Data Breach
Year in Review 2023

A message from Kingsley Hayes

In 2023, we have continued to witness a tumultuous landscape of cybersecurity breaches, with many high-profile organisations affected, including Arnold Clark, Capita, Cambian, Parasol, The Metropolitan Police, and more. With a growing prevalence of ransom demands by hackers, and threats to release sensitive personal data onto the dark web, millions of individuals are at risk.

As a true data protection champion, we acted promptly and proactively to address the aftermath and implications of these breaches, offering legal counsel and support to affected parties where appropriate, and emphasising the critical need for immediate protection. In particular, we were delighted to successfully settle our hard-fought claim against Equifax this year, securing compensation and justice for thousands of affected clients.

Over the past twelve months, in addition to representing clients in various data breach class actions, our team also attended industry events such as the CORLA Annual General Meeting, further solidifying our commitment to collective redress and access to justice. We also achieved significant legal commentary in key publications, as our data protection experts provided valuable insights into the implications of cybersecurity incidents, data protection fines, and regulatory gaps.

Our high-profile data breach and cybercrime claims following breaches at British Airways, EasyJet, Equifax, Ticketmaster and Equiniti were pivotal in establishing our firm’s rankings in both the Legal 500 and Chambers and Partners. Such recognition speaks volumes about our firm’s approach and our prowess in advocating for clients against well-resourced entities. On a personal note, I was delighted to be recommended in the Legal 500 this year.

For more detailed insights into each month’s specific legal actions, developments, industry recognitions, and ongoing efforts in addressing cybersecurity incidents, please refer to the respective sections within this report.

Kingsley Hayes


January 2023

Staff at the Guardian had personal and confidential information accessed in a sophisticated cyberattack.

The compromised data included the names, addresses, bank account information, salaries, and passport documents of Guardian reporters.

Hackers targeted Arnold Clark and demanded that the car dealer group pay a multi-million-pound ransom.

If they were not paid, the cybercriminals said they would upload customer information to the dark web. Tens of thousands of people were thought to be at risk.

JD Sports experienced a cyber-attack that put ten million customers at risk.

According to the sportswear chain, hackers may have accessed customer names, addresses, email accounts, phone numbers, order details, and the final four digits of customer bank cards.

Air France and KLM customers had their accounts hacked

According to a statement by Air France and KLM, customers of these two airlines had their accounts breached when hackers managed to break into the Flying Blue loyalty program.

We warned victims of these data breaches that they were at high risk of being targeted by cybercriminals and advised that they take immediate steps to protect themselves. 

Kingsley Hayes examined Meta’s €400mn data protection fine

Partner and Head of Data and Privacy Litigation, Kingsley Hayes, examined the €400mn data protection fine brought against Meta by the Irish Data Protection Commission. Kingsley’s article was published in UK Tech News, 23 January 2023, and can be found here. 

February 2023

We boosted our data breach team with two prestigious new hires

Already boasting some of the most formidable data privacy, cybercrime, and data breach solicitors in the UK, we further strengthened our Data Breach team with two prestigious new hires. 

Associate Bill Singer joined us from Simpson Millar. He has an enviable reputation fighting against unequal odds to advance cases through the courts, and achieving resolution via negotiated settlements. Associate James Kelliher also joined us from Hayes Connor Solicitors. James has vast experience in data breach law, and has been successful on a number of multi-claimant and group action claims. We are delighted that James and Bill have joined our team as our firm goes from strength to strength.  

We discovered that Arnold Clark hackers had shared another 30GB of stolen customer data on the dark web

Following the initial hack, our data security experts launched an investigation into the Arnold Clark data breach, and we discovered that – in addition to the initial 15 gigabytes – a further 30GB of stolen data had been uploaded to the dark web.  

We discussed Twitter’s latest hacking scandal in Law360

We examined the lessons to be learned from Twitter’s latest hacking scandal in Law360. You can read the article here. 

