New Skills Academy, an online education provider with over 800,000 students, has recently fallen foul of a significant data breach, raising serious concerns over the organization’s compliance.
This incident follows a number of high-profile cases of UK organizations simply failing to comply with data protection laws. On 6th July it was announced that British Airways had settled a civil action brought following a breach of its security systems in 2018 that caused the personal data of 420,000 staff and customers to be leaked. The same breach resulted in a regulatory fine of £20m from the Information Commissioner’s Office.
On 30th June 2021, New Skills Academy emailed users of its services to inform them that it had been targeted by a third party looking to acquire its users’ data. It said that its investigation revealed that “some customer account information may have been exposed to unauthorized sources”, but did not indicate when the incident occurred nor when it was discovered.
The potential exposure included usernames, email addresses, and encrypted passwords, but the organization went on to say that it does not store any financial/credit card data. This directly conflicts with its own privacy notice, which states that it may collect, use, store and transfer financial data including bank account, payment card, and electronic payment details, plus transaction data including details about payments. The notice also states that the company may receive personal data about users from third parties such as “Contact, Financial and Transaction Data from providers of technical, payment and delivery services”. UK organizations have 72 hours in which to inform the Information Commissioner’s Office (ICO) of a reportable breach. It is unclear from New Skills Academy’s emails if, and when, it informed the ICO.
Mark Gleeson, a partner at law firm Brandsmiths and an expert in data protection and cybersecurity law, has over 20 years’ experience, including in data breach management and data protection disputes.
Gleeson comments: “The New Skills Academy security breach raises a number of concerns about the company’s compliance with data protection laws, including the UK’s General Data Protection Regulation. This incident appears to be a clear breach of the legal requirement to ensure appropriate security of the personal data of users against unauthorized or unlawful processing. What is also troubling is that the company’s email notification, which directly contradicts its own privacy notice, may give customers a false sense of reassurance about the security of their financial information.”
Consumers are trusting more and more organizations with increasing amounts of data but have clear rights to expect that their data is protected and only used in accordance with the law. New Skills Academy did not specify how the data came to be exposed to unauthorized sources but, where data rights are infringed, either by a sophisticated hacker stealing the data or by an employee carelessly handling information, there is a mechanism in place to compensate those who suffer damage or loss as a result.
Gleeson adds: “We recommend that users of New Skills Academy be extra-vigilant when reading emails or downloading files, as well as changing any passwords. Our team of expert lawyers are always on hand to assess and pursue claims for those whose data rights have been infringed.”