In 2023, we have continued to witness a tumultuous landscape of cybersecurity breaches, with many high-profile organisations affected, including Arnold Clark, Capita, Cambian, Parasol, The Metropolitan Police, and more. With a growing prevalence of ransom demands by hackers, and threats to release sensitive personal data onto the dark web, millions of individuals are at risk.
A true data protection champion, we acted promptly and proactively to address the aftermath and implications of these breaches, offering legal counsel and support to affected parties where appropriate, and emphasising the critical need for immediate protection. In particular, we were delighted to successfully settle our hard-fought claim against Equifax this year, securing compensation and justice for thousands of affected clients.
Over the past twelve months, in addition to representing clients in various data breach class actions, our team also attended industry events such as the CORLA Annual General Meeting, further solidifying our commitment to collective redress and access to justice. We also achieved significant legal commentary in key publications, as our data protection experts provided valuable insights into the implications of cybersecurity incidents, data protection fines, and regulatory gaps.
Our high-profile data breach and cybercrime claims following breaches at British Airways, EasyJet, Equifax, Ticketmaster and Equiniti were pivotal in establishing our firm’s rankings in both the Legal 500 and Chambers and Partners. Such recognition speaks volumes about our firm’s approach and our prowess in advocating for clients against well-resourced entities. On a personal note, I was delighted to be recommended in the Legal 500 this year.
For more detailed insights into each month’s specific legal actions, developments, industry recognitions, and ongoing efforts in addressing cybersecurity incidents, please refer to the respective sections within this report.
Kingsley Hayes
HEAD OF DATA & PRIVACY LITIGATION
If they were not paid, the cybercriminal said they would upload customer information to the dark web. Tens of thousands of people were thought to be at risk.
According to the sportswear chain, hackers may have accessed customer names, addresses, email accounts, phone numbers, order details, and the final four digits of customer bank cards.
According to a statement by Air France and KLM, customers of these two airlines had their accounts breached when hackers managed to break into the Flying Blue loyalty program.
Partner and Head of Data and Privacy Litigation, Kingsley Hayes, examined the €400mn data protection fine brought against Meta by the Irish Data Protection Commission. Kingsley’s article was published in UK Tech News, 23 January 2023, and can be found here.
Already boasting some of the most formidable data privacy, cybercrime, and data breach solicitors in the UK, we further strengthened our Data Breach team with two prestigious new hires.
Associate Bill Singer joined us from Simpson Millar. He has an enviable reputation fighting against unequal odds to advance cases through the courts, and achieving resolution via negotiated settlements. Associate James Kelliher also joined us from Hayes Connor Solicitors. James has vast experience in data breach law, and has been successful on a number of multi-claimant and group action claims. We are delighted that James and Bill have joined our team as our firm goes from strength to strength.
Following the initial hack, our data security experts launched an investigation into the Arnold Clark data breach, and we discovered that – in addition to the initial 15 gigabytes – a further 30GB of stolen data had been uploaded to the dark web.
We examined the lessons to be learned from Twitter’s latest hacking scandal in Law360. You can read the article here.
In early 2023, hackers targeted car dealership Arnold Clark and threatened to release a huge amount of customer information onto the dark web unless they were paid a multi-million-pound crypto-currency ransom. The cybercriminals released an initial 15 gigabytes of sensitive data on 17 January 2023. A further 30 gigabytes of data was posted on the dark web on 14 February 2023, and on 31 March 2023, our data security experts discovered another 475 gigabytes of data on the dark web.
Representatives, including Associate Nathaniel Barber, attended the Annual General Meeting of the Collective Redress Lawyers Association (CORLA) at the Law Society.
Established in November 2021, CORLA was founded by a group of law firms that are deeply committed to improving access to justice for claimants by way of collective redress. Our firm is a founding member of CORLA, alongside Edwin Coe, Hausfeld, Leigh Day, Milberg London, and PGMBM. Nathaniel is CORLA’s Membership Secretary.
