Data Breach Year in Review 2020.

There is no doubt that the last few years have been transformative for data protection. Today, more of our data is being used and shared than ever before; especially as we all exploit technology in our business and personal lives. But this increased reliance on technology does not come without risk, and, as yet, too many organisations are still failing to take data protection seriously.

In 2020, as the world struggled to overcome the challenges brought about by the coronavirus pandemic, data protection issues were thrust into the spotlight as the challenges of an at-home workforce and the need for remote technology and health-focused apps became apparent.

Nevertheless, despite the pandemic, the legal world continued to operate, with record data protection fines being issued by the Information Commissioner’s Office (ICO).

In our 2020 year in review report, our expert data protection lawyers take a look at some of the key cases and developments that occurred in the world of data breach law over the last 12 months.

Kingsley Hayes

Head of Data Breach

Kingsley Hayes
January 2020
Web Designer

Dixons Carphone was fined by the ICO

In January 2020, the ICO  fined Dixons Carphone £500,000 after a massive data breach at the company in 2017. According to the ICO:

“The contraventions in this case were so serious that we imposed the maximum penalty under the previous legislation, but the fine would inevitably have been much higher under the GDPR.”

The details stolen in this breach included names, home addresses, phone numbers, dates of birth and email addresses. The hackers also got access to the records of 5.9 million payments cards. 

The ICO investigation into the Dixons data breach found:

We launched a group action against Dixons Carphone. Group actions can be a powerful tool and can have a bigger impact than a single claim.

February 2020
Web Designer

Financial Conduct Authority involved in serious breach

In February 2020, the Financial Conduct Authority (FCA) mistakenly published the private records of 16,000 people online. All the people involved in this data breach had previously made a complaint to the FCA. The data exposed in this breach included the names of the complainants, along with some addresses and telephone numbers. The data was visible between November 2019 and February 2020.

A Crew and Concierge data breach put thousands at risk

A data breach at UK-based Crew and Concierge Limited exposed the personal data of workers in the yachting industry. The breach affected 17,379 people of 50 different nationalities – all of whom were on Crew and Concierge’s books. The data had been online and available for anyone to access without a password since February 2019.
March 2020
Web Designer

COVID-19 changed everything

In a month that changed everything, on 11 March 2020, the coronavirus outbreak was labelled a pandemic by the World Health Organisation. 

Quick to see the impact this might have on data protection, Kinglsey Hayes (who later joined our firm as Head of Data Breach), raised concerns in the media about how the coronavirus pandemic might lead to an increase in data breaches. 

In particular, he discussed:

Hammersmith Medicines Research was targeted by cybercriminals

On 14 March 2020, the Maze ransomware group attacked the computer systems of Hammersmith Medicines Research (HMR) – a company which performs early clinical trials of drugs and vaccines. 

HMR did not pay the ransom. Malcolm Boyce, managing and clinical director at HMR said: “We have no intention of paying. I would rather go out of business than pay a ransom to these people”.

In response to this refusal, the cyber gangsters published the personal and medical details of more than 2,300 former volunteer patients online. The information has since been taken down.

The extremely sensitive and confidential information exposed in this hack includes:

  • names and dates of birth
  • identity documents (scanned passports, National Insurance cards, driving licence and/or visa documents, and any photographs taken at the screening visit)
  • health questionnaires, consent forms, information from GPs and some test results (including, in some cases, positive tests for HIV, hepatitis, and drugs of abuse).

The data exposed went back years. 

Another Marriott data breach was uncovered

In 2018, a huge data breach put 339 million Marriott International customers at risk. But, in March 2020 it seemed that the hotel giant still was not taking its data protection responsibilities seriously as it suffered a further breach – this time involving the personal information of 5.2 million guests. 

Also in March 2020

tenants were put at risk after a data breach at the Watford Community Housing Trust
customers of Virgin Media had their personal information breached
Informed customers about a security incident at the company. People who had called the 118118 Money customer service line could be affected.
April 2020
Web Designer

The Supreme Court found Morrisons not liable for 2014 data breach

The Supreme Court decided that supermarket chain Morrisons was not liable for a deliberate data breach caused by a disgruntled employee. However, this decision does not mean that businesses can be complacent. In most cases, data breaches are not caused by people seeking to cause damage to a brand. Instead, they are the result of genuine human error made possible due to poor security processes and a lack of training. And, for that, an employer can still be held liable.

May 2020
Web Designer

Over nine million people had their details hacked in the EasyJet data breach

EasyJet admitted that it had fallen victim to hackers. According to the airline, the personal details of nine million customers had been accessed and 2,208 passengers had their credit card details stolen (including CVV numbers!). Shockingly, EasyJet knew about the hack in January 2020. But it only warned customers whose credit card details were stolen in early April, and everyone else was notified in May. This raised serious questions about why it took so long to inform customers, especially as not doing so put them at additional risk.

