Tag: security

Cyber Security and Resilience Bill in Parliament 

On 12th November 2025, the Government introduced the Cyber Security and Resilience (Network and Information Systems) Bill in the House of Commons. This is an important development in the evolution of the UK’s cyber security regulation. The Bill is currently at the Committee stage.

The Bill was trailed in the King’s Speech of July 2024, and was followed by the Government publishing its Cyber security and resilience policy statement. The Bill is designed to update the existing Network and Information Systems Regulations 2018 to raise cyber resilience across key parts of the economy, and to give government and regulators more agile powers to respond to evolving threats. Amongst other things, it will expand cyber security regulation to cover more digital services and supply chains, and mandate increased incident reporting to improve the government’s response to cyber-attacks including where a company has been held to ransom. 

The Bill imposes new maximum penalties similar to GDPR levels. For more serious breaches, the maximum penalty is up to £17 million, or 4% of a regulated entity’s worldwide turnover, whichever is higher. For other breaches, the maximum penalty is up to £10 million, or 2% of a regulated entity’s worldwide turnover, whichever is higher. 

Key Provisions 

Expanded Regulatory Scope: The Bill will broaden the range of organisations and sectors under regulatory oversight, extending beyond essential services and digital providers to include a wider array of entities integral to national infrastructure. ​ 

Enhanced Regulatory Powers: Regulators will receive increased authority to ensure compliance with cybersecurity standards, including proactive investigation capabilities and mechanisms for cost recovery to support their activities. ​ 

Mandatory Incident Reporting: The Bill mandates comprehensive reporting of cyber incidents, notably ransomware attacks, to improve national threat assessment and response strategies. ​ 

Supply Chain Security: The Bill introduces measures to strengthen supply chain security, granting regulators the power to designate ‘Critical Suppliers’ whose services are integral to public sector operations. ​ 

Regulatory Oversight: The Information Commissioner’s Office will gain greater authority to investigate and enforce compliance among digital service providers, including those that supply technology to the public sector. ​ The ICO recently published its response to the Bill. 

For a detailed analysis of the Bill, read this article by law firm Clifford Chance. 

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches Workshop.

Retail Under Siege Through AI Enabled Cyber Attacks 

The UK retail sector has come under siege in 2025, with an unprecedented wave of cyber attacks. After the Ticketmaster breach in 2024 where millions of users were affected, one would assume retailers had taken note. However, From Marks & Spencer to Louis Vuitton, companies large and small are grappling with relentless, tech-enhanced intrusions that threaten customer trust and digital resilience. It’s almost a daily occurrence these days receiving an email from a company apologising for a data breach. There also seems to be no retailer safe regardless of their size or stature. Sometimes it is a retailer that you may not have even shopped with for a number of years at which point I’m sure you must be thinking, ‘What’s their data retention policy?’ 
 
Below we take a look at some of the major breaches and attacks of 2025 and what you can do to protect your information online. 

High-Profile Retail Cyberattacks of 2025 

Here’s a snapshot of the most disruptive recent cyber incidents: 

Company Date Attack Type Impact & Highlights 
Louis Vuitton UK July 2025 Data breach Customer contact details & purchase history stolen; phishing scams followed 
Marks & Spencer April 2025 Ransomware £3.8M/day in lost revenue; £700M market value wiped; credential theft via vendor 
Harrods May 2025 Attempted breach Real-time containment; no confirmed data loss but serious operational disruption 
Co-op UK May 2025 Ransomware Customer data compromised; back-office systems disabled 
Peter Green Chilled May 2025 Ransomware Disrupted cold-chain deliveries to Tesco, Aldi, Waitrose 
Victoria’s Secret Spring 2025 Web attack E-commerce platform outage during peak shopping period 

These incidents underscore one clear truth: cybercrime is evolving, and no retailer, no matter its size or prestige, is immune. What is worrying is, companies with infinite resources are still extremely vulnerable. 

