In early June 2023, DHL informed staff that Zellis, a company providing it with payroll support services, had suffered a cyber-attack. As a result, the personal data of some current and former DHL staff paid in the UK held by Zellis had been hacked. The personal data included employees’ DHL payroll number, first name, surname, date of birth, National Insurance Number, first line of address and employment start date and employment end date (for leavers).
Investigations into the cause and consequences of the data breach are continuing. However, for hackers to be able to access this personal data, something has clearly gone very badly wrong. It will be important to critically review the adequacy or otherwise of the security measures in place and identify who bears responsibility for any shortcomings identified. If these security measures were not adequate, those affected are likely to be entitled to compensation for the distress caused by the breach as well as any financial losses that they may have suffered.
About the data breach claim
Organisations need to ensure that all personal data that they hold is held securely – including taking steps to protect this information from cyber-attacks. This does not appear to have happened in this case. If you are a current or former member of DHL staff who has been notified that your personal data has been affected by the data breach, you could be entitled to compensation for any distress caused or financial losses suffered.
Leigh Day's data protection experts are currently investigating claims on behalf of DHL staff affected by the data breach. Get in touch today to find out how you can join the data breach claim.
In early June 2023, DHL contacted current and former staff stating that it had been notified by Zellis, a company providing it with payroll support services, that it had experienced a cyber-security incident which had led to a disclosure of personal information of some current and former staff of DHL Services Limited paid through DHL’s payroll in the UK. In some cases, current and former staff were first informed that they may have been affected before being told that they had been affected. Zellis also issued a statement confirming that it had suffered a data breach affecting a number of its customers.
DHL stated that the incident happened as a result of a vulnerability in a widely used file transfer tool called MOVEit, supplied by Progress Software, used by Zellis. The software is used to transfer files between and within organisations.
The notification continued that DHL understood that employees’ DHL payroll number, first name, surname, date of birth, National Insurance Number, first line of address and employment start date and employment end date (for leavers) had been compromised.
Join the DHL staff data breach claim
DHL stated that they were taking the data breach extremely seriously and that they had informed the Information Commissioner’s Office of the incident and were monitoring the situation.
DHL also stated that they had set up a credit and web monitoring package with Experian that would be available free of charge to those affected for the next 12 months. They also said that they were working with Zellis and their cybersecurity partners to monitor the situation.
As well as signing up to, and using, the credit and web monitoring package with Experian, DHL also encouraged those affected to be cautious of any unsolicited and unexpected communications, avoid responding to or downloading attachments or clicking on links from suspicious or unknown email addresses, create strong, complex passwords for different online accounts, avoid giving personal information in passwords and avoid giving personal details over the phone unless sure who speaking with. DHL also stated that victims of fraud should report the matter to Action Fraud.
Microsoft and IT specialists have attributed the cyber-attack to the notorious Russian ransomware group C10p (Clop), on the basis of its similarity to previous attacks by the group. Clop have also posted a notice on their darknet site stating that they had exploited vulnerabilities in the MOVEit software to download data from “hundreds of companies”, without naming them, and warned affected organisations to contact them to agree a ransom payment or they would start publishing the stolen data.
Following the expiry of the deadline for contacting them, Clop have started posting data from certain companies, including Shell and Aon, on their website. At the time of writing, no data relating to DHL staff appears to have been posted.
How do I join the claim?
We are currently investigating bringing a claim for compensation on behalf of affected DHL staff. If you are one of the current or former members of DHL staff affected by the data breach, you can join the claim here. Fill in our short form today.
What our lawyers say
This is a serious data breach, particularly in the cases where financial information has been taken. Clearly, for hackers to be able to access this personal data, something has gone badly wrong.
Sean Humber, partner
Join the DHL staff data breach claim
What the directories say
Sean Humber is fantastic at what he does; his professionalism and customer skills are second to none. It's an absolute pleasure having him as my solicitor.
Chambers and partners 2023
Why use Leigh Day?