March 2023

We discovered a further 475GB of data on the dark web following the Arnold Clark data breach

In early 2023, hackers targeted car dealership Arnold Clark and threatened to release a huge amount of customer information onto the dark web unless they were paid a multi-million-pound crypto-currency ransom. The cybercriminals released an initial 15 gigabytes of sensitive data on 17 January 2023. A further 30 gigabytes of data was posted on the dark web on 14 February 2023, and on 31 March 2023, our data security experts discovered another 475 gigabytes of data on the dark web.  

Representatives from our firm attended the CORLA Annual General Meeting

Representatives, including Associate Nathaniel Barber, attended the Annual General Meeting of the Collective Redress Lawyers Association (CORLA) at the Law Society.  

Established in November 2021, CORLA was founded by a group of law firms that are deeply committed to improving access to justice for claimants by way of collective redress. Our firm is a founding member of CORLA, alongside Edwin Coe, Hausfeld, Leigh Day, Milberg London, and PGMBM. Nathaniel is CORLA’s Membership Secretary.

We celebrated IWD

In March 2023, our Women’s Network hosted a series of events, including a panel event to celebrate IWD2023.

Highly Commended in the Modern Law Awards 2023

We were absolutely delighted to have been Highly Commended at the 2023 Modern Law Awards for the Boutique Law Firm of the Year (11+ employees) category. The awards celebrate the best talent in the UK legal industry.

‘D&I Initiative of the Year’ at the Women, Influence and Power in Law Awards

We were thrilled to win ‘D&I Initiative of the Year’ at this year’s Women, Influence and Power in Law Awards. Hosted by Law.com, these awards celebrate top female lawyers who have made invaluable contributions in making the UK legal profession increasingly more diverse in the past year. 

‘Race Equality Initiative of the Year’ at the Women & Diversity in Law Awards

We were absolutely delighted to win ‘Race Equality Initiative of the Year’ at the Women & Diversity in Law Awards 2023. Hosted by Global Legal Post, these awards celebrate those working in the UK legal sector who have made invaluable contributions to facilitating change and promoting diversity, equity and inclusion. 

We warned retired police officers that they could be affected by the PFEW data breach

In March, as part of our investigations into the Police Federation of England & Wales (PFEW) data breach, we uncovered that the PFEW failed to notify retired police officers directly of the attacks – even if their personal data was compromised in the data security failure. In response, we reached out to retired officers to encourage them to sign up to our PFEW action. 

Bill Singer and Kingsley Hayes commented on the Arnold Clark data breach

Bill Singer commented on the damaging leak of Arnold Clark customers’ personal data in Car Dealer Magazine, while Head of Data and Privacy Litigation, Kingsley Hayes, discussed the Arnold Clark cyberattack in UK Tech News.

Kingsley Hayes discussed the ransomware attack on The Guardian in New Law Journal

Partner and Head of Data and Privacy Litigation, Kingsley Hayes, examined the growing cybersecurity threat to UK businesses in light of The Guardian ransomware attack. Kingsley’s article was published in New Law Journal and can be found here. 

April 2023

Shortlisted at The Lawyer Awards 2023

In April 2023, we were pleased to be shortlisted for the ‘Litigation Boutique Firm of the Year’ category at The Lawyer Awards 2023.

The Lawyer Awards have recognised the UK’s most exceptional legal talent for two decades, and are among the most prestigious awards ceremonies in the British legal sector. We were delighted to have been identified as an outstanding performer in this category.

We launched a data breach group action against Cambian Group

In January 2023, Cambian Group, which is one of the largest children’s social care providers in the UK, discovered “unauthorised activity” on its computer systems.   

Cambian is owned by CareTech. It operates a network of hospitals, schools, and homes for children and adults with learning disabilities, autism, and mental health conditions. Cambian currently looks after 2,100 children across the UK, and its services have a specific focus on individuals who present with high-severity needs. By the Bridge Fostering – part of the Cambian Group – is also affected by this data security incident.   

We launched an investigation to find out how this data privacy breach was allowed to happen, and how the security incident affects those who use Cambian’s services.   