In March 2023, our Women’s Network hosted a series of events, including a panel event to celebrate IWD2023.
We were absolutely delighted to have been Highly Commended at the 2023 Modern Law Awards for the Boutique Law Firm of the Year (11+ employees) category. The awards celebrate the best talent in the UK legal industry.
We were thrilled to win ‘D&I Initiative of the Year’ at this year’s Women, Influence and Power in Law Awards. Hosted by Law.com, these awards celebrate top female lawyers who have made invaluable contributions in making the UK legal profession increasingly more diverse in the past year.
We were absolutely delighted to win ‘Race Equality Initiative of the Year’ at the Women & Diversity in Law Awards 2023. Hosted by Global Legal Post, these awards celebrate those working in the UK legal sector who have made invaluable contributions to facilitating change and promoting diversity, equity and inclusion.
In March, as part of our investigations into the Police Federation of England & Wales (PFEW) data breach, we uncovered that the PFEW failed to notify retired police officers directly of the attacks – even if their personal data was compromised in the data security failure. In response, we reached out to retired officers to encourage them to sign up to our PFEW action.
Bill Singer commented on the damaging leak of Arnold Clark customers’ personal data in Car Dealer Magazine. While Head of Data and Privacy Litigation, Kingsley Hayes, discussed the Arnold Clark cyberattack in UK Tech News.
Partner and Head of Data and Privacy Litigation, Kingsley Hayes, examined the growing cybersecurity threat to UK businesses in light of The Guardian ransomware attack. Kingsley’s article was published in New Law Journal and can be found here.
In April 2023, we were pleased to be shortlisted for the ‘Litigation Boutique Firm of the Year’ category at The Lawyer Awards 2023.
The Lawyer Awards recognise the UK’s most exceptional legal talent for two decades, and are among the most prestigious awards ceremonies in the British legal sector. We were delighted to have been identified as an outstanding performer in this category.
In January 2023, Cambian Group, which is one of the largest children’s social care providers in the UK, discovered “unauthorised activity” on its computer systems.
Cambian is owned by CareTech. It operates a network of hospitals, schools, and homes for children and adults with learning disabilities, autism, and mental health conditions. Cambian currently looks after 2,100 children across the UK, and its services have a specific focus on individuals who present with high-severity needs. By the Bridge Fostering – part of the Cambian Group – is also affected by this data security incident.
We launched an investigation to find out how this data privacy breach was allowed to happen, and how the security incident affects those who use Cambian’s services.
Head of Data and Privacy Litigation, Kingsley Hayes, commented on how TikTok’s £12.7 million fine by the ICO represented a clear neglect to protect young children in the UK after unlawfully processing their data. Kingsley’s comments were published in the International Business Times, April 11 2023, here, and in UK Tech News, April 13 2023, here.
Associate Bill Singer provided details on the extent of Arnold Clark’s data breach and the harm this has caused for many customers. Bill’s comments were published in The Sunday Post, 23rd April 2023, and can be read here.
In February 2023, Lagan SCG – a Belfast headquartered construction business – experienced a data breach following a cyberattack. A significant amount of sensitive and confidential employee data was compromised because of the hack and later found on the dark web.
In May, we launched a group action to find out how this data privacy breach was allowed to happen, and how the security incident affects Lagan SCG employees. We encourage affected employees to join our action and claim compensation for the failure to protect their data.
In March 2023, Capita experienced a ransomware cyber-attack. Following the security incident, criminals exfiltrated some data from Capita’s servers. Over half a million UK pension holders could be affected by this data security incident.
The second data breach involves benefits data which was uncovered on publicly accessible “unsafe storage” provided by Capita. This data security incident is believed to affect several local authorities including councils in Colchester, Coventry, Derby, Adur and Worthing, Rochford, and South Staffordshire.
Our cyber experts are investigating these breaches to find out what happened, which pension plans and local authorities are involved, and how the breaches affect victims.
