Data Breach
Year in Review 2021

A message from Kingsley Hayes

As we continued to deal with the ongoing Covid pandemic, 2021 was another noteworthy year for data protection. The challenges of keeping personal information safe – especially with a sizeable at-home workforce – continued. However, despite having months to step up to the challenge, too many organisations failed to put the necessary data protection processes and training in place. Worryingly, most UK businesses and individuals experienced at least one data breach during the pandemic.

One of the many lessons highlighted over the past year, is the inextricable link between health and data, with effective use of the latter undoubtedly helping to save many lives. However, long-term use of NHS information remains contentious, especially when it comes to data sharing. Ultimately, key questions remain, including what does an individual know about the consent they have given for processing their data, where will their data be used, and how many times?

In more positive news, 2021 saw record data protection fines issued by the regulators.

In January, in the first significant tech GDPR case, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC) for privacy breaches. This was the first time a multinational tech firm had been held to account by the Irish regulator since GDPR. In July, Luxembourg’s data protection regulator stated its intention to fine Amazon £636 million. This was the biggest GDPR penalty issued to date at more than double every other GDPR fine combined. Fifteen times larger than the previous record fine issued by France’s data protection regulator against Google, this was good news for consumers as it demonstrated a willingness to scrutinise and punish large tech companies over privacy and misinformation concerns.

Championing individual data protection rights, in June, the British Airways (BA) data breach was resolved on confidential terms following successful mediation and negotiation. We represented many clients in this case. We would encourage anyone who has suffered a GDPR violation to talk to our specialist lawyers and benefit from an experienced firm with a proven track record in holding well-funded organisations to account.

In our 2021 Year in Review report, our expert data protection lawyers look at some of the key cases and developments that occurred in the world of data breach law over the last 12 months.

Kingsley Hayes bio image

Kingsley Hayes


January 2021

Transform Hospital Group suffered a cyberattack resulting in the theft of extremely sensitive customer data

On 22 December 2020, Transform admitted to a data security incident. The REvil ransomware group, which has previously attempted to extort companies and public figures including Donald Trump, Lady Gaga and Madonna, was responsible. The group said it had obtained some of “the most important documents, personal data of customers, as well as intimate photos of these customers (this is not a completely pleasant sight)”.

In January 2021, we launched a group action to help affected patients claim compensation.


Data stolen from Foxtons for sale on the dark web

Estate agent Foxtons discovered that it had experienced a huge data breach. Despite an investigation finding 16,000 card details, addresses and correspondence related to this violation on the dark web, Foxtons decided not to warn its customers.


In other data breach news...

People’s Energy data breach affected 270,000 customers

People’s Energy experienced a data breach when hackers stole a database from the company. Two hundred and seventy thousand people had their personal data compromised.

30,000 were at risk following pension data breach

Just before Christmas 2020, NOW: Pensions experienced a serious data breach. In January, it was revealed that the privacy failure put 30,000 customers at risk after sensitive personal details were posted on the internet.

Blackpool Council leaked details of more than 400 landlords

Blackpool Council experienced a data protection failure when it accidentally breached the data of 428 people, including some personal information about local landlords.

Twitter was fined €450,000 by Irish data regulator

In the first major tech GDPR case, Twitter was fined €450,000 by the Irish Data Protection Commissioner (DPC). The penalty was issued as Twitter failed to promptly declare and properly document a data breach.

February 2021

We moved forward with our BA group action

Our firm took significant steps forward in our claim against British Airways when we issued against the airline, making us one of only two firms in the UK acting against BA at that time.

British Airways Group Action

Data breach at Total Fitness

Total Fitness emailed customers to let them know that some personal data had been breached, including bank account information. According to Total Fitness, its IT systems were “attacked by a highly sophisticated international organised cyber-crime network”.
Total Fitness Data Breach

Uber lost a judgment over algorithmic firings

Uber lost a judgment in the Netherlands where it was challenged over drivers’ alleged ‘robo-firings’. The Court of Amsterdam ordered Uber to reinstate six drivers who claimed they were unfairly terminated “by algorithmic means.” Uber was also ordered to pay the fired drivers compensation.

We support Uber drivers in England & Wales who have GDPR concerns over Uber’s facial recognition software, algorithmic accountability, and automated decision-making processes.

