For data breaches identified by third parties, what does this mean for the victim or victims, and what questions do we need to ask as part of a case?
Many of those we represent are involved in cases and actions where the breach was revealed by someone other than the organisation that committed it. In those sorts of cases, there are questions to be asked about how that came to be.
As a leading firm of data breach compensation lawyers, we may be able to help you.
Data breaches identified by third parties – what this means
Data breaches identified by third parties before the organisation that has committed the breach even knows about it can lead to added cause for concern. There shouldn’t be a breach in the first place but, when the incident itself is identified by someone other than the organisation affected, there are more questions to be asked.
The obvious one is why the organisation did not know that it had been breached in the first place. How was it that it took a third party to tell them that there was an issue?
We saw this in one of the major group actions that we are pursuing for our clients. In the case of the Virgin Media data leak, the exposed information was found by a third-party security researcher. This meant that the data had been left exposed for a period of ten months between April 2019 and February 2020.
In the context of a legal case for compensation, this can mean that there is a greater chance of success. If information has been left exposed for a long period of time and was not even identified by the organisation itself, this can demonstrate just how poor their approach is to information security.
There should be measures in place to prevent breaches but also to ensure that any risk or actual exposure of information is identified and rectified fast.
Are organisations being ignorant?
Sometimes, the damage from data breaches identified by security researchers, or even members of the public, could have been completely avoidable had warnings been heeded.
Many security researchers are constantly looking at the dark web, and when they see patterns or evidence that suggests a breach may have occurred, they will often notify the companies that may be involved. Unfortunately, not all of them take note; in fact, there have been suggestions in the past that many organisations are just ignoring the warnings that they receive. What they ought to be doing is taking steps to ensure that there has not been a breach, even if it just means being on the safe side.
In the Ticketmaster data breach compensation action, in which we represent clients, it has previously been suggested that the company was warned about the breach before it was discovered. It has been reported that Monzo Bank warned of the existence of the cyberattack in April before it was revealed two months later, basing their warnings on issues some of their customers had experienced.
Although it was after the fact, security researchers suggested that the massive British Airways data breach could have been avoided with a simple bug bounty costing as little as £10,000. It all shows that there is too little proactivity, and when data breaches identified by third parties are brought to the fore, it’s only right that more questions are asked.
Data breach rights enshrined in law
Data breach rights are enshrined in law. Victims can be entitled to claim compensation with us on a No Win, No Fee basis.
For free, no-obligation advice today, please don’t hesitate to contact the team here.