020 7650 1200

Boots staff data breach claim

In early June 2023, Boots informed staff that Zellis, a company providing it with payroll support services, had suffered a cyber-attack. As a result, the personal data of some current and former Boots staff paid in the UK held by Zellis had been hacked. The personal data included title, first name, surname, employee number, date of birth, email address, the first line of home address, national insurance number and employment start and end date.

Investigations into the cause and consequences of the data breach are continuing. However, for hackers to be able to access this personal data, something has clearly gone very badly wrong. It will be important to critically review the adequacy or otherwise of the security measures in place and identify who bears responsibility for any shortcomings identified. If these security measures were not adequate, those affected are likely to be entitled to compensation for the distress caused by the breach as well as any financial losses that they may have suffered.

About the data breach claim

Organisations need to ensure that all personal data that they hold is held securely – including taking steps to protect this information from cyber-attacks. This does not appear to have happened in this case. If you are a current or former member of Boots staff who has been notified that your personal data has been affected by the data breach, you could be entitled to compensation for any distress caused or financial losses suffered.

Leigh Day's data protection experts are currently investigating claims on behalf of Boots staff affected by the data breach. Get in touch today to find out how you can join the data breach claim.

In early June 2023, Boots contacted current and former staff stating that it had been notified by Zellis, a company providing it with payroll support services, that it had experienced a cyber-security incident which had led to a disclosure of personal information of staff paid through Boots’s payroll. Zellis also issued a statement confirming that it had suffered a data breach affecting a number of its customers.

Boots stated that the incident happened as a result of a vulnerability in a widely used file transfer tool called MOVEit, supplied by Progress Software, used by Zellis. The software is used to transfer files between and within organisations.

The notification continued that Boots understood that the personal data affected included title, first name, surname, employee number, date of birth, email address, the first line of home address, national insurance number and employment start and end date.

Join the Boots staff data breach claim

Boots stated that, with Zellis, they had set up a credit and web monitoring package with Experian that would be available free of charge to those affected for the next 24 months. They also said that they were working with Zellis and their cybersecurity partners to monitor the situation.

As well as signing up to, and using, the credit and web monitoring package with Experian, Boots also encouraged those affected to change passwords on important online services, be cautious of any unsolicited and unexpected communications that ask for personal information or refer to a web page asking for personal information and avoid responding to or clicking on links or downloading attachments from suspicious email addresses.

Microsoft and IT specialists have attributed the cyber-attack to the notorious Russian ransomware group C10p (Clop), on the basis of its similarity to previous attacks by the group. Clop have also posted a notice on their darknet site stating that they had exploited vulnerabilities in the MOVEit software to download data from “hundreds of companies”, without naming them, and warned affected organisations to contact them to agree a ransom payment or they would start publishing the stolen data.

Following the expiry of the deadline for contacting them, Clop have started posting data from certain companies, including Shell and Aon, on their website. At the time of writing, no data relating to Boots staff appears to have been posted.

How do I join the claim?

We are currently investigating bringing a claim for compensation on behalf of affected Boots staff. If you are one of the current or former members of Boots staff affected by the data breach, you can join the claim here. Fill in our short form today.

What our lawyers say

This is a serious data breach, particularly in the cases where financial information has been taken. Clearly, for hackers to be able to access this personal data, something has gone badly wrong.

Sean Humber, partner

Join the Boots staff data breach claim

What the directories say

Sean Humber is fantastic at what he does; his professionalism and customer skills are second to none. It's an absolute pleasure having him as my solicitor.

Chambers and partners 2023

Why use Leigh Day?

Experienced

Our human rights team has more than 20 years' experience in data protection and privacy claims. This includes challenging multi-national companies as well as local authorities and the NHS.

Informed

We keep on top of changes to information and data protection law to best advise our clients. We have brought successful compensation claims in cases where others wrongly accessed clients’ personal, medical and financial information.