New York-founded law firm Cadwalader, Wickersham & Taft experienced a cyberattack leading to a data breach. And, according to a proposed class action in the US, the firm is at fault for exposing personal data.
In the US, victims of this breach are being urged to join the class action and claim compensation. It is thought that more than 93,000 people could have had their personal data compromised in this attack.
As Cadwalader, Wickersham & Taft is a large international law firm, we would urge UK-based clients affected by this breach to sign with us, as we look to launch a no-win, no-fee group action compensation claim in England & Wales.
In April, our data breach team launched a group action to support victims of the Cambian Group data breach. Cambian is one of the largest children’s social care providers in the UK.
In May, we revealed that stolen information about foster parents had been found on the dark web because of this breach.
We were delighted to receive a commendation for ‘Litigation Boutique Firm of the Year’ at The Lawyer Awards 2023. The Lawyer Awards recognise the UK’s most exceptional legal talent, and are among the most prestigious awards ceremonies in the British legal sector. Our commendation in this category is testament to the continued success and dedication of our outstanding team.
In June 2023, hackers exploited a security flaw in the MOVEit file transfer software. The breach affects several global organisations that use this software. Payroll provider Zellis is one organisation affected. Zellis provides payroll support services to hundreds of companies in the UK. Eight of its clients are said to be impacted by the breach, including British Airways. Other organisations are also affected.
Our cyber experts are investigating the breach to find out what happened, which organisations are involved, and how the breach affects their employees. If you receive notification that you are affected by this data breach, register with us to make a no-win, no-fee compensation claim.
Associate James Kelliher discussed how the ICO reprimands are failing to hold those responsible for data breaches to account. James’s comments were published in Computer Weekly and can be found here.
Associate Bill Singer commented on the ongoing Arnold Clark data breach claim and the fraud risks to those impacted. Bill’s comments were published in Computer Weekly and can be read here.
Partner and Head of Data and Privacy Litigation, Kingsley Hayes, commented on the hack of payroll service provider Zellis via third-party file transfer software MOVEit in Infosecurity Magazine. Kingsley’s comments were also published in The Stack, Employer News and UK Tech News.
Kingsley Hayes also discussed the regulatory hole surrounding the use of live facial recognition in the UK. Kingsley’s article was published in Computer Weekly, and can be found here.
In addition, Kingsley Hayes discussed the High Court’s judgment in the Prismall v. Google case and its future implications for data privacy group litigation. Kingsley’s article was published in Law360.
In July, we revealed that our Capita action now represented clients across 23 separate pension schemes, with more joining our action daily. In addition, we shared that two leading Unions had appointed our firm to provide legal assistance to their members.
As well as helping claimants get justice and compensation through our group action, in July, we launched a crisis response service to offer support to pension schemes suffering the consequences of the Capita data breach through no fault of their own.
Empowering scheme administrators to take charge of the rectification process on their members’ behalf, we provided legal services to scheme members and helped schemes to support their members’ compensation claims for damages against Capita.
In August 2023, the Metropolitan Police (the Met) experienced a data breach after a cyber security incident. The breach happened after an unauthorised party gained access to the systems of one of the force’s suppliers. The security failure involved Digital ID, a company which makes warrant cards and identification badges. Other forces may also have been affected. Our firm began investigating this incident.
Associate Lucy Burrows examined the ICO’s warning to businesses over the data privacy risks that generative AI poses. Lucy’s article was published in Data Centre Review.
Partner and Head of Data and Privacy Litigation Kingsley Hayes commented on the roll-out of the Act and its implications for Big Tech. Kingsley’s comments were published in Reuters and can be found here.
Associate James Kelliher considered the main takeaways from the ICO’s action in the Farage/NatWest privacy dispute. James’s article was published in Law360 and can be read here.
We were delighted to be ranked Tier 1 in The Legal 500 UK 2024 guide for Group Litigation: Claimant.
The guide recognised our Firm’s “bespoke and individualised service”, commending the team for our sharp client focus and ability to represent customers and workers against large and well-resourced organisations.