Uber image

March 2021

Vulnerable children exposed in Birmingham Council data breach

A serious data breach at Birmingham Council allegedly put the personal information of vulnerable children at risk. This took place when the Council erroneously published the details of thousands of children on a publicly accessible part of its website.

FatFace asked customers to keep data breach confidential

Fashion retailer FatFace suffered a significant data breach when an unauthorised third party accessed some employee and customer information. To make a bad situation worse, FatFace faced a backlash on social media after the retailer asked customers to keep news of the hack “strictly confidential”.

April 2021

Serious data breach at Upstox

Indian stock trading firm Upstox suffered a severe security breach. Millions of customers – including those in the UK – could have had their personal information compromised after hackers targeted the business.

DivideBuy faced legal action after data breach

Interest free credit provider DivideBuy was the latest fintech company facing legal action after the business failed to protect its customer data.

May 2021

We issued a claim against Equiniti in the High Court

Almost 500 British police officers issued a compensation claim in the High Court against Paymaster 1836, the pensions part of Equiniti Group.

“This data breach has had a significant impact on the individuals affected. Equiniti has thus far failed to recognise the seriousness of the data violation and the consequences on the many police officers involved. The breach included highly confidential information, which, placed in the wrong hands, could have significant repercussions, including identity theft, fraudulent activities resulting in financial losses, and emotional distress. Equiniti had a duty to protect this information and should be held accountable for its failure. It should compensate victims fairly.”

Kingsley Hayes, Head of Data Breach


June 2021

British Airways case settled

The British Airways data breach action was resolved on confidential terms following successful mediation and negotiation. We represented many clients in this case, and we were delighted to have secured a settlement for those affected.
British Airways Group Action

Huge LinkedIn breach exposed user salary expectations

LinkedIn suffered a massive data breach affecting 700 million people. In total, 92% of LinkedIn users were reportedly affected by this breach. The data exposed was significant.

Linkedin editorial

Special forces data breach action

Over 100 special forces troops were publicly identified in an email security breach. Given that the names of those in special forces units are strictly protected, this was a severe breach that could have serious repercussions on UK intelligence and those whose data was revealed. 

Military Pensions Misselling

Lawsuit goes after the entire online advertising industry

The Interactive Advertising Bureau (IAB) and others were sued over what was described as “the world’s largest data breach”. The IAB is the industry body for digital advertising. Members include Facebook, Google, and Amazon. The case focused on real-time bidding, a multi-million-dollar industry in which advertising space is auctioned on a webpage or app as it loads.

“The data captured in real-time bidding helps to build a unique user profile, which can include things like a person’s sexual orientation, religion, political persuasion, location, debts, income, health concerns, and what they are reading, watching, and listening to. This is a huge amount of information to hold and share on an individual without their consent. When you consider that most people are not aware that their data is being captured and shared in this way, this is a problem.”

Kingsley Hayes, Head of Data Breach
lady justice London

In other data breach news...

Law firm Gateley hit by cybercriminals

Legal and professional services firm Gateley experienced a significant cyberattack. Client data was stolen in the attack by an external source.

Carnival Corp. cruise customers and employees had their personal information stolen

Some customers and employees of Carnival Corp. cruise lines had their personal information stolen. The brands affected by the cruise data breach included Carnival Cruise Line, Holland America Line and Princess Cruises.

UK data protection watchdog expressed deep concerns over live facial recognition technology

Elizabeth Denham, the then UK Information Commissioner, said she was “deeply concerned” about the use of live facial recognition (LFR) in public spaces. Commenting in a blog post, Ms Denham said that when “technology and its algorithms are used to scan people’s faces in real time and in more public contexts, the risks to people’s privacy increases.” She also said she was concerned that LFR might be used “inappropriately, excessively or even recklessly”.

July 2021

Amazon fined £636 million for GDPR breach

Amazon faced a fine of £636 million by Luxembourg’s data protection regulator for breaching the GDPR. The huge fine was the biggest GDPR penalty to date and more than double every other GDPR fine combined.


Mermaids fined £25,000 for data breach

Mermaids UK, a charity that supports transgender children and young people, was fined £25,000 by the ICO for failing to keep personal data secure. A privacy violation at Mermaids exposed thousands of private emails made between the charity and parents. In total, 780 pages of confidential emails – including angst-ridden messages from parents about their children’s anguish – were online for anyone to view for nearly three years.