Cathay Pacific was fined £500,000 by ICO for data breach

EasyJet wasn’t the only airline to hit the news because of a data breach in May 2020. Cathay Pacific Airways Limited was also fined £500,000 by the Information Commissioner’s Office (ICO) for a similar offence. In this case, the airline’s failure to secure its systems resulted in the personal details of some 9.4 million customers being exposed. Of these customers, 111,578 were from the UK.
June 2020
Web Designer

Babylon Health app breached patient confidentiality

The Babylon Health GP video appointment app gave some users access to videos of other patient consultations. The app had become especially popular during the COVID-19 pandemic, as it provided an alternative to visiting the doctor in person.

Commenting on the breach, Kingsley Hayes said:

“Healthcare is rapidly going digital. But, amidst this online information revolution, there must be robust protections in place. This is essential to secure confidential and sensitive medical data. Especially because, should such information become public, this could cause considerable distress and embarrassment to those involved. And, it might even be exploited by criminals.

“By allowing GP sessions to become public, Babylon has breached the Data Protection Act, and doctor-patient confidentiality. The healthcare sector handles some of our most sensitive personal data, and, as patients, we have the right to expect this will be taken care of. Babylon failed to do this.”

July 2020
Web Designer

Blackbaud alerted customers to a system breach

In July 2020, it was revealed that over 100 educational and third-sector organisations were at risk following a breach of the Blackbaud cloud platform. Blackbaud – a firm that provides administration, fundraising, and financial management software – was targeted by cybercriminals in a devastating cyber-attack. The hackers demanded a ransom in exchange for deleting the data, which Blackbaud paid.

The US-based software provider took weeks to warn people that their data had been stolen. Furthermore, despite initially claiming that financial data had not been stolen, Blackbaud has since admitted that bank account information and users’ passwords were among details feared accessed by hackers. Although not everyone will have had their financial details compromised. 

According to media reports, the affected institutions included:

The British Dental Association (BDA) confirmed that its servers were illegally hacked

In July 2020, hackers targeted the British Dental Association’s (BDA) systems. Cybercriminals accessed personal and financial data including: 

  • bank account numbers
  • sort codes
  • names
  • contact details
  • transaction histories
  • correspondence logs
  • case notes
  • some patient information could also have been compromised.

As the BDA confirmed that its servers were illegally hacked, it also warned dentists to be extra vigilant. In particular, the BDA has suggested that members take the following steps as a precaution:

August 2020
Web Designer

18,000 coronavirus test results were published in data breach error

On 14 September 2020, Public Health Wales (PHW) admitted that a mistake had led to a data breach violation involving the data of Welsh residents who had tested positive for COVID-19 between 27 February and 30 August.

The breach exposed the following information:

  • For 16,179 people, the data consisted of their initials, date of birth, geographical area and sex
  • For 1,926 people living in enclosed settings (e.g. nursing homes and supported housing), or residents who share the same postcode as these settings, the information also included the name of the setting.
September 2020
Web Designer

Strengthening our firm's role as a consumer-champion law firm, in September 2020 we were delighted to launch a new data breach and cybercrime division.

We are one of the most experienced group action and multi-claimant law firms in the UK. Our legal team has represented thousands of workers and consumers, and, with experience in complicated litigation and high-risk cases, we are used to standing up to well-funded corporates. Already taking on giants such as Uber, Volkswagen and Mercedes, in September 2020 we strengthened our role as a consumer-champion even further, with the launch of a new data breach and cybercrime group.

Introducing a new data protection champion

“Over the last few years, I’ve seen how data breach law has evolved, both here in the UK and across the world, and I’ve helped thousands of clients get the compensation they deserve after an injustice. However, there is no doubt that - when it comes to data breach violations - large organisations are smarter and better resourced than ever before. And it can be difficult for some firms to stand up to such strength. In response, the UK needs a new data breach champion. I’m thrilled to take up my position as Head of Data Breach, and look forward to securing the best possible result for each and every client.”
Kingsley Hayes, Head of Data Breach

Shopify data breach worries merchants and customers

Shopify admitted that it caught two rogue employees stealing transaction data from its online stores. The theft impacted around 200 merchants and their customers. The businesses put at risk in the Shopify data breach included Kylie Jenner’s make-up company, which has already informed customers about the privacy violation. The incident occurred between 15 August and 15 September 2020.

October 2020
Web Designer

ICO fined Marriott International £18.4million

The ICO fined Marriott International Inc £18.4 million after a data breach put the personal data of some 339 million customers at risk. Seven million guest records related to people in the UK.

The ICO investigated on behalf of all EU authorities as lead supervisory authority under the General Data Protection Regulation (GDPR). The penalty and action have been approved by the other EU Data Protection Authorities.

Whilst the Marriott data breach was discovered in 2018, it could affect customers who made a booking at one of the affected hotels and timeshare properties as far back as 2014. However, the penalty only relates to the breach from 25 May 2018, when new rules under the GDPR came into effect.

ICO fined British Airways £20 million

The ICO fined British Airways £20 million for a serious data breach which took place in 2018. The breach – which happened due to a cyberattack – compromised the personal and financial details of more than 400,000 British Airways customers and staff.

The hack went undetected for more than two months and was eventually discovered by a third party. According to the ICO: “It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant”.

