Boots staff data breach claim
In early June 2023, Boots informed staff that Zellis, a company providing it with payroll support services, had suffered a cyber-attack. As a result, the personal data of some current and former Boots staff paid in the UK held by Zellis had been hacked. The personal data included title, first name, surname, employee number, date of birth, email address, the first line of home address, national insurance number and employment start and end date.
Investigations into the cause and consequences of the data breach are continuing. However, for hackers to be able to access this personal data, something has clearly gone very badly wrong. It will be important to critically review the adequacy or otherwise of the security measures in place and identify who bears responsibility for any shortcomings identified. If these security measures were not adequate, those affected are likely to be entitled to compensation for the distress caused by the breach as well as any financial losses that they may have suffered.
About the data breach claim
Organisations need to ensure that all personal data that they hold is held securely – including taking steps to protect this information from cyber-attacks. This does not appear to have happened in this case. If you are a current or former member of Boots staff who has been notified that your personal data has been affected by the data breach, you could be entitled to compensation for any distress caused or financial losses suffered.
Leigh Day's data protection experts are currently investigating claims on behalf of Boots staff affected by the data breach. Get in touch today to find out how you can join the data breach claim.
In early June 2023, Boots contacted current and former staff stating that it had been notified by Zellis, a company providing it with payroll support services, that it had experienced a cyber-security incident which had led to a disclosure of personal information of staff paid through Boots’s payroll. Zellis also issued a statement confirming that it had suffered a data breach affecting a number of its customers.
Boots stated that the incident happened as a result of a vulnerability in a widely used file transfer tool called MOVEit, supplied by Progress Software, used by Zellis. The software is used to transfer files between and within organisations.
The notification continued that Boots understood that the personal data affected included title, first name, surname, employee number, date of birth, email address, the first line of home address, national insurance number and employment start and end date.
Join the Boots staff data breach claim
Boots stated that, with Zellis, they had set up a credit and web monitoring package with Experian that would be available free of charge to those affected for the next 24 months. They also said that they were working with Zellis and their cybersecurity partners to monitor the situation.
As well as signing up to, and using, the credit and web monitoring package with Experian, Boots also encouraged those affected to change passwords on important online services, be cautious of any unsolicited and unexpected communications that ask for personal information or refer to a web page asking for personal information and avoid responding to or clicking on links or downloading attachments from suspicious email addresses.
Microsoft and IT specialists have attributed the cyber-attack to the notorious Russian ransomware group C10p (Clop), on the basis of its similarity to previous attacks by the group. Clop have also posted a notice on their darknet site stating that they had exploited vulnerabilities in the MOVEit software to download data from “hundreds of companies”, without naming them, and warned affected organisations to contact them to agree a ransom payment or they would start publishing the stolen data.
Following the expiry of the deadline for contacting them, Clop have started posting data from certain companies, including Shell and Aon, on their website. At the time of writing, no data relating to Boots staff appears to have been posted.
How do I join the claim?
We are currently investigating bringing a claim for compensation on behalf of affected Boots staff. If you are one of the current or former members of Boots staff affected by the data breach, you can join the claim here. Fill in our short form today.
What our lawyers say
This is a serious data breach, particularly in the cases where financial information has been taken. Clearly, for hackers to be able to access this personal data, something has gone badly wrong.
Sean Humber, partner
Join the Boots staff data breach claim
What the directories say
Sean Humber is fantastic at what he does; his professionalism and customer skills are second to none. It's an absolute pleasure having him as my solicitor.
Chambers and partners 2023
Why use Leigh Day?
Experienced
Our human rights team has more than 20 years' experience in data protection and privacy claims. This includes challenging multi-national companies as well as local authorities and the NHS.
Informed
We keep on top of changes to information and data protection law to best advise our clients. We have brought successful compensation claims in cases where others wrongly accessed clients’ personal, medical and financial information.
Top ranked firm
The human rights team has been recognised as a leader in its field for many years. In 2022, we were top ranked in eight practice areas in Chambers and Partners.
What the directories say
Gene Matthews takes really bold cases on serious issues and has a habit of winning them.
Chambers and partners 2023
Related news
Further companies affected by Clop MOVEit cyber-attack
Leading data breach lawyers have confirmed that recent announcements that employee and customer information from more companies has been hacked by Clop as a result of the MOVEit cyber-attack may lead to claims for compensation by those affected.
Serious data breach affects personal information of tens of thousands of British Airways, Boots and BBC staff
Leading data breach lawyers say that the recent announcements by British Airways, Boots and BBC that their staff’s personal information has been hacked, are likely to lead to substantial claims for compensation by those affected.
Shell latest company to confirm that employee and customer data are affected by Clop cyber-attack
Leading data breach lawyers say the recent announcement by Shell that employee and customer information has been hacked may lead to claims for compensation by those affected.
Hacking announcements by DHL, Transport for London, Ofcom and Ernst & Young likely to lead to substantial claims for compensation
Leading data breach lawyers say that the recent announcements by further organisations, including DHL, Transport for London, Ofcom and Ernst & Young, that staff and other personal information has been hacked, are likely to lead to substantial claims for compensation by those affected.
Submit your information
We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.
If you have been notified by Boots that your personal information was accessed as a result of the cyber attack and wish us to investigate a claim, you can start the process today.
Similarly, if you have any queries or problems completing the sign-up process or would prefer to be taken through the sign-up process by telephone, please email us at bootsstaffdatabreach@leighday.co.uk or call 0203 780 0376 and a member of our legal team will contact you to arrange a convenient time to speak with you.
