
Intro

In 2019, Swedish clothing giant H&M faced a significant security breach, exposing its employees’ sensitive personal data due to a configuration error. This breach laid bare personal information ranging from medical conditions to vacation experiences, collected for work evaluation purposes. With around 179,000 employees affected, the incident drew widespread attention and prompted an investigation by the Hamburg Commissioner for Data Protection and Freedom of Information. Delve into the timeline and implications of this breach below.

The H&M Data Breach Explained

What Happened?

In 2019, Swedish clothing retail company H&M experienced a security breach concerning its employees’ personal data and information. Because of a configuration error, the company’s extensive employee database became accessible to the whole company for a few hours.

The database contained sensitive personal information, such as religious beliefs, medical conditions, family issues, and even vacation experiences. These pieces of information were collected through interviews and talks with the employees’ supervisors, which would then be used to evaluate work performance. As of the date of the incident, around 179,000 H&M employees had allegedly been affected by the H&M data leak.

This H&M data breach garnered media attention and led the Hamburg Commissioner for Data Protection and Freedom of Information to investigate the matter. The latter started an investigation at H&M’s service center, where the breach happened.

Timeline

  • 2014 – H&M started the massive collection of data and personal information of its employees.
  • 2019 (October) – Configuration error that resulted in H&M’s database being viewable company-wide.

Will there be compensation?

It’s common for large-scale data breaches to result in compensation for affected individuals. The exact H&M settlement amount may vary based on factors like the user’s location and the extent of the data breach.


Am I Affected?

If you were affected, you should receive a data breach notification letter within 72 hours of its discovery. However, there have already been cases where these notices were not sent out at all, either as part of a cover-up to protect the company’s image or to avoid identifying users who might be entitled to compensation. So in case of a data leak, it’s a smart move to fill out the form and join the claim regardless.

What To Do?

Whether you believe you were affected or are just exploring your options, you can quickly and easily check your eligibility and compensation amount with our quick data breach checker. In under two minutes, you’ll know how much money you can get and will be able to claim compensation. Give it a try!

Legal Proceedings and H&M Settlement

The Hamburg Commissioner for Data Protection and Freedom of Information, also called the Regulator, found several violations committed by the Swedish retailer concerning excessive data collection. In this investigation, 60GB of company data was analyzed, alongside a review of company policies and witness interviews.

According to the results of the investigation, H&M has been collecting personal employee information since 2014 through interviews and surveys. The collected data is stored in the company’s system and made available to H&M managers. These pieces of employee information are then used to make work evaluations and decisions regarding their employment status. 

The Regulator found that collecting details about employees’ private lives and recording their activities was an intensive encroachment on employees’ civil rights. Under the GDPR Enforcement Tracker, personal data should be processed transparently and lawfully, there must be a clear purpose for collecting the data, and the data collected must not be more than what is required for the stated purpose. H&M violated these principles when it excessively collected personal information without transparency as to its purpose. The lack of a specific purpose made the scope of collected data too broad.

The Regulator issued H&M a €35.3 million (approximately $41.5 million) fine due to these violations, the second largest fine imposed under the GDPR. In addition, the Swedish clothing company said it was going to financially compensate its employees for this incident. Employees who have been with the company for at least one month from May 2018 are entitled to the said compensation for this H&M breach of privacy.

No class action lawsuit has been initiated yet, but the Regulator’s fine does not rule out another financial settlement in the future. A claim or other financial litigation led by affected employees after further investigation is still possible.

How to Claim H&M Compensation

If you want to get compensation for the data breach, you need to join a group lawsuit, also known as a class action. When you do this, you’ll work with a financial litigation partner who handles everything for you. That is us! Your task is just to apply and then wait to get your money.

Remunzo handles all the hard work. We set up the lawsuit and take the corporation to court for you. Corporations don’t want to pay money easily, but Remunzo will fight hard to get your settlement payout. When you join thousands of others in a lawsuit like this, the corporation is more likely to pay, and the settlement payment amount per person (that is, how much you will get) tends to be higher.

Remunzo will keep you updated about the settlement status. But you need to be patient, because it can take months until the settlement payments are made and you get paid.

Quickly check your eligibility and compensation amount with our simple data leak checker. In under 2 minutes, you’ll know how much money you can get and will be able to claim compensation. Give it a try!


Impact on H&M Users

The H&M data breach reveals poor data collection practices by the company against its employees. The company took responsibility by abiding by the imposition of fines and fully compensating the affected employees. 