Top ranked firm

The human rights team has been recognised as a leader in its field for many years. In 2022, we were top ranked in eight practice areas in Chambers and Partners.

What the directories say

Gene Matthews takes really bold cases on serious issues and has a habit of winning them.

Chambers and partners 2023

Related news

News Article
Computer Keyboard
Human rights Data breach

Further companies affected by Clop MOVEit cyber-attack

Leading data breach lawyers have confirmed that recent announcements that employee and customer information from more companies has been hacked by Clop as a result of the MOVEit cyber-attack may lead to claims for compensation by those affected.

News Article
Data Security
Data breach Human rights

Serious data breach affects personal information of tens of thousands of British Airways, Boots and BBC staff

Leading data breach lawyers say that the recent announcements by British Airways, Boots and BBC that their staff’s personal information has been hacked, are likely to lead to substantial claims for compensation by those affected.

News Article
Hacker Typing
Data protection and privacy Shell Human rights

Shell latest company to confirm that employee and customer data are affected by Clop cyber-attack

Leading data breach lawyers say the recent announcement by Shell that employee and customer information has been hacked may lead to claims for compensation by those affected.

News Article
Data Security

Hacking announcements by DHL, Transport for London, Ofcom and Ernst & Young likely to lead to substantial claims for compensation

Leading data breach lawyers say that the recent announcements by further organisations, including DHL, Transport for London, Ofcom and Ernst & Young, that staff and other personal information has been hacked, are likely to lead to substantial claims for compensation by those affected.

Submit your information

We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.

If you have been notified by Boots that your personal information was accessed as a result of the cyber attack and wish us to investigate a claim, you can start the process today.

Similarly, if you have any queries or problems completing the sign-up process or would prefer to be taken through the sign-up process by telephone, please email us at bootsstaffdatabreach@leighday.co.uk or call 0203 780 0376 and a member of our legal team will contact you to arrange a convenient time to speak with you.

Filling In An Online Form

Our human rights team challenge multi-million-pound corporations who have unlawfully shared their customers' information or failed to invest in adequate security measures, resulting in a data breach.

Contact the team by telephone on 0203 780 0376 or send an email.

Contact the team

Profile
Sean Humber
Data protection and privacy Discrimination Environment Human rights Judicial review

Sean Humber

Sean is an experienced human rights lawyer and privacy breach compensation claims specialist

Profile
Gene Matthews
Clinical trials Data protection and privacy Diesel emissions claims Group claims Human rights Medical devices Product safety

Gene Matthews

Gene specialises in consumer law, product liability and data protection claims mainly brought as group claims/ multi-party actions

FAQs

In early June 2023, Boots contacted current and former staff stating that it had been notified by Zellis, a company providing it with payroll support services, that it had experienced a cyber-security incident which had led to a disclosure of personal information of staff paid through Boots’s payroll. Zellis also issued a statement confirming that it had suffered a data breach affecting a number of its customers.

Boots stated that the incident happened as a result of a vulnerability in a widely used file transfer tool called MOVEit, supplied by Progress Software, used by Zellis. The software is used to transfer files between and within organisations.

The notification continued that Boots understood that the personal data affected included title, first name, surname, employee number, date of birth, email address, the first line of home address, national insurance number and employment start and end date.

Boots stated that, with Zellis, they had set up a credit and web monitoring package with Experian that would be available free of charge to those affected for the next 24 months. They also said that they were working with Zellis and their cybersecurity partners to monitor the situation.

As well as signing up to, and using, the credit and web monitoring package with Experian, Boots also encouraged those affected to change passwords on important online services, be cautious of any unsolicited and unexpected communications that ask for personal information or refer to a web page asking for personal information and avoid responding to or clicking on links or downloading attachments from suspicious email addresses.

