Latest Data Breach Round-Up – June 2024


In our regular update, we provide a roundup of some of the data breaches that occurred over the last few months.   

Southern Water

Earlier this year, Southern Water revealed that some of its data had been breached. The security violation happened following an “illegal intrusion” into the company’s IT systems. In other words, a cyber-attack.   Data belonging to 5-10% of customers has been stolen in the cyber-attack. However, Southern Water provides essential water services to 2.5 million customers and wastewater services to more than 4.7 million customers, so this has the potential to be a far-reaching data breach. 

Our data protection lawyers are investigating this incident. If we believe poor security processes at Southern Water led to this data breach, we will launch a no-win, no-fee compensation claim. 



The Information Commissioner’s Office (ICO) has launched a joint investigation into the 23andMe data breach with the Office of the Privacy Commissioner of Canada (OPC).   The news of the joint investigation into the data breach implies that weaknesses in 23andMe’s data security processes did exist. In our opinion, the ICO is notoriously under resourced and is unlikely to launch an investigation into a hack without cause to do so.   



In May 2023, 2plan discovered a cyberattack. The firm alerted the FCA, the Information Commissioner’s Office, advisors, and some clients about the breach. In March 2024, 2plan contacted more clients to warn them that their data may also have been stolen in the ‘cyber incident’. 

Ministry of Defence

Earlier this year, the personal information of serving UK military personnel was accessed in a significant data breach. The hack targeted a payroll system used by the Ministry of Defence (MoD). The Chinese state is reported to be behind the attack.   

In 2023, payroll provider Zellis was hacked after cybercriminals – believed to be part of a Russian crime group – exploited a security flaw in the MOVEit software.    

Lewisham Council

In May 2024, the BBC revealed that Lewisham Council published personal resident data on its website for almost a year. The information related to people who had commented on a planning application. The names, addresses and contact details of 156 people were publicly available online for 11 months.  

NHS Dumfries and Galloway

A hacker group gained possession of some patient data after a cyber-attack against NHS Dumfries and Galloway. A darknet post by Inc Ransom alleged that it had stolen three terabytes of data from NHS Scotland. The hackers posted a “proof pack” of some of the data, which has been confirmed as genuine. 

In March 2024, our firm changed its name to KP Law. 

Share this article: