New Skills Academy, an online education provider with over 800,000 students, has recently fallen foul of a significant data breach, raising serious concerns over the organisation’s compliance.
This incident follows a number of high-profile organisations in the UK that are simply failing to comply with data protection laws. On 6th July it was announced that British Airways had settled a civil action brought following a breach of its security systems in 2018 that caused the personal data of 420,000 staff and customers to be leaked. The same breach resulted in a regulatory fine of £20m from the Information Commissioner’s Office.
On 30th June 2021, New Skills Academy emailed users of its services to inform them that it had been targeted by a third party looking to acquire its users’ data. It said that its investigation revealed that “some customer account information may have been exposed to unauthorised sources”, but did not indicate when the incident occurred nor when it was discovered.
The potential exposure included usernames, email addresses and encrypted passwords, but the organisation went on to say that it does not store any financial/credit card data. This directly conflicts with its own privacy notice which states that it may collect, use, store and transfer financial data including bank account, payment card and electronic payment details, plus transaction data including details about payments. The notice also states that the company may receive personal data about users from third parties such as “Contact, Financial and Transaction Data from providers of technical, payment and delivery services”. UK organisations have 72 hours in which to inform the Information Commissioner’s Office (ICO) of a reportable breach. It is unclear from New Skills Academy’s emails if, and when, it informed the ICO.
Mark Gleeson, a partner at law firm Brandsmiths and an expert in data protection and cyber security law, has over 20 years’ experience including in data breach management and data protection disputes.
Gleeson comments: “The New Skills Academy security breach raises a number of concerns about the company’s compliance with data protection laws including the UK’s General Data Protection Regulation. This incident appears to be a clear breach of the legal requirement to ensure appropriate security of the personal data of users against unauthorized or unlawful processing. What is also troubling is that the company’s email notification, which directly contradicts its own privacy notice, may give customers a false sense of reassurance about the security of their financial information”.
Consumers are trusting more and more organisations with increasing amounts of data but have clear rights to expect that their data is protected and only used in accordance with the law. New Skills Academy did not specify how the data came to be exposed to unauthorised sources but, where data rights are infringed, either by a sophisticated hacker stealing the data or by an employee carelessly handling information, there is a mechanism in place to compensate those who suffer damage or loss as a result.
Gleeson adds: “We recommend users of New Skills Academy to be extra-vigilant when reading emails or downloading files as well as changing any passwords. Our team of expert lawyers are always on hand to assess and pursue claims for those whose data rights having been infringed.”
— ENDS —
FOR MORE INFORMATION CONTACT:-
Jamie White at Overture London
T: +44(0)203 817 8383.
E: [email protected]
NOTE TO EDITORS /
Founded by ex-Mishcon de Reya Partner Adam Morallee in 2014, Brandsmiths is the law firm for IP-rich businesses. It has developed a reputation for being a vital commercial advisor for entrepreneurial genius, but it is also increasingly recognised as the go-to team for established brands who value fresh thinking and a contemporary attitude. From offices in London and Manchester a dedicated team represent clients in a range of sectors, particularly platforms, ecommerce, sport, technology and FMCG. Clients include Microsoft, BMW, Trivago, Hunter, Mini, Umbro, Puregym, Missguided and a range of tomorrow’s major players. Brandsmiths is increasingly recognised as a leading firm in the creation, exploitation, extension and protection of value. It is naturally more agile and flexible than many of its larger rivals, with a culture and operating structure designed to allow the best and brightest lawyers to excel.