The company said in a press release posted on its website:

“The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions. H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg.” 

H&M’s Response and Changes in Data Security

Upon learning of the breach, the Hamburg Commissioner for Data Protection ordered the management to have the database frozen and released. H&M was also quick to devise and launch a comprehensive action plan following the incident. The company aimed to implement a better internal auditing system to comply with data privacy laws. It further aimed to educate and train staff to create a safe work environment in terms of data protection.

H&M also stated that the company started implementing the following:

  • Personnel changes at the management level at the service center in Nuremberg;
  • Additional training for leaders in relation to data privacy and labor law;
  • Revised instructions for managers;
  • Creation of a new role with specific responsibilities to audit, follow up, educate, and continuously improve data privacy processes;
  • Enhanced data cleansing processes;
  • Improved IT solutions supporting compliant storage of personal data, training, and leadership. 

No other settlement has been initiated yet by affected employees, but this does not close the possibility of a civil action in a regular court in the future.

Future Implications and Impact on the Industry

The H&M data breach could be regarded as an incident of poor system handling causing the data leak, which then resulted in the revelation of the company’s illegal data collection. It serves as a reminder to other companies to be wary of the scope of data they are collecting from their employees and clients. This is especially true for employers offering hybrid and work-from-home setups, who are requiring tracking software to be installed on their employees’ personal computers to monitor work performance.

Other Famous Incidents of Privacy Breaches

H&M is not the only one that got its data stolen. Hundreds of other companies have faced or will face data breaches in the future. Therefore, we strongly suggest using our Compensation Calculator. This tool will help you find out how many compensation claims you are eligible for and how much money you might get—and we can help you easily get it.

Conclusion

In conclusion, the 2019 H&M data breach resulted in serious ramifications, including a significant fine of €35.3 Million for violating data protection laws. The breach raised concerns about the extensive collection of personal employee information and its use in work evaluations. While H&M responded swiftly with corrective measures and compensation plans, the incident underscores the importance of robust data security protocols and adherence to privacy regulations. Moving forward, H&M has committed to enhancing its data protection measures and fostering a culture of privacy awareness among its staff. Despite initial actions taken, the possibility of further legal action by affected employees remains open, highlighting the ongoing need for vigilance in safeguarding personal data.

Frequently Asked Questions

How to minimize or prevent data breach impact?

Using virtual payment cards with spending limits and unique email addresses for different services can greatly reduce the risks of data breaches. Disposable virtual cards protect your financial details, while custom email addresses (like “yourname+service@gmail.com”) help identify compromised services. These strategies add security layers, minimizing the impact of breaches on your personal and financial data.

What to do after a data breach?

In case of a data breach, promptly change your passwords on the affected accounts, making them strong and unique. Activate two-factor authentication for added security. Monitor your financial statements and credit reports for any unusual activity. Alert your bank or credit card provider about potential fraud. Be cautious of phishing scams following the breach and consider a credit freeze. Finally, report the incident to the appropriate authorities.

What is a data breach notice?

A data breach notice is an official alert sent by an organization to individuals whose personal data, including potentially compromised passwords, may have been exposed in a security breach. Such a notice can often follow warnings from services like Apple or Google indicating that “this password appeared in a data leak.” It details the nature of the breach, affected data types, potential risks, and the organization’s remedial actions. The notice advises on protective measures, such as changing passwords and monitoring credit reports to mitigate harm.

Can I sue, and how to join a class action lawsuit?

Yes, you can sue for a data breach. With Remunzo, joining an active class action lawsuit is easy. Check your eligibility on our platform, and if your case is active, you can join the lawsuit. Remunzo handles all legal proceedings and negotiations for a settlement. These processes can take some time, but we keep you updated throughout. Use our Quick Data Leak Checker to see if you qualify to join and claim compensation.

When will I get paid the data breach settlement?

The time it takes to receive a data breach settlement payment varies, often taking several months after a settlement is reached. Factors like case complexity, number of claimants, and legal procedures affect the timeline. Remunzo will keep you informed about the settlement progress, but patience is key as these processes can be lengthy.


    Author

    Our team counts over 80+ skilled lawyers from 8 countries and has many partner law firms working on your claims. You can trust us to take good care of your claims. We’re working to make a world where taking big companies to court is simple and just a few clicks away for everyone, no matter their budget, skills, or background. Our goal is to build a future where it’s easy for everyone to stand up for their rights and get justice.