Microsoft and IT specialists have attributed the cyber-attack to the notorious Russian ransomware group C10p (Clop), on the basis of its similarity to previous attacks by the group. Clop have also posted a notice on their darknet site stating that they had exploited vulnerabilities in the MOVEit software to download data from “hundreds of companies”, without naming them, and warned affected organisations to contact them to agree a ransom payment or they would start publishing the stolen data.

Following the expiry of the deadline for contacting them, Clop have started posting data from certain companies, including Shell and Aon, on their website. At the time of writing, no data relating to Boots staff appears to have been posted.

Those affected by the data breach may have claims against Boots and / or Zellis and / or Progress Software for failing to take the necessary action to keep their personal data safe and obtain compensation for the distress and / or any financial losses that this has caused.

While investigations are at an early stage, issues that will need to be considered include the adequacy of the design and maintenance of the software, any failure to identify and promptly notify customers of flaws in the software and provide necessary upgrades / patches, any failure of customers to promptly install any upgrades / patches, any failure to monitor indicators of unauthorised access or suspicious activity and take action as well as the appropriateness of using the software for the tasks for which it was used, and / or the failure to take additional security measures.

On the present information, there may be grounds for bringing a claim for breach of the UK General Data Protection Regulation and / or the Data Protection Act 2018, misuse of private information, breach of confidence and negligence.

Boots appear to have notified current or former staff affected by the data breach in early June 2023.

If you were notified by Boots that your personal data has been affected by the data breach in or about June 2023, you may have a claim for compensation if you have suffered distress and / or any financial, loss as a result of the data breach. You can claim for compensation for the distress caused by the data breach even if you have not lost any money.

How much compensation you can claim may depend on specific factors of your case, such as:

  • The personal information accessed, including whether this included your bank account details.
  • How many people had unauthorised access to your personal information and for how long.
  • The emotional distress caused by the breach.
  • Any financial losses experienced as a result of the data breach.

We will obtain a more detailed assessment of the value of the claims from the barristers specialising in data breach matters that we will be instructing in this matter after we have completed our investigations.

It’s too early to provide a timescale for when the matter will be resolved and you may receive any compensation for the data breach. To an extent, this will depend on how Boots / Zellis / Progress Software respond and whether they wish to mediate the claim.

We understand this can be frustrating, but we will keep our clients updated every step of the way via email. You can also reach out to us by emailing bootsstaffdatabreach@leighday.co.uk

We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.

We are responding to form completions within a few days. If you have submitted your form during the weekend, please allow an extra day for a response, as we won’t see your details until the following Monday morning.

If you are still to receive a response, please email us at bootsstaffdatabreach@leighday.co.uk to check that the details we hold for you are correct.

The data breach claim is still at an early stage, so no compensation has been given out at the time of writing. However, please be assured that we will keep our clients updated via email.

You can also reach out if you need assistance at any point of the claims process by emailing bootsstaffdatabreach@leighday.co.uk.

What the directories say

Sean Humber is fantastic at what he does; his professionalism and customer skills are second to none. It's an absolute pleasure having him as my solicitor.

Chambers and partners 2023 - Sean Humber - Data Protection & Information Law

What the directories say

Gene Matthews takes really bold cases on serious issues and has a habit of winning them.

Chambers and partners 2023

What the directories say

Sean Humber is instructed by clients seeking advice on data breaches involving sensitive personal data. He represents individual claimants as well as companies. He's very responsive, professional, innovative and looks for solutions for his clients. He's a great strategic thinker and lawyer.

Chambers and partners 2022 - Sean Humber - Data Protection & Information Law

  • Mass hack at BBC, British Airways, Boots and DHL sparks class action lawsuit probe Morning Star 20.7.23
  • BA, BBC and Boots hit by cyber security breach with contact and bank details exposed Sky News 5.6.23
  • What does the BBC, Boots and British Airways cyber attack mean for HR? People Management 8.6.23
  • MOVEit hack: BBC, BA and Boots among cyber attack victims BBC 5.6.23