In March 2019, the Police Federation of England and Wales (PFEW) experienced two ransomware cyber-attacks. During the attacks, cybercriminals gained access to databases containing the personal information of around 130,000 police officers.
Following the PFEW data breach, our firm launched a group action to help victims of this privacy violation claim compensation. In this comprehensive guide, we explain what happened, who was affected, and how victims of this breach can secure justice and compensation for the violation of their data protection rights.
In March 2019, the Police Federation of England and Wales (PFEW) suffered a severe data breach across several of its databases and servers. The first attack occurred on 9 March 2019 when entry to the PFEW’s network was gained via a “password spraying” attack. This happens when common username and password combinations are used to gain access to a system or network. A robust password protocol should have stopped this initial attack from being successful.
Following the initial attack, on 21 March the Federation was subjected to a further, multi-pronged, sustained ransomware attack. Early indications showed that the attack was different from the first and affected the wider Federation network. The entry point for this attack was a remote access support tool used by an IT service provider.
During the attacks, the hackers accessed the PFEW’s systems and encrypted several of its databases, making them inaccessible to the PFEW. These databases held the personal information of around 130,000 members, with officers at all levels affected.
The information compromised in the PFEW data breach includes:
Your data might have been compromised in this attack if any of the following apply:
As well as serving officers, officers who retired before 2019 and were – or had previously been – a PFEW member could also be involved in this data privacy violation, even if they were not PFEW members at the time of the breach. This is because the Federation holds officer data until their death (or their 100th birthday). But the PFEW has failed to notify retired police officers of the attacks directly. This is a significant failure by the PFEW.
At KP Law, we are running the PFEW data breach action on a no-win, no-fee basis. This means you won’t pay a penny towards your case if your claim is unsuccessful. There are no hidden charges or fees.
If your claim is successful, you will pay a success fee to cover our costs. We take this fee from your compensation. It is the only thing you will pay if you win. The following is an example of how our success fee works. In this case, our success fee is 25% of the compensation awarded to you.
If your claim is successful, and you are awarded £2,000* compensation.
*For illustration purposes only.
In March 2022, three years after the incident, the PFEW finally admitted liability for unlawfully processing police officers’ personal data by not having the appropriate technical and organisational measures in place. Nevertheless, the PFEW claims there is no evidence that data was taken.
On its website, the PFEW states that it is highly unlikely that personal data has been “exfiltrated”. It claims that, without proof of exfiltration, PFEW members and retired officers do not have a claim for compensation.
This is simply not true!
The PFEW admits to the unlawful processing of data by allowing criminals to access its network. We know that data was accessed, lost and destroyed during the attacks. For these reasons, claimants are entitled to bring claims and seek damages.
What’s more, although the PFEW continues to claim that there is ‘no evidence’ that data was taken by cybercriminals during the attacks, it cannot say for sure. In a similar way, the PFEW has no idea if your data was copied.
What we do know is that, if the PFEW could get rid of the claims by providing evidence that data had not been exfiltrated, it would have done so by now.
This uncertainty is a key feature of these data security incidents because, years later, the PFEW still hasn’t been able to tell members affected by the data breaches what exactly happened.
While criminals are behind the violation, where personal and sensitive information is held, significant and robust processes must be in place to secure that data, and to prevent successful cyberattacks.
In our experience, it is unlikely that hackers would have gained control if sufficient and acceptable security measures had been in place. On this occasion, this did not happen, so the PFEW must be held responsible.
Under the GDPR, a ‘personal data breach’ is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
For this reason, and because of the distress caused by the data breach, we believe that affected PFEW members have valid compensation claims.
In addition, although the PFEW notified a small proportion of its members directly, it did not notify all its members who were affected by the attacks. Under the GDPR, the PFEW was required to notify all those affected ‘without undue delay’.
At KP Law, we have seen victims of similar data breaches become the target of cybercriminals, with instances of phishing, fraud, and identity theft. Because the PFEW failed to take sufficient steps to notify all those affected, members were left exposed, as they were not given the opportunity to protect themselves from such threats. This added to victims’ worry when they eventually found out about the breach.
Years later, we are still receiving enquiries from police officers who were never notified about the breach. We think this is unacceptable.
A data breach can result in both financial and identity theft. With enough stolen information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts, use your cards to make payments, and access your existing accounts. Criminals also use financial data in scams designed to extract additional information from victims (e.g., banking passwords). And hackers often sell stolen financial data to other criminals for future scams.
Simply knowing that your details could be in the hands of cybercriminals can lead to anxiety and distress.
More than 130,000 Police Officers have been impacted by this data breach and we represent a significant proportion of this cohort. All of our clients have suffered distress, and some have been the victims of spam emails and/or fraudulent transactions. In extreme circumstances, some of our clients have suffered personal injury and require medical expert reports to help quantify their claim.