Kingsley Hayes commented on TikTok’s ICO fine in the International Business Times and UK Tech News

Head of Data and Privacy Litigation, Kingsley Hayes, commented on how TikTok’s £12.7 million fine by the ICO represented a clear neglect to protect young children in the UK after unlawfully processing their data. Kingsley’s comments were published in the International Business Times, April 11 2023, here, and in UK Tech News, April 13 2023, here. 

Associate Bill Singer commented in The Sunday Post on the extent of Arnold Clark’s data breach

Associate Bill Singer provided details on the extent of Arnold Clark’s data breach and the harm this has caused for many customers. Bill’s comments were published in The Sunday Post, 23rd April 2023, and can be read here. 

May 2023

We launched three new data breach group actions

Lagan Specialist Contracting Group (SCG)

In February 2023, Lagan SCG – a Belfast headquartered construction business – experienced a data breach following a cyberattack.  A significant amount of sensitive and confidential employee data was compromised because of the hack and later found on the dark web.  

In May, we launched a group action to find out how this data privacy breach was allowed to happen, and how the security incident affects Lagan SCG employees. We encourage affected employees to join our action and claim compensation for the failure to protect their data. 


Capita

In March 2023, Capita experienced a ransomware cyber-attack. Following the security incident, criminals exfiltrated some data from Capita’s servers. Over half a million UK pension holders could be affected by this data security incident.

The second data breach involves benefits data which was uncovered on publicly accessible “unsafe storage” provided by Capita. This data security incident is believed to affect several local authorities including councils in Colchester, Coventry, Derby, Adur and Worthing, Rochford, and South Staffordshire.  

Our cyber experts are investigating these breaches to find out what happened, which pension plans and local authorities are involved, and how the breaches affect victims. 

Cadwalader Wickersham & Taft LLP

New York-founded law firm Cadwalader, Wickersham & Taft experienced a cyberattack leading to a data breach. And, according to a proposed class action in the US, the firm is at fault for exposing personal data.  

In the US, victims of this breach are being urged to join the class action and claim compensation. It is thought that more than 93,000 people could have had their personal data compromised in this attack.  

As Cadwalader, Wickersham & Taft is a large international law firm, we would urge UK-based clients affected by this breach to sign with us, as we look to launch a no-win, no-fee group action compensation claim in England & Wales.  

We shared more information about the Cambian data breach

In April, our data breach team launched a group action to support victims of the Cambian Group data breach. Cambian is one of the largest children’s social care providers in the UK. 

In May, we revealed that stolen information about foster parents had been found on the dark web because of this breach.

Our data breach team commented on the European Court of Justice’s GDPR compensation threshold ruling

We discussed the implications of the European Court of Justice’s recent refusal to set a minimum threshold for data protection compensation claims. Our comments were published in The Register, in Law360 and in Legal Futures.

June 2023

Commended at The Lawyer Awards 2023

We were delighted to receive a commendation for ‘Litigation Boutique Firm of the Year’ at The Lawyer Awards 2023. The Lawyer Awards recognise the UK’s most exceptional legal talent, and are among the most prestigious awards ceremonies in the British legal sector. Our commendation in this category is testament to the continued success and dedication of our outstanding team. 

We launched a new group action following the MOVEit/Zellis data breach

In June 2023, hackers exploited a security flaw in the MOVEit file transfer software. The breach affects several global organisations that use this software. Payroll provider Zellis is one organisation affected. Zellis provides payroll support services to hundreds of companies in the UK. Eight of its clients are said to be impacted by the breach, including British Airways. Other organisations are also affected. 

Our cyber experts are investigating the breach to find out what happened, which organisations are involved, and how the breach affects their employees. If you receive notification that you are affected by this data breach, register with us to make a no-win, no-fee compensation claim. 

James Kelliher commented on recent ICO reprimands for individual data breaches

Associate James Kelliher discussed how the ICO reprimands are failing to hold those responsible for data breaches to account. James’s comments were published in Computer Weekly and can be found here. 

