GDPR Radio – Episode 126

Hosted by Founder and Managing Director, Phil Brining, and Data Protection Support Desk Consultant, Joe Kirk.

Picture of woman on a podcast

Recent Data Breaches and Employee Surveillance

Welcome to another episode of GDPR Radio, brought to you by Data Protection People. In today’s episode, we discuss some recent data breaches that have raised concerns about supply chain risks and personal data exposure. Additionally, we delve into the growing issue of employee surveillance in the workplace. Let’s get started!

Data Breach: MOVEit File Transfer Tool Exploited Recent media reports have revealed that cybercriminals successfully exploited a zero-day vulnerability in the MOVEit file transfer tool, affecting thousands of organisations internationally. The breach, attributed to the Russian-speaking ransomware group Clop, compromised personal data, including contact information, National Insurance numbers, and bank details. Progress Software, the provider of MOVEit, promptly patched the vulnerability, but the incident underscores the importance of addressing security flaws and supply chain risks.

Data Breach: Scrubs & Beyond Exposes Customer Data Healthcare retailer Scrubs & Beyond experienced a severe data exposure incident, leading to the public exposure of personally identifiable information and sensitive financial data of its customers. The leaked server contained a wealth of personal information, including names, email addresses, phone numbers, physical addresses, and even internal credentials. The breach also exposed plaintext credit card details and PayPal payment logs, putting affected customers at risk of financial fraud and identity theft. Scrubs & Beyond’s lack of response to the issue raises questions about their commitment to data protection.

Data Breach: GP Data Breach after Capita Cyber-Attack NHS England reported a data breach involving GP information following a cyber-attack on Capita, affecting 90 organisations. Initially downplayed by Capita, it was later revealed that data had been exfiltrated, leading to significant costs associated with recovery and remediation. The breach involved limited optometry information for two patients and accessed files containing names and NHS numbers of deceased and de-registered GP patients. While no health data or other patient data was compromised, the breach highlights the need for organisations to promptly address and report security incidents.

Data Breach: Tesla’s Alleged Data Protection Violations Tesla faced allegations of data protection violations following a data leak reported in Germany. Confidential data, including employee and customer information, was leaked by a whistleblower, potentially violating the GDPR. The leaked files contained personal information of thousands of employees, including Tesla CEO Elon Musk’s social security number, private email addresses, phone numbers, and salary details. The case highlights the need for organisations to implement robust data protection measures and respond promptly to potential vulnerabilities.

Employee Surveillance: The Impact on Privacy and Productivity The growing trend of employee surveillance is raising concerns among workers. Companies have increasingly turned to monitoring tools, such as Hubstaff, to track employees’ activities remotely. However, the constant monitoring can negatively impact employees’ productivity and well-being. Workers feel constantly watched, leading to stress and the need for additional measures to maintain privacy. Transparency and trust between employers and employees are crucial to ensure a healthy work environment.

Regarding the personal data breach query, it is important to assess the incident and take appropriate actions to mitigate the risks and ensure compliance with data protection regulations.

Here are some considerations:

Incident Response: The customer has already taken a step in the right direction by implementing a block to prevent further access to the disclosed information. This helps contain the breach and limit potential harm.

Data Compromised: In this case, personal information such as customer names, contact details, addresses, and property alerts were disclosed. It is essential to assess the sensitivity and potential impact of this information. The fact that the phishing attack targeted banking details suggests the possibility of fraudulent activity beyond the initial breach.

Data Access and Download: Since it is unknown how many files were accessed or if the information was downloaded, it is challenging to determine the full extent of the breach. It is advisable to assume the worst-case scenario and consider that the data may have been compromised.

Risk Assessment: Conduct a risk assessment to evaluate the potential impact on individuals’ privacy and rights. Factors to consider include the sensitivity of the data, the potential harm to affected individuals, and the likelihood of unauthorised access or misuse.

Breach Notification: If it is determined that the breach poses a risk to individuals’ rights and freedoms, it may be necessary to notify the relevant supervisory authority as per the requirements of the applicable data protection regulations, such as the General Data Protection Regulation (GDPR). The specific notification obligations and timelines may vary depending on the jurisdiction.

Communication with Affected Individuals: Promptly inform the affected individuals about the breach, the type of data involved, and the potential risks they may face. Provide guidance on how they can protect themselves from potential harm, such as being vigilant against phishing attempts or monitoring their financial accounts.

Regarding data sharing with the police, here are some points to consider:

Legal Basis: Under the GDPR, data sharing with law enforcement authorities, including the police, may be justified on various legal grounds, such as compliance with a legal obligation or the performance of a task carried out in the public interest.

Purpose Limitation: Data sharing with the police should be limited to the purpose for which it is necessary and relevant. Ensure that the sharing is directly related to the prevention, investigation, detection, or prosecution of criminal offenses.

Lawful Authority: Determine whether there is a legal basis or specific legislation that authorises or mandates the sharing of personal data with the police. Consult applicable laws and regulations in your jurisdiction to understand the requirements and conditions for such sharing.

Data Protection Safeguards: Prior to sharing personal data, consider implementing appropriate safeguards to protect the rights and freedoms of the individuals involved. This may include ensuring data accuracy, implementing security measures, and considering data minimisation and retention principles.

Individual Rights: Inform individuals about the data sharing with the police, their rights regarding their personal data, and how they can exercise those rights. This includes the right to access their data, rectify inaccuracies, and lodge complaints if they believe their rights have been violated.

Data Protection Impact Assessment (DPIA): In cases where the data sharing involves high risks to individuals’ rights and freedoms, conduct a DPIA to assess and mitigate these risks. This is especially important when processing sensitive data or when implementing systematic and extensive surveillance measures.

It is recommended to consult with legal professionals or data protection experts to ensure compliance with the specific requirements of the GDPR and any relevant local data protection laws when dealing with personal data breaches and data sharing with law enforcement authorities.

In conclusion, these recent developments highlight the importance of data protection and the challenges organisations face in maintaining compliance with regulations such as the GDPR. The case involving the Lithuanian app builder and the National Public Health Centre underscores the need to carefully analyse the roles and responsibilities of data controllers in collaborative projects, as well as the requirement for explicit consent in data processing activities.

Furthermore, the Dutch Data Protection Authority’s observation that individuals should assume their personal data has already leaked or will do so at some point emphasises the necessity for individuals and organisations to prioritise data protection measures. Taking proactive steps, such as using unique passwords, implementing secure login methods, and exercising privacy rights, can help mitigate the risks associated with data breaches.

On the regulatory front, the expansion of ICO powers in the UK, as outlined in the DPDI Bill, grants the Information Commissioner’s Office wider investigative capabilities. This may have implications for organisations in terms of their obligations to provide information and documents during investigations, potentially leading to increased resourcing burdens.

In the international landscape, the new partnership agreement between the UK and the US, as established by Prime Minister Rishi Sunak and President Joe Biden, includes a data protection deal that aims to facilitate data sharing between certified US organisations and UK businesses. This agreement is expected to reduce red tape and benefit small firms engaged in transatlantic trade.

Looking ahead, it is crucial for organisations to be prepared for various data protection challenges. The upcoming discussion on rights requests provides an opportunity to delve deeper into the intricacies of individuals’ rights under data protection laws. Hosted by Phil Brining, Joe Kirk, and featuring the return of Jasmine Harrison, this session promises valuable insights and practical guidance. To stay informed about this and other upcoming sessions, visit the events page of the Data Protection People website at

By staying abreast of the evolving data protection landscape, organisations can navigate the complexities of data breaches, data sharing, individual rights, and regulatory compliance, ultimately safeguarding the privacy and security of personal data.