Customers of the conveyancing firm Simplify Group are planning to launch legal action after some have seen their property purchases stalled for more than a month following a data breach.
The firm’s systems were shut down on 8 November after what appears to have been a cyber security incident, leaving some customers unable to exchange, complete or move home.
Now, a law firm is working with customers of the group – whose brands include Premier Property Lawyers, JS Law, DC Law and Advantage Property Lawyers – with a view to bringing a compensation claim against Simplify.
Hayes Connor, which specialises in data breaches, said it had been contacted by a number of customers who were worried about the impact the breach could have on them.
Simplify Group conveyancing customers have experienced delays in their house purchases and sales following a security incident in November, and it is unclear whether their data is safe
Customers were initially concerned that money they had transferred to their solicitor may have been stolen by hackers.
Simplify Group and the Council for Licensed Conveyancers, the regulator which has been monitoring the situation, have since stated that all customer funds are safe.
However, there are still unaddressed concerns about the safety of customers’ personal data, as many had given over bank details, addresses and copies of driving licences or passports in order to buy or sell their homes.
Fraudsters can use this information to make applications for credit in customers’ names.
Hayes Connor is collecting evidence from customers with a view to bringing a group litigation claim against Simplify, This is Money understands.
‘Buying or selling a home is one of the most stressful times for anyone at the best of times, so to be facing extra worry is something none of these people want – especially just before Christmas,’ said Richard Forrest, Legal Director at Hayes Connor.
Simplify Group conveyancing firms are recommended to home buyers by the likes of estate agents Purplebricks, Strike, Yopa and Fine & Country, among others
‘To make matters worse we are still unclear exactly what has happened and what data has been breached.
‘Home moves involve a huge amount of personal data which can be very valuable to the wrong sort of people so Simplify have a duty to all of their customers to let people know what has happened, why and how exactly they have been affected, and to do so immediately.
‘Any further delay will just add to the worry people are already suffering just when they least need that extra stress.’
The amount of compensation that customers may receive, if an eventual claim is successful, will depend on what data has been exposed.
It will also depend on the distress that has been caused to them by the situation, which can vary from person to person.
Hayes Connor is calling for Simplify to provide an update on the safety of customers’ personal information, saying customers have been met with a ‘wall of silence’ so far.
While Simplify has said that it is now at ‘close to business as usual capacity,’ some customers have told This is Money that their transactions have still not been completed.
A typical property purchase or sale takes around 12 weeks to complete.
The nature of the security breach has not been made public, but Simplify has confirmed to This is Money that it is the subject of an ‘ongoing criminal investigation’.
Security incident: The nature of the data breach at Simplify has still not been confirmed,but the group has said that it is the subject of an ongoing criminal investigation
While the Hayes Connor claim would be likely to come under data breach legislation, This is Money understands that there could also be a case for a professional negligence claim to be brought against Simplify.
All contracts provide for a situation where the completion is delayed, with customers potentially able to bring claims for some of the costs incurred. These would usually be settled via their lawyer’s professional indemnity insurance.
Simplify firms are recommended to home buyers by the likes of estate agents Purplebricks, Strike, Yopa and Fine & Country, among others.
Together, it is estimated that they are involved in around five per cent of property transactions – spelling disruption for those who are in chains with Simplify Group customers, as well as the customers themselves.
The breach led to clients being unable to complete or exchange on their purchases, with some on the brink of completion when the inicident occured saying they were stuck with all their possessions in a removal van and with nowhere to stay.
One even told us that he had been forced to sleep in his car.
With websites down and phone lines congested when the breach first happened, many were unable to contact their conveyancer to find out the status of their sale or purchase, and some are still facing long waits to hear back from them.
Some buyers have told This is Money that their transactions have fallen through because the other parties in the transaction refused to wait any longer and pulled out.
Other than saying that those who switched conveyancers would not need to pay for Simplify’s previous work, the firm has not made clear if it will voluntarily provide any compensation for customers who have seen their house purchases fall through.
In late November, regulator the Council for Licensed Conveyancers told those who had not exchanged to consider switching to a different conveyancing firm in order to progress.
A spokesman for Simplify told This is Money: ‘We understand that, during the period where systems were unavailable, clients may have experienced delays to their transactions but we expect that, from early in the new year things will start to feel normal for clients, both existing and new.
‘Simplify continues to do everything possible to minimise any impact on our customers and prioritise their needs.
‘This incident is the subject of a criminal investigation that limits how much information we can provide at this time, however we can confirm that this investigation is making progress.
‘Importantly, we are adding additional layers of security, in order to protect against the continued and growing cyber threats that all businesses in our sector (and many others) are now unfortunately exposed to.’
While the law does not stipulate a time limit on when Simplify would need to give customers information about the nature of the incident and whether their data was safe, Forrest said companies were encouraged by the Information Commissioners’ Office to let them know as soon as possible.
However, Forrest conceded that Simplify itself may still not be fully aware of what information had been exposed.
‘It has all the hallmarks of an external attack on their systems,’ he said. ‘I can’t think what else it would be’.
One type of security breach is a ransomware attack, where fraudsters hack in to a company’s systems and encrypt its data.
They then demand a payment, upon receipt of which they will restore access to the information.
Recent examples of this include the payroll systems firm Kronos, which is used to log staff hours at Sainsbury’s among other large businesses; and the retailer Spar, which was forced to close some stores temporarily earlier this month after a ransomware attack.