Fraud Prevention Partnership (BFPP) to seriously consider protection against cyber-crime. The founder of the BFPP, Edward Whittingham, discussed misconceptions regarding cyber-crime, stating:

  • GDPR and transferring encrypted data outside of EU

    Recently, there has been discussion regarding whether or not it is GDPR-compliant to transfer encrypted data on applications based outside of the EU. An example of this is Dropbox, which has US-based servers; if personal data is transferred through the Dropbox system, then technically it has been transferred outside of EU jurisdiction and is no longer GDPR compliant.

    However, personal data sent in this format is usually encrypted and only the necessary individuals are given the encryption key to gain access to the data. So, in this instance, is the transfer of the data compliant?

    Although the data may have been transferred outside of the EU, the encryption key is not stored on the Cloud servers, therefore there is no identifiable information from the provider. However, there is always a possible risk that a data breach will occur if an unauthorised source obtains the key by force.

  • GDPR AND HR

    From the 25th May 2018, to avoid the risk of breaching the General Data Protection Regulation, employers are obligated to take on new responsibilities, as well as updating their contracts, policies and procedures, in order to maintain compliance under the GDPR requirements.

    This means employers must:

  • Google Data Breach

    Following Google’s announcement this week (8 October 2018) regarding a data breach in 2015, they have temporarily shut down their social network Google+, where a security bug enabled third party developers to gain access to user data, potentially affecting around 496,951 Google+ users.

    The announcement on Monday was the first time Google discussed the breach, which, although it occurred three years ago, was not exposed and remedied until March 2018. Google’s reasoning for late exposure was relayed in an internal memo, which discussed the avoidance of “regulatory interest”, and potential comparisons to Facebook’s Cambridge Analytica scandal.

    The bug may have allowed third party developers to gain access to usernames, email, gender, date of birth, location, pictures, as well as occupation and relationship status. However, there is no concrete evidence to confirm this (as Google only holds API data for two weeks), therefore they cannot determine how many users were exposed. Google have advised that there was “no evidence that any profile data was misused” as well as there being “no evidence that any developer was aware of this bug, or abusing the API”.

  • ICO finds 75% increase in data breach reports

    According to a study from the Information Commissioner’s Office (ICO), data breaches have shown a 75% increase in the past two years.

    The report was conducted by Kroll, one of the top corporate investigations and risk consulting firms, based out of the US. Kroll compiled data breach reports which were submitted to the ICO, regarding breaches of personal data, including financial and health details. Some of the data contained in the reports were of public knowledge, whilst other forms of data were accessed under the Freedom of Information Act.

    The final report established that over 2,000 reports submitted to the ICO were due to human error in the past year, with the most common grounds for a data breach being: data being sent by email or fax to the wrong recipients and the loss or theft of paperwork.

  • Improving Cybersecurity measures

    In the past year there has been an array of high-profile data breaches from some of the UK’s biggest organisations including: British Airways, Dixons Carphone, and Ticketmaster UK.

    It is alarming that such large established organisations have jeopardised not only their company’s data, but also the personal data of their customers, through their lack of cyber security.

    Many cybersecurity experts believe that a data breach can occur due to a simple mistake being made, possibly when updating systems or when processing the migration of data. Although there has been a substantial amount of investment placed on cybersecurity, there are still gaps in the basic procedures, which must be addressed.

  • GDPR compliance

    According to a recent survey, 17 out of 24 regulatory authorities were unprepared for the General Data Protection Regulation (GDPR), when it was introduced on 25 May 2018.

    Regardless of these statistics, organisations cannot afford to become complacent, as all businesses are at risk of data breaches. Therefore, GDPR compliance must be continually enforced.

  • Millions of UK Wi-Fi routers hacked

    According to the British security company, SureCloud, there has been an influx of Wi-Fi routers hacked in millions of homes across the UK.

    SureCloud researcher Elliott Thomson, who discovered the reported Wi-Fi hacks, stated:

    “The hacker would be able to join the Wi-Fi network, access shared files, access ‘internet of things’ devices which trust the local network”

    He also reported that a hacker could access web browsing history:

  • Cyber Awareness Month

    October is Cyber Security Awareness Month, which means organisations should be considering their current cybersecurity measures in an effort to prevent data breaches and cyber threats. The need to improve cybersecurity has also been amplified since results from the Cyber Security Breach Survey 2018 established that 43% of businesses have suffered a data breach in the last 12 months.