The Role of AI  

In many of these data breaches, AI was used by hackers to accelerate and deepen the damage. Their tactics included: 

  • Hyper-Personalised Phishing: AI-generated messages mimicked trusted communications, referencing recent purchases to trick recipients. Louis Vuitton customers received convincing fake discount offers. 
  • Credential Cracking and MFA Bypass: AI automated brute-force login attacks, while adversary-in-the-middle techniques stole session tokens to sidestep multi-factor authentication. 
  • Network Reconnaissance: Malicious bots used AI to scan retail systems, identify vulnerabilities, and map out supply chains for deeper impact. 
  • Autonomous Ransomware: Sophisticated strains like DragonForce adapted in real time to avoid detection and self-propagate through connected systems. 
  • Voice Phishing (Vishing): AI-generated voices impersonated IT staff to deceive employees into disclosing access credentials; a tactic especially potent in luxury retail. 

AI has supercharged cybercrime, making attacks faster, more targeted, and far harder to detect. With the emergence of (RaaS) ransomware as a service and (DLS) there is now a marketplace for our data that is much more accessible. 

How Consumers Can Protect Their Data 

While companies bear the financial burden of breaches, consumers often suffer the most; through stolen data, financial fraud, and disrupted services. Lessons for consumers include: 

  • Even luxury brands are vulnerable – don’t assume prestige equals protection. 
  • Cyberattacks are increasingly tailored based on what you buy, how often you shop, and where you live. 
  • Supply chains and vendor access are weak points; your data might be exposed even if the retailer itself isn’t directly breached. 

Whether you shop in-store or online, these simple steps can dramatically improve the security of your personal data: 

Digital Defence 

  • Use Strong, Unique Passwords: A password manager can help you avoid reuse and weak combinations. 
  • Enable Multi-Factor Authentication: Critical for accounts tied to payments or personal information. 
  • Monitor Your Financial Activity: Check bank statements and credit reports for irregularities. Set up alerts where possible. 
  • Be Phishing-Aware: Always verify communications by visiting the retailer’s official website. Don’t click suspicious links or download unexpected attachments. 
  • Don’t Save Your Payment Data: If you can avoid saving your payment/address details with a retailer online then always avoid.  

Data Discipline 

  • Limit the Personal Data You Share: Don’t offer extra details to loyalty schemes or retailers unless absolutely necessary. 
  • Freeze Your Credit (If Breached): Prevent identity thieves from opening new accounts using your stolen details. 

Payment Hygiene 

  • Use Credit Cards Online: They offer better fraud protection and don’t expose your actual bank balance. In addition, you have certain buyer protections when buying on credit card
  • Avoid Public Wi-Fi for Shopping: Use a VPN or shop from secure, private networks. 

The digital age has made shopping easier; but also riskier. Cybersecurity now requires a partnership between retailers and consumers. Companies must implement
zero-trust architectures. AI-powered threat detection and employee cyber-awareness training. Meanwhile, consumers should stay informed, cautious, and quick to respond when their personal data is at risk. 

According to Stanford University’s recent study, human error accounted for 88% of data breaches and a recent Accenture study found that there has been a 97% increase in cyber threats since the start of the Russia/Ukraine war.  
 
We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. 

The MoD Afghan Data Breach: Could the Information Commissioner have done more? 

On Tuesday, the High Court lifted a superinjunction that prevented scrutiny of one of the most serious personal data breaches involving a UK Government department. In February 2022, a Ministry of Defence (MoD) official mistakenly emailed a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy (ARAP).  

The breach was only discovered in August 2023, when excerpts of the data appeared on Facebook. By then, the damage was done. A new resettlement scheme for those on the leaked list was set up and has seen 4,500 Afghans arrive in the UK so far. The Afghan Relocation Route has cost £400m so far, and the Government has said it is expected to cost a further £450m. Interesting that that the High Court in May 2024 heard it could cost “several billions”. 

Shockingly, people whose details were leaked were only informed on Tuesday. A review of the incident carried out on behalf of the MoD found it was “highly unlikely” an individual would have been targeted solely because of the leaked data, which “may not have spread nearly as widely as initially feared”. On Wednesday though, the Defence Secretary said he was “unable to say for sure” whether anyone had been killed as a result of the data breach. The daughter of an Afghan translator whose details were leaked told the BBC that her whole family “panicked”.  