Following the PFEW data breach, our clients have told us that they:
The PFEW data breach could have severe consequences for those affected. Officers who think they might be involved should be extra vigilant. Here are some top tips from the data protection experts at KP Law on how to do this:
Contact your bank or credit card provider immediately if you spot any unfamiliar transactions or suspicious activity. It’s also worth keeping an eye on your credit score for any unexpected dips and contacting all the major credit reference agencies to ensure credit isn’t taken out in your name.
Be on your guard in case criminals use the information stolen in the breach to try to extract additional information from you.
If you are concerned that your data might be at risk, there are some steps you can take to stop the threat from escalating. For example, you could register with the Cifas protective registration service. You should also change your passwords and make sure your devices are protected by up-to-date internet security software.
A criminal investigation has been launched into the Police Federation cyber-attack. The Information Commissioner’s Office (ICO) – the UK’s data protection regulator – is also aware of the situation.
However, while it has the power to impose hefty fines on organisations who fail to meet their data protection requirements, the ICO does not award compensation. Instead, any penalties paid by the PFEW will go to HMRC. The only way to receive compensation and justice is to make a data breach compensation claim.
Despite repeated attempts to open negotiations with the PFEW, it has consistently refused to engage with our data breach solicitors about the claim. In response, KP Law had no choice but to take this matter to Court.
While the PFEW is attempting to discredit the affected officers’ right to claim compensation for this breach, it has admitted to several facts that we believe strengthen our case. For example:
Our data protection solicitors have listed some helpful links to ensure victims of the PFEW data breach know where they can turn.
The leading independent victim’s charity in England and Wales for people affected by crime and traumatic incidents.
If you are struggling emotionally after a data breach, you can call the Samaritans free from any phone.
Provides advice, information, onward referral, and holistic support to people experiencing mental ill-health and drug/alcohol difficulties (which could be exacerbated following the PFEW hack). The service also supports people who have been a victim of crime.
A source of unbiased, factual, and easy-to-understand information on online safety with guidance to protect you from fraud, identity theft and abuse.
Impartial advice to help everyone in the UK protect themselves against financial fraud.
Victims of online offences such as scams and financial/identity fraud following the PFEW data hack should contact Action Fraud to report their loss.
At KP Law, we understand that choosing a data breach solicitor can be daunting. How do you know if it is the right firm for you, and can you be sure that you will not have to pay any unforeseen costs? To make the process a little bit easier, here are some questions you should ask when choosing a PFEW data breach lawyer.
Data breach and cybercrime are relatively new and evolving areas of law. Most firms do not have lawyers who are experts in this field, but at KP Law, we have a dedicated team of data protection experts. Furthermore, because we understand the minutiae of data breach law, we know what it takes to make a successful data breach claim.
Many firms will offer their services on a no-win, no-fee basis. In such cases, if you do not win, you do not have to pay a penny. When appointing a data breach lawyer, check the T&Cs to make sure no-win, no-fee does not exclude costs. At KP Law, we also take out insurance to protect our clients from any legal costs should they lose. It is also worth looking at what you will be charged if you win.
If your claim is successful, you will have to contribute towards your lawyer’s costs. This ‘success fee’ is taken from the compensation awarded to you, and in some cases, it can be much higher than you expected. Our success fee is one of the most competitive around, and there are no hidden fees or admin charges. If you win, our success fee is the only thing you will pay.
Several UK firms have knowledge of multi-claimant litigation, but it is worth checking to see if they have experience in multiple data breach group actions. At KP Law, we are currently managing several significant data breach group actions. And we have secured settlements against big players such as British Airways and Ticketmaster.
When it comes to legal support, large organisations are smarter and better resourced than ever before. And it can be difficult for some law firms to stand up to such strength when representing clients after a data breach. At KP Law, we have the legal expertise and resources necessary to take on corporate giants with deep pockets.
If the PFEW has informed you in writing that you were involved in the breach, we can use this confirmation to start your claim. But, as we have established, the PFEW did not notify everyone affected.
If you were a serving police officer during March 2019 and a Police Federation member, we can find out if you were involved.
Once we have confirmed that the PFEW breached your data, you can join our claim. If the breach has harmed you in some way, we will also ask for evidence to prove this. For example, if you experience emotional distress because of this data breach, please keep any details about medical appointments/prescriptions that relate to this data breach.
At KP Law, we are representing police officers in this case on a no-win, no-fee basis to ensure they have access to the absolute best lawyers without worrying about legal fees. Any members who wish to join our claim, or invite friends and colleagues to join this action can do
KP Law has some of the most skilled data breach lawyers in England and Wales. Here are just some of our success stories.
KP Law is a founding member of the Collective Redress Lawyers Association (CORLA). CORLA aims to improve access to justice for claimants by way of collective redress.