Our human rights team challenge multi-million-pound corporations who have unlawfully shared their customers' information or failed to invest in adequate security measures, resulting in a data breach.
Contact the team by telephone on 0203 780 0376 or send an email.
FAQs
In early June 2023, Boots contacted current and former staff stating that it had been notified by Zellis, a company providing it with payroll support services, that it had experienced a cyber-security incident which had led to a disclosure of personal information of staff paid through Boots’s payroll. Zellis also issued a statement confirming that it had suffered a data breach affecting a number of its customers.
Boots stated that the incident happened as a result of a vulnerability in a widely used file transfer tool called MOVEit, supplied by Progress Software, used by Zellis. The software is used to transfer files between and within organisations.
The notification continued that Boots understood that the personal data affected included title, first name, surname, employee number, date of birth, email address, the first line of home address, national insurance number and employment start and end date.
Boots stated that, with Zellis, they had set up a credit and web monitoring package with Experian that would be available free of charge to those affected for the next 24 months. They also said that they were working with Zellis and their cybersecurity partners to monitor the situation.
As well as signing up to, and using, the credit and web monitoring package with Experian, Boots also encouraged those affected to change passwords on important online services, be cautious of any unsolicited and unexpected communications that ask for personal information or refer to a web page asking for personal information and avoid responding to or clicking on links or downloading attachments from suspicious email addresses.
Microsoft and IT specialists have attributed the cyber-attack to the notorious Russian ransomware group C10p (Clop), on the basis of its similarity to previous attacks by the group. Clop have also posted a notice on their darknet site stating that they had exploited vulnerabilities in the MOVEit software to download data from “hundreds of companies”, without naming them, and warned affected organisations to contact them to agree a ransom payment or they would start publishing the stolen data.
Following the expiry of the deadline for contacting them, Clop have started posting data from certain companies, including Shell and Aon, on their website. At the time of writing, no data relating to Boots staff appears to have been posted.
Those affected by the data breach may have claims against Boots and / or Zellis and / or Progress Software for failing to take the necessary action to keep their personal data safe and obtain compensation for the distress and / or any financial losses that this has caused.
While investigations are at an early stage, issues that will need to be considered include the adequacy of the design and maintenance of the software, any failure to identify and promptly notify customers of flaws in the software and provide necessary upgrades / patches, any failure of customers to promptly install any upgrades / patches, any failure to monitor indicators of unauthorised access or suspicious activity and take action as well as the appropriateness of using the software for the tasks for which it was used, and / or the failure to take additional security measures.
On the present information, there may be grounds for bringing a claim for breach of the UK General Data Protection Regulation and / or the Data Protection Act 2018, misuse of private information, breach of confidence and negligence.
Boots appear to have notified current or former staff affected by the data breach in early June 2023.
If you were notified by Boots that your personal data has been affected by the data breach in or about June 2023, you may have a claim for compensation if you have suffered distress and / or any financial, loss as a result of the data breach. You can claim for compensation for the distress caused by the data breach even if you have not lost any money.
How much compensation you can claim may depend on specific factors of your case, such as:
- The personal information accessed, including whether this included your bank account details.
- How many people had unauthorised access to your personal information and for how long.
- The emotional distress caused by the breach.
- Any financial losses experienced as a result of the data breach.
We will obtain a more detailed assessment of the value of the claims from the barristers specialising in data breach matters that we will be instructing in this matter after we have completed our investigations.
It’s too early to provide a timescale for when the matter will be resolved and you may receive any compensation for the data breach. To an extent, this will depend on how Boots / Zellis / Progress Software respond and whether they wish to mediate the claim.
We understand this can be frustrating, but we will keep our clients updated every step of the way via email. You can also reach out to us by emailing bootsstaffdatabreach@leighday.co.uk
We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.
We are responding to form completions within a few days. If you have submitted your form during the weekend, please allow an extra day for a response, as we won’t see your details until the following Monday morning.
If you are still to receive a response, please email us at bootsstaffdatabreach@leighday.co.uk to check that the details we hold for you are correct.
The data breach claim is still at an early stage, so no compensation has been given out at the time of writing. However, please be assured that we will keep our clients updated via email.
You can also reach out if you need assistance at any point of the claims process by emailing bootsstaffdatabreach@leighday.co.uk.
What the directories say
Sean Humber is fantastic at what he does; his professionalism and customer skills are second to none. It's an absolute pleasure having him as my solicitor.
Chambers and partners 2023 - Sean Humber - Data Protection & Information Law
What the directories say
Gene Matthews takes really bold cases on serious issues and has a habit of winning them.
Chambers and partners 2023
What the directories say
Sean Humber is instructed by clients seeking advice on data breaches involving sensitive personal data. He represents individual claimants as well as companies. He's very responsive, professional, innovative and looks for solutions for his clients. He's a great strategic thinker and lawyer.
Chambers and partners 2022 - Sean Humber - Data Protection & Information Law
- Mass hack at BBC, British Airways, Boots and DHL sparks class action lawsuit probe Morning Star 20.7.23
- BA, BBC and Boots hit by cyber security breach with contact and bank details exposed Sky News 5.6.23
- What does the BBC, Boots and British Airways cyber attack mean for HR? People Management 8.6.23
- MOVEit hack: BBC, BA and Boots among cyber attack victims BBC 5.6.23