“No one knows where the data has been sent to – it could be sent to the Taliban, they could have their hands on it,” she said. Her grandmother, who is still in Afghanistan, is “completely vulnerable”, she added. 

This is not the first time the MoD has mishandled Afghan data. In December 2023, it was fined £350,000  for disclosing details of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. The MoD sent an email to a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, with personal information relating to 245 people being inadvertently disclosed. The email addresses could be seen by all recipients, with 55 people having thumbnail pictures on their email profiles.  
Two people ‘replied all’ to the entire list of recipients, with one of them providing their location.  

ICO’s Response 

Despite the scale and sensitivity of the latest MoD data breach, the Information Commissioner’s Office (ICO) has decided not to take any regulatory action; no, not even a reprimand! In its press release, the ICO praised the MoD’s internal investigation and mitigation efforts, stating that “no further regulatory action is required at this time”. 

Compare this case to the data breach involving the Police Service of Northern Ireland (PSNI). Last year, the ICO fined the PSNI £750,000 after staff mistakenly divulged the surnames of more than 9,483 PSNI officers and staff, their initials and other data in response to a Freedom of Information (FoI) request. The request, via the What Do They Know.Com website, had asked the PSNI for a breakdown of all staff rank and grades. But as well as publishing a table containing the number of people holding positions such as constable, a spreadsheet was included. The information was published on the WDTK website for more than two hours, leaving many fearing for their safety. 

In September las year it was announced that a mediation process involving the PSNI is to take place to attempt to agree the amount of damages to be paid to up to 7,000 staff impacted by the data breach. The final bill could be as much as £240m, according to previous reports. Compare that with the impact and cost of the latest MoD data breach. 

Other ICO enforcement actions in the past few years for security failures include: 

  • Cabinet Office (2020): Fined £500,000 for publishing New Year Honours list online. Cause? Spreadsheet error. 
  • HIV Scotland (2021): Fined £10,000 when it sent an email to 105 people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.   
  • Mermaids (2021): Fined £25,000 for failing to implement an appropriate level of security to its internal email systems, which resulted in documents or emails containing personal data being searchable and viewable online by third parties through internet search engine results.  

In the MoD case, the ICO claims it considered the “critical need to share data urgently” and the MoD’s “steps to protect those most affected”. But urgency wasn’t the issue; it was negligence. The breach occurred during routine verification, not a crisis. Even more concerning, the ICO’s own guidance states that breaches involving unauthorised disclosure of sensitive data, especially where lives are at risk, should trigger enforcement action. 

This lack of action by the ICO raises serious questions about the ICO’s independence and willingness to challenge government departments. Even if it felt a fine was not appropriate, a report to Parliament (under Section 139(3) of Data Protection Act 2018) would have highlighted the seriousness of the issues raised and consequently allowed MP’s to scrutinise the MoD’s actions.  

This breach is a national scandal; not just for its scale, but for the lack of transparency, accountability, and regulatory action. If the UK is serious about data protection, it must demand more from its regulator. Otherwise, the next breach may be even worse and just as quietly buried. 

Yesterday, the Commons Defence Committee confirmed it would launch its own inquiry, and Dame Chi Onwurah, chair of the Commons Committee for Science Innovation and Technology, said that it is writing to the Information Commissioner pushing for an investigation. Watch this space! 

STOP PRESS: This afternoon the BBC reports that the data breach was much worse than previously thought: it contained personal details of more than 100 British officials including those whose identities are most closely guarded – special forces and spies. Is an ICO u turn incoming?

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security.

ICO Reprimands Law Firm for GDPR Breach 

Last week, the Information Commissioner’s Office (ICO) issued a reprimand to a Hampshire law firm following a data breach that affected over 8,000 individuals. 