Experienced
Our human rights team has more than 20 years' experience in data protection and privacy claims. This includes challenging multi-national companies as well as local authorities and the NHS.
Informed
We keep on top of changes to information and data protection law to best advise our clients. We have brought successful compensation claims in cases where others wrongly accessed clients’ personal, medical and financial information.
Top ranked firm
The human rights team has been recognised as a leader in its field for many years. In 2022, we were top ranked in eight practice areas in Chambers and Partners.
What the directories say
Gene Matthews takes really bold cases on serious issues and has a habit of winning them.
Chambers and partners 2023
Related news
Further companies affected by Clop MOVEit cyber-attack
Leading data breach lawyers have confirmed that recent announcements that employee and customer information from more companies has been hacked by Clop as a result of the MOVEit cyber-attack may lead to claims for compensation by those affected.
Shell latest company to confirm that employee and customer data are affected by Clop cyber-attack
Leading data breach lawyers say the recent announcement by Shell that employee and customer information has been hacked may lead to claims for compensation by those affected.
Serious data breach affects personal information of tens of thousands of British Airways, Boots and BBC staff
Leading data breach lawyers say that the recent announcements by British Airways, Boots and BBC that their staff’s personal information has been hacked, are likely to lead to substantial claims for compensation by those affected.
Hacking announcements by DHL, Transport for London, Ofcom and Ernst & Young likely to lead to substantial claims for compensation
Leading data breach lawyers say that the recent announcements by further organisations, including DHL, Transport for London, Ofcom and Ernst & Young, that staff and other personal information has been hacked, are likely to lead to substantial claims for compensation by those affected.
Submit your information
We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.
If you have been notified by DHL that your personal information was accessed as a result of the cyber attack and wish us to investigate a claim, you can start the process today.
Similarly, if you have any queries or problems completing the sign-up process or would prefer to be taken through the sign-up process by telephone, please email us at dhlstaffdatabreach@leighday.co.uk or call us on 020 3780 0376 and a member of our legal team will contact you to arrange a convenient time to speak with you.
Our human rights team challenge multi-million-pound corporations who have unlawfully shared their customers' information or failed to invest in adequate security measures, resulting in a data breach.
Contact the team by telephone on 020 3780 0376 or send an email.
Contact the team
Sean Humber
Sean is an experienced human rights lawyer and privacy breach compensation claims specialist
Gene Matthews
Gene specialises in consumer law, product liability and data protection claims mainly brought as group claims/ multi-party actions
FAQs
In early June 2023, DHL contacted current and former staff stating that it had been notified by Zellis, a company providing it with payroll support services, that it had experienced a cyber-security incident which had led to a disclosure of personal information of some current and former staff of DHL Services Limited paid through DHL’s payroll in the UK. In some cases, current and former staff were first informed that they may have been affected before being told that they had been affected. Zellis also issued a statement confirming that it had suffered a data breach affecting a number of its customers.
DHL stated that the incident happened as a result of a vulnerability in a widely used file transfer tool called MOVEit, supplied by Progress Software, used by Zellis. The software is used to transfer files between and within organisations.
The notification continued that DHL understood that employees’ DHL payroll number, first name, surname, date of birth, National Insurance Number, first line of address and employment start date and employment end date (for leavers) had been compromised.
DHL stated that they were taking the data breach extremely seriously and that they had informed the Information Commissioner’s Office of the incident and were monitoring the situation.
DHL also stated that they had set up a credit and web monitoring package with Experian that would be available free of charge to those affected for the next 12 months. They also said that they were working with Zellis and their cybersecurity partners to monitor the situation.
As well as signing up to, and using, the credit and web monitoring package with Experian, DHL also encouraged those affected to be cautious of any unsolicited and unexpected communications, avoid responding to or downloading attachments or clicking on links from suspicious or unknown email addresses, create strong, complex passwords for different online accounts, avoid giving personal information in passwords and avoid giving personal details over the phone unless sure who speaking with. DHL also stated that victims of fraud should report the matter to Action Fraud.