Bill Singer commented on the Arnold Clark data breach claim

Associate Bill Singer commented on the ongoing Arnold Clark data breach claim and the fraud risks to those impacted. Bill’s comments were published in Computer Weekly and can be read here. 

Kingsley Hayes discussed the Zellis data breach

Partner and Head of Data and Privacy Litigation, Kingsley Hayes, commented on the hack of payroll service provider Zellis via third-party file transfer software MOVEit in Infosecurity Magazine. Kingsley’s comments were also published in The Stack, Employer News and UK Tech News. 

Kingsley Hayes argued for live facial recognition regulation

Kingsley Hayes also discussed the regulatory hole surrounding the use of live facial recognition in the UK. Kingsley’s article was published in Computer Weekly, and can be found here. 

Kingsley Hayes discussed the class action data privacy implications of Prismall v Google

In addition, Kingsley Hayes discussed the High Court’s judgment in the Prismall v. Google case and its future implications for data privacy group litigation. Kingsley’s article was published in Law360.

July 2023

Our Capita data breach case went from strength to strength

In July, we revealed that our Capita action now represented clients across 23 separate pension schemes, with more joining our action daily. In addition, we shared that two leading Unions had appointed our firm to provide legal assistance to their members.

We launched a crisis response service for pension providers affected by the Capita data breach

As well as helping claimants get justice and compensation through our group action, in July, we launched a crisis response service to offer support to pension schemes suffering the consequences of the Capita data breach through no fault of their own.

Empowering scheme administrators to take charge of the rectification process on their members’ behalf, we provided legal services to scheme members and helped schemes to support their members’ compensation claims for damages against Capita.

August 2023

We launched a group action and investigation following the Metropolitan Police data breach

In August 2023, the Metropolitan Police (the Met) experienced a data breach after a cyber security incident. The breach happened after an unauthorised party gained access to the systems of one of the force’s suppliers. The security failure involved Digital ID, a company which makes warrant cards and identification badges. Other forces may also have been affected. Our firm began investigating this incident.


Lucy Burrows discussed the ICO’s warning to firms over generative AI risks

Associate Lucy Burrows examined the ICO’s warning to businesses over the data privacy risks that generative AI poses. Lucy’s article was published in Data Centre Review.

Kingsley Hayes commented on the EU Digital Services Act

Partner and Head of Data and Privacy Litigation Kingsley Hayes commented on the roll-out of the Act and its implications for Big Tech. Kingsley’s comments were published in Reuters and can be found here. 

James Kelliher discussed the ICO’s intervention in the Farage/NatWest privacy dispute

Associate James Kelliher considered the main takeaways from the ICO’s action in the Farage/NatWest privacy dispute. James’s article was published in Law360 and can be read here. 

September 2023

We launched a Fresca Group data breach action

Our data protection lawyers were alerted to a data breach at Fresca Group. The largest privately-owned supplier of fruit and vegetables in the UK, Fresca Group is a parent and holding company for a mix of wholly owned and joint venture trading businesses.     

October 2023

Ranked Tier 1 for Group Litigation: Claimant in The Legal 500 UK Guide 2024

We were delighted to be ranked Tier 1 in The Legal 500 UK 2024 guide for Group Litigation: Claimant.

The guide recognised our Firm’s “bespoke and individualised service”, commending the team for our sharp client focus and ability to represent customers and workers against large and well-resourced organisations.

Our Managing Director Andrew Nugent Smith was also recognised as a Leading Individual in this field. Other members of our talented team were also commended in the 2024 guide. This included Partners Mark Kenkre and Kingsley Hayes, as well as our Legal Director (now Partner) Hannah Wright Jones. Senior Associates Nathaniel Barber and Lesley-Ann Ainsworth were also noted as key lawyers.

Ranked in the Chambers and Partners UK 2024 Guide

Also this month, we were ranked Band 2 in the Chambers and Partners UK 2024 Guide for Group Litigation: Claimant.

The guide noted our experience in representing consumer classes, affirming that we are “well equipped to handle complex and substantial group claims across a broad spectrum, including workers’ rights, emissions litigation, data breaches and financial mis-selling.”