Levales Solicitors LLP, a law firm specialising in criminal and military law, was reprimanded after an unknown cyber-attacker gained access to its secure cloud-based server.
The attacker used legitimate credentials to infiltrate the system, eventually leaking personal data on the dark web including  

  • Name, Address, Date of Birth
  • National Insurance Numbers 
  • Criminal data, including allegations, investigations, and prosecutions 
  • Details of complainants, victims (including children), and legally privileged information 
  • Prisoner Numbers, Health Status, and previous convictions 

A total of 8,234 data subjects were affected by the breach, with 863 individuals considered at high risk of harm due to the nature of the sensitive data involved.
This included data related to serious offences such as murder, terrorism, sexual offences, and matters involving vulnerable adults or children. 

The ICO’s reprimand focuses on the infringement of two key articles of the UK GDPR: 

  • Article 32(1)(b): The need to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems. 
  • Article 32(1)(d): The requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved. 

What Went Wrong? 

The ICO found that Levales Solicitors LLP failed to ensure the ongoing confidentiality of its systems, making it vulnerable to the cyberattack (Article 32(1)(b)). Several critical issues were identified by the ICO: 

No Multi-Factor Authentication (MFA): MFA, a basic yet crucial security measure, was not in place for the domain account affected by the breach. This allowed the attacker to access the system using stolen credentials. Despite its simplicity, MFA is considered one of the most effective ways to prevent unauthorised access. 

Weak Password Management: Levales had no clear password policy in place at the time of the breach, relying instead on computer prompts to guide password strength and updates. The lack of a formalised approach to password management further exposed the firm’s systems to risk. 

Unknown Point of Compromise: Levales Solicitors LLP was unable to determine how the attacker obtained the credentials, demonstrating a lack of sufficient oversight into how the breach occurred. 

The ICO also criticised Levales for failing to implement appropriate technical and organisational security measures (Article 32(1)(d)). Notably: 

Outsourced IT Management: Levales had outsourced its IT management but had not reviewed or updated security measures since 2012. The firm was unaware of basic security processes, such as detection, prevention, and monitoring systems in place with their third-party provider. 

Inadequate Contract Reviews: The ICO expects that organisations outsourcing services conduct regular reviews to ensure security measures are up-to-date and appropriate. Levales had not reassessed their IT service contract since signing it, leaving potential vulnerabilities unchecked. 

The National Cyber Security Centre (NCSC) provides a 12-step guide on supply chain security, which advises that vulnerabilities within contracts can be easily exploited if the responsibilities and security measures between the provider and controller are not clearly defined or regularly reviewed. 

Despite these significant failings, the ICO did acknowledge that Levales had taken remedial steps following the breach, including: 

  • Introducing Multi-Factor Authentication (MFA) for all user accounts. 
  • Updating service contracts with third-party providers to ensure better security. 
  • Conducting a comprehensive review of existing systems and prioritising firewall upgrades. 

After taking all factors into consideration, including the remedial steps taken by Levales, the ICO decided to issue a formal reprimand under Article 58(2)(b) of the UK GDPR.  

Key Takeaways  

The decision reflects the seriousness of the firm’s failings in securing sensitive personal data and underscores the importance of robust data security practices for all organisations, particularly those handling highly sensitive information. All businesses are advised to take the following steps to comply with GDPR requirements: 

  • Implement Multi-Factor Authentication (MFA) for all accounts to reduce the risk of credential theft. 
  • Ensure that password policies are robust and regularly reviewed. 
  • Review contracts with third-party service providers to confirm that appropriate security measures are in place and understood by both parties. 
  • Regularly assess and update security systems to ensure they remain effective against evolving cyber threats. 
  • Document and monitor the security measures in place, ensuring that they are tailored to the specific risks associated with the data being processed. 

This is not the first time that a law firm has been found to be in breach of GDPR.
In 2022 fined Tuckers Solicitors LLP £98,000 for a data breach of GDPR.
The fine followed a ransomware attack on the firm’s IT systems which saw the attacker had encrypting 972,191 files, of which 24,712 related to court bundles.  60 of those were exfiltrated by the attacker and released on the dark web.  Some of the files included Special Category Data. Tuckers reported the breach to the ICO as well as affected individuals through various means including social media.  

The ICO concluded that were a number of areas in which Tuckers had failed to comply with, and to demonstrate that it complied, with the Security Principle. Their technical and organisational measures were, over the relevant period, inadequate.
Amongst other things the lack of Multi-Factor Authentication was highlighted by the ICO. 

Data security is a cornerstone of GDPR compliance, and reprimand involving Levales Solicitors LLP highlights the potential consequences of not taking proper precautions. Organisations should treat this as a wake-up call to evaluate and strengthen their own data protection measures, particularly in areas where sensitive or high-risk data is involved. 

We have two workshops coming up (How to Increase Cyber Security in your OrganisationandCyber Security for DPOs) which are ideal for organisations who wish to up skill their employees about cyber security. See also ourManaging Personal Data BreachesWorkshop. 

Enjoy reading our blog? Help us reach 10,000 subscribers bysubscribingtoday! 

RAC Employees Sentenced for Selling Personal Data 

On 8th October 2024, two former RAC employees were sentenced for unlawfully copying and selling over 29,500 lines of personal information.  

The two former employees worked as customer service specialists at the RAC’s call centre in Stretford. Their unlawful conduct was discovered by the RAC after it installed new security monitoring software. The software showed employee one of them had unlawfully accessed and copied personal information relating to people involved in road traffic accidents. A subsequent search of  employee one’s mobile phone showed the information was shared in a WhatsApp chat with employee two. Messages indicated that a third party was paying for the information. 

At a hearing at Minshull Street Crown Court on 8 October 2024, both former employees were sentenced to 6 month prison sentences, suspended for 18 months, and each were ordered to complete 150 hours of unpaid work. Both defendants had previously pleaded guilty to offences under the Computer Misuse Act 1990 and Data Protection Act 2018. Prosecution costs will be considered at a Proceeds of Crime hearing listed for 5 March 2025. 

Section 55 of the old Data Protection Act 1998 can still be used to bring a prosecution where an offence pre-dates the current Section 170 of the Data Protection Act 2018, as in the above case. It is interesting to note that the ICO also cited section 1 of the Computer Misuse Act 1990 which carries a maximum of 2 years imprisonment on indictment.   

In June 2023, the Information Commissioner’s Office (ICO) disclosed that, since 1st June 2018, 92 cases involving Section 170 offences were investigated by its Criminal Investigations Team. The most recent of these was in September 2024, when an employee pleaded guilty to retaining and selling 3,600 pieces of customer records obtained from the car leasing company he worked for. He was ordered to pay a fine of £1,200 and £300 costs. 

It is important to note that, if a disgruntled or rogue employee commits a data protection offence, the employer may also be liable for the consequences. More on our recent blog on this subject. 

Enjoy reading our blog? Help us reach 10,000 subscribers by subscribing today! 

Transport for London Cyber Attack 

Transport for London (TfL) is currently dealing with a cyber attack that has targeted its computer systems. Sources within TfL have revealed that staff have been encouraged to work from home where possible, as the attack primarily affects the transport provider’s back-office systems at its corporate headquarters. TfL is collaborating closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident. 

Shashi Verma, TfL’s Chief Technology Officer, said: 

“We have implemented several measures to address an ongoing cybersecurity incident within our internal systems. The security of our systems and customer data is of utmost importance, and we are continuously assessing the situation throughout this incident.”  

Mr Verma emphasised that, although a complete assessment is still underway, there is no current evidence of customer data being compromised. If it turns out that any personal data has been compromised, whether employee or customer data,  of course TfL will need to consider reporting the matter to the Information Commissioner’s Office (ICO) as a personal data breach under Article 33 of the UK GDPR. As a statutory body, failure to do so could lead to TfL being fined up to £8.7 million. If the ICO investigates and finds a breach of the DP Principles (e.g. security) this could rise to £17.5 million. 

Back in the day major cyber incidents involving personal data were sure to be the subject of an ICO fine. In 2018, British Airways and  Marriott International were fined £20 million and  £18.4 million respectively. More recently the ICO has issued more reprimands in line with its policy on public sector enforcement. It recently issued a reprimand to the Electoral Commission following the discovery that unspecified “hostile actors” had managed to gain access to copies of the electoral registers, from August 2021. On 26th June 2024, the ICO announced that it will now review the two-year trial before making a decision on the public sector approach in the autumn.  

This is not the first cyber attack on a major public service provider in the capital.  Last month the ICO announced that it had issued a GDPR Notice of Intent of £6.09 million to an NHS IT supplier. This comes after its findings that the company failed to adequately protect the personal data of 82,946 individuals in breach of Article 32 of the UK GDPR.  As a key IT and software provider for the NHS and other healthcare organisations across the country, Advanced often holds role of Data Processor for many of its clients. The breach in question occurred during a ransomware attack in August 2022. Hackers exploited a vulnerability through a customer account that lacked multi-factor authentication, gaining access to multiple health and care systems operated by Advanced. The compromised data included phone numbers, medical records, and even details on how to access the homes of 890 individuals receiving at-home care. 

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to up skill their employees about cyber security. See also our Managing Personal Data Breaches Workshop

London Hospitals Hit By Major Cyber Attack

The Independent reports this afternoon that two major London hospital trusts have had to cancel all non-emergency operations and blood tests due to a significant cyber attack. Both King’s College Hospital Foundation Trust and Guy’s and St Thomas’ Hospitals Foundation Trusts have seen their pathology systems compromised by malware.

Synnovis, the service provider responsible for blood tests, swabs, bowel tests, and other critical services for these hospitals, was targeted in this attack. The impact is widespread, affecting NHS patients across six London boroughs. The affected hospitals include Guy’s Hospital, which operates the Evelina children’s hospital, Harefield Hospital, King’s College Hospital, Princess Royal University Hospital, Royal Brompton Hospital, and St Thomas’ Hospital.

On Monday, Synnovis confirmed the severity of the attack, which has disrupted services for tens of thousands of patients. As the hospitals work to mitigate the damage and restore services, the incident highlights the vulnerability of healthcare systems to cyber threats and the far-reaching consequences such attacks can have on patient care.

The Information Commissioner’s Office is yet to comment. 

We have two workshops coming up in September (Introduction to Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to up skill their employees about data security. See also our Managing Personal Data Breaches Workshop.  

MOD Payroll Data Hacked

The government has raised concerns about a cyber attack on an armed forces payroll system, with indications pointing towards China as the suspected perpetrator. Defence Secretary Grant Shapps is set to address Members of Parliament today, although he is not expected to directly attribute blame to any specific party.
Instead, he is likely to emphasise the threat posed by cyber espionage activities conducted by hostile states.

The affected system, utilised by the Ministry of Defence (MoD), contains sensitive information such as names and bank details of armed forces personnel, with a few instances where personal addresses may also be included. Managed by an external contractor, the breach came to light in recent days, prompting government action, although there’s no evidence suggesting data was actually extracted from the system.

The investigation into the breach is still in its early stages and attributing responsibility can be a complex and time-consuming process. While official accusations may not be made immediately, suspicions are reportedly pointing towards China, given its history of targeting similar datasets.

Those impacted by the breach will receive communication from the government regarding the incident, with a focus on addressing potential fraud risks rather than immediate personal safety concerns.

At the time of writing it is not clear if the MoD has reported the data breach to the ICO as required by the UK GDPR. In December 2023, the MoD was fined £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. 

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. 

Navigating Turbulence: Qantas App Privacy Breach Sparks Concerns 

Today a number of news outlets are reporting that Australian airline Qantas is investigating a privacy breach on its app. Customers discovered that they had access to the personal details of other travellers, including boarding passes and frequent flyer information. This discovery has raised significant concerns about data security and privacy among Qantas app users. 