Microsoft and IT specialists have attributed the cyber-attack to the notorious Russian ransomware group C10p (Clop), on the basis of its similarity to previous attacks by the group. Clop have also posted a notice on their darknet site stating that they had exploited vulnerabilities in the MOVEit software to download data from “hundreds of companies”, without naming them, and warned affected organisations to contact them to agree a ransom payment or they would start publishing the stolen data.
Following the expiry of the deadline for contacting them, Clop have started posting data from certain companies, including Shell and Aon, on their website. At the time of writing, no data relating to DHL staff appears to have been posted.
Those affected by the data breach may have claims against DHL and / or Zellis and / or Progress Software for failing to take the necessary action to keep their personal data safe and obtain compensation for the distress and / or any financial losses that this has caused.
While investigations are at an early stage, issues that will need to be considered include the adequacy of the design and maintenance of the software, any failure to identify and promptly notify customers of flaws in the software and provide necessary upgrades / patches, any failure of customers to promptly install any upgrades / patches, any failure to monitor indicators of unauthorised access or suspicious activity and take action as well as the appropriateness of using the software for the tasks for which it was used, and / or the failure to take additional security measures.
On the present information, there may be grounds for bringing a claim for breach of the UK General Data Protection Regulation and / or the Data Protection Act 2018, misuse of your private information, breach of confidence and negligence.
DHL appear to have notified current or former staff affected by the data breach in early June 2023.
If you were notified by DHL that your personal data has been affected by the data breach in or about June 2023, you may have a claim for compensation if you have suffered distress and / or any financial loss as a result of the data breach. You can claim for compensation for the distress caused by the data breach even if you have not lost any money.
How much compensation you can claim may depend on specific factors of your case, such as:
- The personal information accessed, including whether this included your bank account details.
- How many people had unauthorised access to your personal information and for how long.
- The emotional distress caused by the breach.
- Any financial losses experienced as a result of the data breach.
On the information currently available, we consider that the value of affected customers’ compensation claims could be over a thousand pounds.
We will obtain a more detailed assessment of the value of the claims from the barristers specialising in data breach matters that we will be instructing in this matter after we have completed our investigations.
It’s too early to provide a timescale for when the matter will be resolved and you may receive any compensation for the data breach. To an extent, this will depend on how DHL / Zellis / Progress Software respond and whether they wish to mediate the claim.
We understand this can be frustrating, but we will keep our clients updated every step of the way via email. You can also reach out to us by emailing dhlstaffdatabreach@leighday.co.uk
We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.
We are responding to form completions within a few days. If you have submitted your form during the weekend, please allow an extra day for a response, as we won’t see your details until the following Monday morning.
If you are still to receive a response, please email us at dhlstaffdatabreach@leighday.co.uk to check that the details we hold for you are correct.
The data breach claim is still at an early stage, so no compensation has been given out at the time of writing. However, please be assured that we will keep our clients updated via email.
You can also reach out if you need assistance at any point of the claims process by emailing dhlstaffdatabreach@leighday.co.uk.
What the directories say
Sean Humber is fantastic at what he does; his professionalism and customer skills are second to none. It's an absolute pleasure having him as my solicitor.
Chambers and partners 2023 - Sean Humber - Data Protection & Information Law
What the directories say
Sean Humber is instructed by clients seeking advice on data breaches involving sensitive personal data. He represents individual claimants as well as companies. He's very responsive, professional, innovative and looks for solutions for his clients. He's a great strategic thinker and lawyer.
Chambers and partners 2022 - Sean Humber - Data Protection & Information Law
What the directories say
Gene Matthews takes really bold cases on serious issues and has a habit of winning them.
Chambers and partners 2023
- Mass hack at BBC, British Airways, Boots and DHL sparks class action lawsuit probe Morning Star 20.7.23
- BA, BBC and Boots hit by cyber security breach with contact and bank details exposed Sky News 5.6.23
- What does the BBC, Boots and British Airways cyber attack mean for HR? People Management 8.6.23
- MOVEit hack: BBC, BA and Boots among cyber attack victims BBC 5.6.23