Firearms dealer data breach causes significant distress for gun owners

Guntrader.co.uk experienced a serious data breach. In total, around 111,000 records were stolen, and thousands of customers had their names and addresses published on the dark web.

Our firm was contacted by many gun owners who were extremely worried about this breach and the possible impact.

Following the Guntrader data breach, Google took down a CSV file linked to a Google Earth map that showed the exact locations of affected customers’ homes. The map was created by animal rights activists and posted on a blog that encouraged people to “contact as many [gun owners] as you can in your area and ask them if they are involved in shooting animals”.

Housing UK

Latest Hackney Council data breach could have cost lives

An IT blunder at Hackney Council publicly exposed the names and addresses of vulnerable women living in hostels for their own safety. This wasn’t the first time the local authority had been in the headlines for data protection failures. In 2020, Hackney Council suffered another serious cyberattack that affected many of its services and IT systems.
hackney town hall

In the media

Data revealed that the health sector had the highest number of non-cyber related data breach incidents between April and June. The sector was responsible for more than a quarter of all reported incidents (27%). Kingsley Hayes examined data violations in the health sector in Legal Futures.  

Kingsley also discussed the legal obstacles the NHS will need to overcome before it uses algorithmic decision making to tackle record waiting list backlogs. Kingsley’s article was published in ISBuzz news and can be found here.

Kingsley Hayes bio image

August 2021

Our firm was shortlisted for two awards

We were shortlisted at The British Legal Awards 2021 in the ‘Independent Law Firm of the Year’ and the ‘Strategic Legal Operations Team of the Year’ categories.
british law awards

We launched a sports performance data action

Technology is being used to help sportspeople reach their full potential. Everything they do is measured including their health, performance, sleep, and diet. Clubs and sports teams understand that analytics can improve their chances of winning and most players are happy to have their data analysed to benefit their individual and team performance. But their information could be being exploited in ways they have not agreed to.

Protecting the rights of athletes, we launched an action to help them get compensation.

T-Mobile confirmed that it had breached customer data – again

T-Mobile admitted that, once again, hackers had accessed its systems. The confirmation of the latest T-Mobile breach came after some customer data was found for sale on a cybercriminal forum. This was the fifth T-Mobile hack in recent years.

t mobile

Data is stolen from social housing group

Property service company Liberty suffered a cyberattack. Liberty is part of social housing group ForViva, which manages homes on behalf of thousands of tenants across the North West. ForHousing, which is also part of the ForViva group, was also a victim of the ransomware attack. However, ForViva claims that no tenant or staff data from its ForHousing’s systems were accessed.

In the media

Kingsley Hayes discussed the increasing frequency of ransomware attacks. Kingsley’s article was published in Fraud Intelligence and can be found here.
Kingsley also shared his thoughts on this matter in Legal Futures.
Kingsley Hayes bio image

In the media

Kingsley Hayes commented on the DSG Retail (Dixons) judgment.

Kingsley’s comments were published in Global Data Review and can be found here.

Dixons Carphone

September 2021

We were shortlisted for another award

The Lawyer Awards
In September 2021, our firm was shortlisted for ‘Disputes Boutique Firm of the Year’ at this year’s The Lawyer Awards.

Afghan details compromised in MOD data breach

The Ministry of Defence (MoD) experienced two severe data breaches that could put lives at risk. In both cases, people were mistakenly ccd into an email, meaning their email addresses were visible to all the recipients. Not using the bcc functionality when sending to multiple people is a common data privacy mistake, and one that the MoD should have processes in place to prevent. The emails were sent by the Afghan Relocations Assistance Policy (ARAP), the team charged with facilitating the evacuation operation. If this data falls into the hands of the Taliban, the consequences could be fatal. 


MoD Afghan interpreter’s

In the media

Computer Weekly published an article reporting on the second MoD data breach, which revealed the names and email addresses of those who may be eligible to relocate to the UK.

Kingsley Hayes commented: “The Ministry of Defence has launched an investigation into the data privacy failures and has reportedly taken steps ‘to ensure this does not happen in the future’. But with two serious data breaches happening within days, and another breach happening only a few months ago when a member of the public discovered sensitive documents at a bus stop, serious questions must be asked about how such violations are allowed to happen. 

“Furthermore, while the immediate priority must be to secure the safety of those put at risk by the MoD’s haphazard email processes, those responsible must ultimately be held to account. Lives have been put at risk and this is simply unforgivable.”