Our Managing Director Andrew Nugent Smith was also recognised as a Leading Individual in this field. Other members of our talented team were also commended in the 2024 guide. This included Partners Mark Kenkre and Kingsley Hayes, as well as our Legal Director (now Partner) Hannah Wright Jones. Senior Associates Nathaniel Barber and Lesley-Ann Ainsworth were also noted as key lawyers.
Also this month, we were ranked Band 2 in the Chambers and Partners UK 2024 Guide for Group Litigation: Claimant.
The guide noted our experience in representing consumer classes, affirming that we are “well equipped to handle complex and substantial group claims across a broad spectrum, including workers’ rights, emissions litigation, data breaches and financial mis-selling.”
In October, our Data Breach team launched two new group actions:
Spanish airline Air Europa suffered a cyberattack on its online payment system. Some customers’ credit card details have been exposed in the breach.
Customers of Lyca Mobile may have had their personal information exposed following a cyberattack. The breach happened after hackers broke into the mobile operators’ systems. While not confirmed, it is thought this might have been a ransomware attack.
Senior Associate Matthew Evans wrote on how the rapidly growing use of smart doorbells in UK homes may lead to potential breaches of data protection. Matthew’s article was published in Police Professional.
The Information Commissioner’s Office (ICO) ensures that organisations in the UK follow the latest data protection rules. It has the power to impose substantial fines on organisations that don’t take their data protection responsibilities seriously, but it doesn’t always issue a fine if an organisation gets something wrong.
In Data Protection Fining Guidance (currently in draft format), the ICO has outlined its process for determining whether to punish companies that have failed to safeguard personal data. In November, we looked at this guidance in more detail.
After Sky News reported on the state of ‘revenge porn’ in the UK. – focusing on the work of the Revenge Porn Helpline – we looked at what can happen when someone uploads private, often sexual, content online without consent, and the devastation image-based sexual abuse is causing across the UK. FIND OUT MORE
As we approached the end of another year, we wished all our clients a joyful and healthy Christmas and New Year.
We value the relationships we have built with you and are truly grateful for the opportunity to represent you. We look forward to continuing to work hard for you next year.
Thank you once again for choosing us as your data-champion law firm. May you find peace and happiness in the company of family and friends, and may the new year bring you prosperity, good health, and success.
When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach.
Our data breach team has the legal expertise and resources necessary to take on the corporate giants. We have supported thousands of multi-claimant and group-action data breach clients, and we can do the same for you.
We are one of the most experienced multi-claimant law firms in the UK.
We represent clients in group actions with innovation, resources, and expertise.
We work with expert barristers to ensure you get the very best level of legal support available.
We have all the resources and global expertise necessary to take on complicated cases and win.
We have offices in London, Liverpool, Manchester, and Birmingham, and the technology to provide a nationwide service to clients across England & Wales.
We use technology to deliver a better legal experience to our clients.
We work on a no-win, no-fee basis.
We make the process straightforward and hassle-free.
As a direct result of admin errors and poor data security processes, privacy violations are causing considerable distress, upset, embarrassment and harm. The consequences of these errors are often far-reaching, and you have a legal right to hold the guilty party to account.
Too many companies fall short when it comes to data security. This makes it easier for criminals to exploit your data. We help people make successful cybercrime claims against companies that have failed in their data protection responsibilities.
The ugly truth is that big companies are collecting and misusing personal data in many different ways. But you can claim compensation if a company has breached your data protection or privacy rights.
Even if you get your money back, the impact of cryptocurrency breach can be devastating. Our cybercrime experts help to recover losses where crypto/NFT fraud can be linked to a data breach or hack.
Our expert data protection lawyers have all the legal expertise needed to take on corporate giants and large organisations and win. In addition to our own legal know-how, we also work with expert barristers to help us win our group action cases.
Click on a link below to find out more about any particular KP Law group action.
KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.