    Small businesses especially should be evaluating their cybersecurity measures, as according to research from security firm Sitelock, smaller organisations are actually more at risk of a website hack, mainly due to their lack of cybersecurity and website maintenance.

    Laura Dodge, Marketing Manager at Pedalo, the web development agency, discussed the indispensability of implementing cybersecurity and website maintenance, stating:

  • Social media security for businesses

    Experts believe that the greatest threat to an organisation is not its lack of cybersecurity, it is actually the employees who tend to cause the most damage.

    This comes after 77% of survey respondents indicated that regardless of training and adherence to company policies, it is actually employees that are the main source of cyber-attacks, as they may be unaware of the warning signs. Therefore, it is vital that companies improve cybersecurity training by showing staff how to protect themselves, as well as how to conduct themselves online, especially on social media.

    Social media is an integral part of engagement - and with that comes an inherent level of trust - meaning it is vital that everybody is aware of what is safe when posting content. This is particularly the case for employees who are responding to their customers, as they must be aware of online actors who utilise fake accounts in order to pose as customers and purposely target staff and the organisation.

  • Superdrug Data Hack

    Superdrug have recently announced that they have been the target of a data hack, with a warning to customers that their personal data may have been stolen.

    The health and beauty chain admitted that they had been contacted by someone who appears to be a hacker, claiming that they have obtained personal data from approximately 20,000 customers.

    A spokeswoman from Superdrug stated:

    “The hacker shared a number of details with us to try and prove he had customer information – we were then able to verify they were Superdrug customers from their email and log-in”.

    The company also confirmed that 386 accounts had been accessed, including customers’ names, addresses, date of birth, phone number, and Superdrug balance points; however, luckily no card information was obtained.

    They sent out an email to their customers, in addition to a confirmation on Twitter stating:

  • Technical Initiatives to stay privacy safe

    Data protection is an over-arching term for the mitigation of failures in protection (confidentiality), accuracy (integrity) and access (availability) that can cause an impact to data subjects and ultimately, your business. Compliance is about the governance of the GDPR, and non-technical measures to adopt and adapt.

    Risk assessments enable decision-makers to consider everything from contractors leaving with passwords and insider knowledge, and lead to changes in technology, anonymisation of databases, deletion of old, unnecessary records, role-based access to customer data and so on.

    But what about technical support and access to customer data, particularly when required on a large-scale? What measures are available to manage, minimize and control this?

  • University students labelled cyber criminals

    In a recent security report, which analysed 850 cyber-crimes against UK universities and colleges from 2017 to 2018, there was clear evidence to show that the cyber-attacks were often committed by disgruntled students or staff members within these organisations.

    The report was conducted by the government-funded agency, Jisc, who discovered that the crimes were not being committed by professional hackers or organized crime groups, but instead the perpetrators were much closer to home. This conclusion was made due to the attacks showing “clear patterns” of activity during term times, whilst attacks were reduced during holiday periods.

    Dr John Chapman, the head of security operations at Jisc, who assists with providing technology services to the higher and further education field, stated:

  • £28 Million loss to UK Cybercrime victims in 6 months

    According to Action Fraud’s cyber statistics, there were 12,372 cyber-crime reports made between October 2017 and March 2018, which resulted in victims losing a total of £28 million.

    Action Fraud, the national fraud and cyber-crime reporting centre, is led by the City of London Police. As one of the founding members of the Global Cyber Alliance, The City of London Police also run Cyber Protect, which, along with Action Fraud, was put in place in order to investigate, detect, and protect individuals and organisations from cyber-crime and fraud.

    Action Fraud’s statistics show that out of the 12,372 cyber-crime reports, 4,796 were reports of social media and email accounts being hacked, which resulted in victims losing a total of £11 million.

    It is most likely that the reported cyber-crimes were committed by criminals unbeknownst to the victims, as statistics show that around 50% of cyber-crime and fraud is conducted abroad.

    In relation to the Action Fraud statistics, The Temporary Commander, Pete O’Doherty of the City of London Police, stated the following:

Make a free enquiry, call now

0151 659 1070