British Airways was initially facing a £183 million fine for the data breach. However, this amount was reduced to £20 million after appeal.

We launched data breach proceedings against Royal Mail

In October 2020, we issued legal proceedings against the Royal Mail. The action related to the release of employee information collected by Royal Mail as part of an internal investigation following allegations of harassment and bullying made against another Royal Mail employee.

The claimants in this case had a reasonable expectation of privacy given the circumstances. Despite this, during the investigation, personal information was sent to a third party. The personal data included addresses, mobile telephone numbers, and in one case the name of an individual who had asked to remain anonymous. Although Royal Mail had informed the claimants that interview notes would be shared with the third party, those involved were reassured that their personal details would be removed before doing so.

We believe that Royal Mail is vicariously liable for the actions of its employees in sending the documents to the third party, as the employees were acting within their field of activities and furthering their employer’s purposes.

November 2020
Web Designer

Ticketmaster fined £1.25 million for data breach

In October 2020, the ICO  fined Ticketmaster £1.25 million for a shocking data privacy failure which took place in 2018. In this case, cybercriminals hacked Ticketmaster’s website resulting in a significant data breach. The Ticketmaster data breach exposed customer names, addresses, email addresses, phone numbers, financial/payment details and Ticketmaster login details. In total, 40,000 people in the UK had their payment details swiped.

Although the breach began in February 2018, the penalty only related to the breach from 25 May 2018, when new rules under the General Data Protection Regulation (GDPR) came into effect.

December 2020
Web Designer

Twitter fined €450,000 by Irish data regulator

In the first major tech post-GDPR case, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC) for privacy breaches. This was the first time a multinational tech firm had been held to account by the Irish regulator since GDPR was introduced. The penalty was issued as Twitter failed to promptly declare and properly document a data breach.

The Irish DPC is the lead EU privacy supervisor for several tech giants.

This case could be significant as there is a backlog of investigations against the likes of Facebook, WhatsApp, Google, Apple and LinkedIn (amongst others). Facebook has said that it has put aside €302 million for potential regulatory fines.

Almost 300 patients involved in an NHS data breach

NHS Highland patients were involved in a serious medical data breach. The health board admitted that the details of 284 patients were sent to 31 people. The data breached included patient contact details, dates of birth and name of their clinics. 

HMRC guilty of ‘serious’ personal data breaches

In December 2020, it came to light that HMRC had reported a series of ‘serious’ personal data incidents last year. For example: 

  • HMRC sent out NI number letters relating to 16-year-old children with incorrect details. This breach impacted almost 19,000 people.
  • A fraudulent attack saw cybercriminals access the details of over 60 employees. This data included names, contact details and other information such as usernames and passwords. 573 people are said to have been impacted as a result. In this case, the affected customers may not yet have been notified.
  • In a smaller but still serious breach, the data of an employee was put at risk when paperwork was left on a train. The sensitive information breached included medical notes and HR letters.

Other data breaches at HMRC occurred due to cyber-attacks and a catalogue of human errors.

About our firm

When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach.

Our data breach team has the legal expertise and resources necessary to take on the corporate giants. We have supported thousands of multi-claimant and group-action data breach clients, and we can do the same for you.

Our Group Actions

Ticketmaster concert


A data breach at Ticketmaster has put customers at risk of scammers and fraudsters. Register with KP Law to find out what happened, and whether you can claim compensation.

Read More »


The 2plan data breach has put clients at risk of scammers and fraudsters. Register to find out whether you can claim compensation.

Read More »

Southern Water

Have you been affected by the Fresca Group data breach? KP Law can help victims claim no-win, no-fee compensation.

Read More »
British Airways Data Breach

Air Europa 

The Air Europa data breach could affect thousands of passengers. Find out how to claim no-win, no-fee compensation.

Read More »

Metropolitan Police

The names, ranks, photos, vetting levels, and pay numbers for officers and staff could have been accessed in the Metropolitan Police Data Breach.

Read More »


The Capita data breach could affect more than half a million people in the UK. Register with us to find out what happened, and whether you can claim compensation.

Read More »

Cambian Group

Vulnerable individuals are at risk following the Cambian Group data breach. KP Law can help victims to claim compensation.

Read More »

JD Sports  

Ten million customers are at risk following the JD Sports data hack. KP Law can help victims to claim compensation.

Read More »

Arnold Clark  

KP Law has launched an investigation to find out what happened and how this breach affects Arnold Clark customers. We believe that failures to adopt standard security measures may have made this attack easier.

Read More »

Parasol Group

In January 2022, Parasol Group shut down some of its systems after it discovered “malicious activity” on its network.

Read More »

Police Federation

In 2019, The Police Federation of England and Wales (PFEW) suffered a severe data breach following a ransomware cyber-attack hit the PFEW headquarters. Around 120,000 current and former officers are affected.

Read More »
Easyjet data breach


In 2020, EasyJet admitted that, as well as the personal details of nine million customers, over 2,000 passengers had their credit card details accessed by hackers.

Read More »