The PFEW doesn’t think it owes its members data breach compensation. The PFEW is WRONG!   

UK Police officers

In March 2019, The Police Federation of England and Wales (PFEW) suffered two ransomware cyber-attacks. During these attacks, hackers accessed the Federation’s systems and encrypted several of its databases, making them inaccessible. The cybercriminals also had access to these databases, which contained the personal information of around 130,000 police officers. 

In March 2022, three years after the incidents, the PFEW finally admitted liability for unlawfully processing police officers’ personal data by not having the appropriate technical and organisational measures in place. 

However, the PFEW still does not believe that it owes affected members compensation for violating their data protection rights.  

We do not agree.  

What does the PFEW say?

On its website, the PFEW states that external cyber forensics specialists have confirmed that it is unlikely that any personal data was accessed or taken by attackers during those incidents. It claims that, without proof of exfiltration, and “despite experiencing the cyber incidents, PFEW does not believe that members have a legal entitlement to compensation”. 

We believe the PFEW is wrong, and its words and analysis of these claims are misleading and unhelpful. 

The PFEW admits to the unlawful processing of data by allowing criminals access its network. During the attacks we know data was accessed, lost and destroyed. For these reasons claimants are entitled to bring claims and seek damages. 

What’s more, although the PFEW continues to claim that there is ‘no evidence’ that data was taken by cybercriminals during the attacks, it cannot say for sure. In a similar way, the PFEW has no idea if your data was copied.  

What we do know is that, if the PFEW could get rid of the claims by providing evidence that data had not been exfiltrated, it would have done so by now. 

This uncertainly is a key feature of these data security incidents. Because some four years later, the PFEW still hasn’t been able to tell members affected by the data breaches what exactly happened.   

PFEW members have experienced distress

Our PFEW clients have experienced significant and lasting distress as a result of these cyberattacks. They have told us about experiencing fear, anxiety and stress because of the violation; others have had their existing conditions exacerbated. Not knowing how cybercriminals were able to access their sensitive details, or what they have done with this data has caused our clients considerable distress – especially given the nature of their jobs. 

The lack of answers from the PFEW following the breaches has also added to our clients’ distress. They are simply unable to get an explanation for why this breach was allowed to happen. 

"Police officers deserve to have the highest possible level of protection when it comes to their valuable personal data. Criminals could use this extremely sensitive information to cause serious harm.

“The impact of the PFEW’s data protection failure has had a significant effect on those affected, and the lack of care shown by the federation after the incident has raised further questions about what happened.

"We are helping a significant number of police federation members who have been notified that they are affected by the data protection failure, and we can help you too.”
Kingsley Hayes bio image

The PFEW owes its members justice and compensation for breaching their data protection rights

Even if member data was not stolen by the cybercriminals (and the PFEW can’t promise this didn’t happen), “exfiltration” is not the legal basis for our action against the PFEW.   

Under the GDPR, a ‘personal data breach’ is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. 

The mere fact that the PFEW’s databases were encrypted by the cybercriminals shows that personal data was unlawfully processed – and PFEW has admitted that it failed to take appropriate technical measures to protect its members’ data!  

The PFEW has admitted that it cannot recover much of the data, that data has been lost, and that data has been destroyed because of the cyber-attacks.  

For these reasons, and because of the distress caused by not knowing what has happened to the compromised data, affected members and former officers have valid compensation claims against PFEW.  It is misleading., and the PFEW does its members a disservice, to suggest otherwise.   

Join our action and get the compensation and justice you deserve!

Our case is progressing through the Court, and we are currently representing 13,000 PFEW members on a no-win, no-fee basis. This ensures they have access to the absolute best lawyers without worrying about legal fees.  

It’s not too late to join our action and we would encourage any members who wish to sign up – or to invite friends and colleagues to join our fight – to do so. 

In March 2024, our firm changed its name to KP Law. 

Share this article: