In May 2020, the company disclosed a cyber attack that took place from late March to early May 2020 and affected the confidentiality and availability of the personal data of up to 113,000 current and former employees. According to the UK's Information Commissioner, bad actors exploited "negligent security practices within the network to unlawfully access and encrypt personal data".
The compromised information included telephone numbers, email addresses, national insurance numbers, bank account details, marital status, birth date, education, country of birth, gender, number of dependents, emergency contact information and salary. For some individuals, special category personal data was also accessed, including ethnic origin, religion, details of disabilities, sexual orientation and health information relevant to ill-health retirement applications.
In October 2022, the ICO issued a Penalty Notice under section 155 of the Data Protection Act 2018 setting out the company's contraventions from March 2019 to December 2020, during which it had failed to process personal data in a manner that ensured adequate security of the data (which the Commissioner noted was in contradiction to the company's own documented standards), and which ultimately rendered it vulnerable to the 2020 incident.
In August 2023, it was reported that the incident had cost the company £11 million to remediate.