DPD staff data breach claim

In late June 2023, DPD informed staff that it had been informed by AON, one of its suppliers, that AON had suffered a cyber-attack. As a result, the My Benefits platform which AON provided to DPD and its employees had been hacked. The employee personal data affected included full name, National Insurance no., date of birth, marital status, gender, home address, employment position at DPD, base salary, location of work, working hours, work and personal email address, DPD employee number and types of benefit signed up to via the My Benefits platform.

Investigations into the cause and consequences of the data breach are continuing. However, for hackers to be able to access this personal data, something has clearly gone very badly wrong. It will be important to critically review the adequacy or otherwise of the security measures in place and identify who bears responsibility for any shortcomings identified. If these security measures were not adequate, those affected are likely to be entitled to compensation for the distress caused by the breach as well as any financial losses that they may have suffered.

DPD gave no details of the cyber-attack but it is thought that the incident happened as a result of a vulnerability in a widely used file transfer tool called MOVEit, supplied by Progress Software, used by AON. The software is used to transfer files between and within organisations.

DPD stated that they were taking the data breach extremely seriously and that they had informed the Information Commissioner’s Office and National Cyber Security Centre of the incident and were monitoring the situation.

DPD stated that cyber-criminals profit by selling stolen personal data, typically in a place on the internet called the ‘dark web’. Stolen emails, usernames and passwords can be used to access other online accounts, which helps cyber-criminals steal identities, a crucial step in committing fraud or theft. When a cyber-criminal steals a person’s identity, they may try to open credit cards in their name, commit insurance fraud or similar activity.

DPD also stated that they had set up a credit monitoring package with Experian that would be available free of charge to those affected for the next 12 months.

As well as signing up to, and using, the credit monitoring package, DPD also encouraged those affected to be cautious of any unsolicited and unexpected communications, including official-sounding messages about resetting passwords, receiving compensation, scanning devices or missed deliveries, emails or calls full of tech speak designed to sound more convincing or being urged to act immediately or within a limited timeframe.

Microsoft and IT specialists have attributed the cyber-attack to the notorious Russian ransomware group C10p (Clop), on the basis of its similarity to previous attacks by the group. Clop have also posted a notice on their darknet site stating that they had exploited vulnerabilities in the MOVEit software to download data from “hundreds of companies”, without naming them, and warned affected organisations to contact them to agree a ransom payment or they would start publishing the stolen data.

Following the expiry of the deadline for contacting them, Clop have started posting data from certain companies, including AON, on their website. It is not clear whether this includes the personal data of DPD employees.

Those affected by the data breach may have claims against DPD and / or AON and / or Progress Software for failing to take the necessary action to keep their personal data safe and obtain compensation for the distress and / or any financial losses that this has caused.

While investigations are at an early stage, issues that will need to be considered include the adequacy of the design and maintenance of the software, any failure to identify and promptly notify customers of flaws in the software and provide necessary upgrades / patches, any failure of customers to promptly install any upgrades / patches, any failure to monitor indicators of unauthorised access or suspicious activity and take action as well as the appropriateness of using the software for the tasks for which it was used, and / or the failure to take additional security measures.

On the present information, there may be grounds for bringing a claim for breach of the UK General Data Protection Regulation and / or the Data Protection Act 2018, misuse of your private information, breach of confidence and negligence.

DPD appear to have notified current or former staff affected by the data breach in or about late June 2023.

If you were notified by DPD that your personal data has been affected by the data breach in or about June 2023, you may have a claim for compensation if you have suffered distress and / or any financial loss as a result of the data breach. You can claim for compensation for the distress caused by the data breach even if you have not lost any money.

How much compensation you can claim may depend on specific factors of your case, such as:

• The personal information accessed, including whether this included your bank account details.
• How many people had unauthorised access to your personal information and for how long.
• The emotional distress caused by the breach.
• Any financial losses experienced as a result of the data breach.

On the information currently available, we consider that the value of affected customers’ compensation claims could be over a thousand pounds.

We will obtain a more detailed assessment of the value of the claims from the barristers specialising in data breach matters that we will be instructing in this matter after we have completed our investigations.

It’s too early to provide a timescale for when the matter will be resolved and you may receive any compensation for the data breach. To an extent, this will depend on how DPD / AON / Progress Software respond and whether they wish to mediate the claim.

We understand this can be frustrating, but we will keep our clients updated every step of the way via email. You can also reach out to us by emailing dpdstaffdatabreach@leighday.co.uk

We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.

We are responding to form completions within a few days. If you have submitted your form during the weekend, please allow an extra day for a response, as we won’t see your details until the following Monday morning.

If you are still to receive a response, please email us at dpdstaffdatabreach@leighday.co.uk to check that the details we hold for you are correct.

The data breach claim is still at an early stage, so no compensation has been given out at the time of writing. However, please be assured that we will keep our clients updated via email.

You can also reach out if you need assistance at any point of the claims process by emailing dpdstaffdatabreach@leighday.co.uk.