We launched two new data breach group actions

In October, our Data Breach team launched two new group actions:  

Air Europa

Spanish airline Air Europa suffered a cyberattack on its online payment system. Some customers’ credit card details have been exposed in the breach.

Lyca Mobile

Customers of Lyca Mobile may have had their personal information exposed following a cyberattack. The breach happened after hackers broke into the mobile operator’s systems. While not confirmed, it is thought this might have been a ransomware attack.

Matthew Evans discussed the data privacy concerns surrounding smart doorbells

Senior Associate Matthew Evans wrote on how the rapidly growing use of smart doorbells in UK homes may lead to potential breaches of data protection. Matthew’s article was published in Police Professional.

November 2023

We looked at the ICO’s latest draft Data Protection Fining Guidance

The Information Commissioner’s Office (ICO) ensures that organisations in the UK follow the latest data protection rules. It has the power to impose substantial fines on organisations that don’t take their data protection responsibilities seriously, but it doesn’t always issue a fine if an organisation gets something wrong.  

In Data Protection Fining Guidance (currently in draft format), the ICO has outlined its process for determining whether to punish companies that have failed to safeguard personal data. In November, we looked at this guidance in more detail. 

We launched an investigation into the 23andMe data breach

In November, we launched an investigation after genetics testing company 23andMe experienced a serious data breach. Following the breach, the hackers offered the assembled genetic information of thousands of people for sale on the dark web.    

December 2023

With image-based sexual abuse (revenge porn) up 31%, we looked at what victims can do to get justice

After Sky News reported on the state of ‘revenge porn’ in the UK – focusing on the work of the Revenge Porn Helpline – we looked at what can happen when someone uploads private, often sexual, content online without consent, and the devastation image-based sexual abuse is causing across the UK.

We wished all our clients a merry Christmas and a happy New Year!

As we approached the end of another year, we wished all our clients a joyful and healthy Christmas and New Year.  

We value the relationships we have built with you and are truly grateful for the opportunity to represent you. We look forward to continuing to work hard for you next year.  

Thank you once again for choosing us as your data-champion law firm.  May you find peace and happiness in the company of family and friends, and may the new year bring you prosperity, good health, and success.  

About Us

When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach.

Our data breach team has the legal expertise and resources necessary to take on the corporate giants. We have supported thousands of multi-claimant and group-action data breach clients, and we can do the same for you.

We are one of the most experienced multi-claimant law firms in the UK.

We represent clients in group actions with innovation, resources, and expertise.

We work with expert barristers to ensure you get the very best level of legal support available.

We have all the resources and global expertise necessary to take on complicated cases and win.

We have offices in London, Liverpool, Manchester, and Birmingham, and the technology to provide a nationwide service to clients across England & Wales.

We use technology to deliver a better legal experience to our clients.

We work on a no-win, no-fee basis.

We make the process straightforward and hassle-free.

How we help you...

Data breaches caused by human error

As a direct result of admin errors and poor data security processes, privacy violations are causing considerable distress, upset, embarrassment and harm. The consequences of these errors are often far-reaching, and you have a legal right to hold the guilty party to account. 

Data breaches caused by cybercrime

Too many companies fall short when it comes to data security. This makes it easier for criminals to exploit your data. We help people make successful cybercrime claims against companies that have failed in their data protection responsibilities.

Technology privacy violations & abuses

The ugly truth is that big companies are collecting and misusing personal data in many different ways. But you can claim compensation if a company has breached your data protection or privacy rights. 

Cryptocurrency/NFT breaches

Even if you get your money back, the impact of a cryptocurrency breach can be devastating. Our cybercrime experts help to recover losses where crypto/NFT fraud can be linked to a data breach or hack.

Data Breach, GDPR & Cybercrime Group Actions

Our expert data protection lawyers have all the legal expertise needed to take on corporate giants and large organisations and win. In addition to our own legal know-how, we also work with expert barristers to help us win our group action cases. 

Click on a link below to find out more about any particular KP Law group action.