Kingsley’s comments were published in Computer Weekly and can be found here.

October 2021

HIV Scotland fined £10,000 for data breach

HIV Scotland was fined £10,000 by the ICO following a 2020 data breach. The fine came after the charity sent an email containing personal information to over 100 people without using the bcc function. As such, all the email addresses and some names were visible to the recipients. Because of what HIV Scotland does, the people who received the email could assume the HIV status or risk of the individuals who had their details disclosed.
ICO screen numbers

In the media

Kingsley Hayes explored the impact of NHS data sharing on privacy rights in The Barrister. Kingsley’s article was published in print. Kingsley’s comments can be found here.

November 2021

The Labour Party experienced a data breach

The Labour Party experienced a data security incident involving “a significant quantity of party data”. The data privacy failure occurred when a third party that handles data on behalf of the Labour Party was subject to a cyber incident. While the Party was made aware of the incident on 29 October 2021, it took five days to inform those who could be affected.

We launched an action to help those involved in this data privacy failure.

Labour Party Data Breach

In the media

Kingsley Hayes commented on the Labour Party data breach which revealed information regarding the Party’s members and supporters. He said: 

“We do know that the privacy violation only affects a third party’s systems and that the Labour Party’s own data and systems are unaffected. However, this is likely to be of little comfort to anyone whose personal data has been compromised. The fact that people have been put in this position in the first place is a serious failure.” 

Kingsley’s comments were published in Information Security Buzz News and can be found here.

Google won at the Supreme Court

A data protection case against Google (Lloyd vs Google) resulted in disappointing news for data privacy rights. Lord Leggatt, one of the five Supreme Court justices who considered the case said that it was “unsustainable” that individuals affected by the data breach could be awarded a uniform sum, without having to prove financial loss or mental distress.

The judgement could impact some current data breach actions. However, this decision does not mean that individuals cannot hold organisations to account for personal data protection failures. People still have a right to compensation if they have suffered actual, or potential, financial loss or psychological injury following a data breach.

computer user

In the media

Kingsley Hayes commented on the Lloyd v Google judgment. Kingsley’s comments were published in Global Data Review and can be found here.

Simplify security incident resulted in conveyancing chaos

Simplify Group, a company that provides conveyancing services to several leading agencies, experienced a ‘major security breach’. Simplify was forced to take down many of its online systems after the incident- thought to be a cyber-attack. As a result, sellers and buyers across the UK were left in conveyancing chaos as they could not proceed with or complete their transactions.

We launched a group action compensation claim after multiple conveyancing firms were affected including Premier Property Lawyers, JS Law, DC Law, and Advantage Property Lawyers.

Housing UK

December 2021

In the media

Kingsley Hayes highlighted the importance of data security for charities. Kingsley’s article was published in Information Security Buzz and can be found hereA different version of Kingsley’s article was published in Data Centre Dynamics and can be found here.

About Us

When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach.

Our data breach team has the legal expertise and resources necessary to take on the corporate giants. We have supported thousands of multi-claimant and group-action data breach clients, and we can do the same for you.

We are one of the most experienced multi-claimant law firms in the UK.

We represent clients in group actions with innovation, resources, and expertise.

We work with expert barristers to ensure you get the very best level of legal support available.

We have all the resources and global expertise necessary to take on complicated cases and win.

We have offices in London, Liverpool, Manchester, and Birmingham, and the technology to provide a nationwide service to clients across England & Wales.

We use technology to deliver a better legal experience to our clients.

We work on a no-win, no-fee basis.

We make the process straightforward and hassle-free.

How can we help you?

We have one of the most experienced data breach teams in the UK. And because we also possess significant multi-claimant experience, this is a formidable combination when it comes to taking on big players and complicated group actions.

Data breaches are on the rise. And no organisation – regardless of size or type – is safe. Our expert lawyers help clients make successful personal data breach claims across a vast range of sectors.


Too many companies are falling short when it comes to data security, and this is making it easier for online criminals to exploit your data. We help clients make successful cybercrime claims against companies that have failed in their data protection responsibilities.


Data protection matters, so we make sure our clients are compensated for any GDPR violations that impact their legal rights. Our expert data rights lawyers help clients make a wide range of successful GDPR claims – including automated decision-making violations and facial recognition infringements.

Talk to an expert data rights lawyer today

Find out more about making a no-win, no-fee claim.