Qantas responded to the situation, acknowledging the issue and assuring customers that it was under investigation. Within three hours of the breach being detected, the airline claimed to have resolved the problem and issued a public apology for any inconvenience caused. 

Despite initial fears of a cyberattack, Qantas stated that the breach was likely due to a technology glitch, possibly linked to recent system updates. However, the extent of the breach was troubling, with some users reporting the ability to view multiple passengers’ details with just a few clicks. 

Customers shared their experiences on social media platforms, recounting instances where they were confronted with strangers’ personal information upon opening the app. Concerns were further amplified when reports emerged of individuals being able to manipulate flight bookings, raising questions about the app’s security measures. 

In response to the breach, Qantas advised affected users to log out and log back into the app to mitigate the issue. The airline reassured customers that there were no indications of travellers using incorrect boarding passes as a result of the breach. 

Social media channels buzzed with criticism of Qantas, with users sharing screenshots of the glitch and raising awareness of potential phishing attempts. Allegations surfaced of fake Qantas customer care accounts soliciting personal information from users under the guise of assistance. 

Does the UK GDPR apply here? 

In October 2020, the UK Information Commissioner’s Office fined British Airways £20million, under the GDPR, for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by attackers.   

Whilst Qantas has said that this incident was not due to a cyber-attack, it will certainly face questions about its handling of customer data under Australian data protection laws. It is also possible that Qantas, an Australian company,  is the subject of a probe by the UK Information Commissioner’s Office under the UK GDPR if, as is likely, UK data subjects are affected by the incident.  

Article 3(2) of the UK GDPR gives it an extra territorial effect. It states:  

“This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to: 

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or 

(b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.” 

Applying this principle, On 4th April 2023, the ICO issued a £12.7 million fine to TikTok, a US company owned whose parent company is owned by Beijing based ByteDance, for a number of breaches of the UK GDPR, including failing to use children’s personal data lawfully.   

As Qantas works to address the fallout from this breach and restore trust among its customer base, the incident serves as a stark reminder of the importance of robust data security measures in the digital age. It highlights the vulnerability of personal data in online platforms and underscores the need for companies to prioritise the protection of customer data. 

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.  

YMCA Fined for HIV Email Data Breach 

Another day and another ICO fine for a data breach involving email! The Central Young Men’s Christian Association (the Central YMCA) of London has been issued with a Monetary Penalty Notice of £7,500 for a data breach when emails intended for those on a HIV support programme were sent to 264 email addresses using CC instead of BCC, revealing the email addresses to all recipients. This resulted in 166 people being identifiable or potentially identifiable. A formal reprimand has also been issued

Failure to use blind carbon copy (BCC) correctly in emails is one of the top data breaches reported to the ICO every year. In December 2023, the ICO fined the Ministry of Defence (MoD) £350,000 for disclosing personal information of people seeking relocation to the UK shortly after the Taliban took control of Afghanistan in 2021. Again the failure to use blind copy when using e mail was a central cause of the data breach. 

Last year the Patient and Client Council (PCC) and the Executive Office were the subject of ICO reprimands for disclosing personal data in this way. In October 2021, HIV Scotland was issued with a £10,000 GDPR fine when it sent an email to 105 people which included patient advocates representing people living with HIV. All the email addresses were visible to all recipients, and 65 of the addresses identified people by name. From the personal data disclosed, an assumption could be made about individuals’ HIV status or risk.  

Organisations must have appropriate policies and training in place to minimise the risks of personal data being inappropriately disclosed via email. To avoid similar incidents, the ICO recommends that organisations should: 

  1. Consider using other secure means to send communications that involve large amounts of data or sensitive information. This could include using bulk email services, mail merge, or secure data transfer services, so information is not shared with people by mistake.  
  1. Consider having appropriate policies in place and training for staff in relation to email communications.  
  1. For non-sensitive communications, organisations that choose to use BCC should do so carefully to ensure personal email addresses are not shared inappropriately with other customers, clients, or other organisations. 

More on email best practice in the ICO’s email and security guidance

We have two workshops coming up (How to Increase Cyber Security and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about data security. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.