Twitch Data Breach: UK GDPR and the cost of human error


What happened & why is it a data breach?

This week, the live streaming site Twitch, which is owned by Amazon, announced that a “server configuration change” led to approximately 135GB of data being posted online.

The data breach resulted in the unauthorised disclosure of commercially sensitive personal data containing the names of top streamers and their earnings from the site, together with Twitch’s own internal source code.

Early signs suggest that the data breach was caused by human error in the configuration of Twitch’s servers. Worryingly, some of the data leaked dates back three years, giving rise to concern that the Twitch servers may have been accessible for longer than the last few days.

Details about how long the servers were accessible for and whether human error was the cause of the breach have yet to be confirmed by the livestreaming giant. It would also seem that the breach has not yet been reported to the Information Commissioner’s Office (“ICO”), but it is anticipated that this will happen soon.

This severe data breach by Twitch follows another incident two weeks ago in which the Ministry of Defence (“MOD”) team responsible for the UK's Afghan Relocations and Assistance Policy mistakenly copied more than 250 former Afghan interpreters seeking relocation to the UK into an email. This resulted in the email addresses, names and profile pictures of each recipient being visible for all other recipients to see.

Both the Twitch hacking incident and the erroneous MOD email constitute a data breach under the UK’s version of the General Data Protection Regulation (“UK GDPR”). In this article, we consider why this matters – and what to do if a similar thing happens to your organisation.

Why is this important & how does it link to my business?

Twitch and the Ministry of Defence, like most other organisations, have to comply with the UK GDPR. The UK GDPR contains certain data protection principles which must be followed, including maintaining the integrity and confidentiality of personal data. This includes taking measures to protect against unauthorised or unlawful processing, and also against accidental disclosure of personal data.

In 2019, 90% of cyber data breaches in the UK were caused by human error. One major example involved Virgin Media, where a database containing the personal data of 900,000 people was left unsecured for 10 months. Virgin stated this occurred as the database had been incorrectly configured by a member of staff, who did not follow the correct procedure. Since April, 2,552 data security incidents have been reported to the ICO, whilst it is estimated that there can be up to 65,000 attempts, and 4,500 successful attacks on businesses per day, equivalent to one every 19 seconds.

The cost of a data breach, especially those which lead to the disclosure of sensitive personal information, is not limited to personal and financial loss. It can often cause severe damage to a business' reputation, leading to bad publicity and in some cases, losing customers and staff. In view of this, businesses should make avoiding data breaches a key operational objective.

What to do if your business suffers a data breach

It is a common myth that all data breaches must be reported. Rather, under the UK GDPR, a data breach only needs to be reported to the ICO where there is a risk to the individuals whose personal data has been breached. Whether or not there is such a risk will be a matter of fact, but organisations must consider:

  • The number of affected individuals;
  • The nature and sensitivity of the information in question;
  • The volume of personal data breached;
  • The identity of the unauthorised recipient of the data.

Where the data breach is reportable to the ICO, organisations must report it to the ICO without undue delay and not later than 72 hours after becoming aware of the breach.

In certain circumstances, organisations are also required to report the breach to the individuals whose data has been compromised. This is necessary where:

  • there is a high risk to the individuals in question; and
  • there were not appropriate technical and organisational measures in place at the time of the incident or reporting would trigger disproportionate effect.

Where the data breach is reportable to the affected individuals, the organisation must report to those individuals without “undue delay” (albeit that there is no strict timescale imposed). Of course, organisations would also need to consider whether reporting to the affected individuals, even if not required under the UK GDPR, is a matter of good commercial practice.

How to avoid a data breach or, if a data breach occurs, how to mitigate risk

It is a matter of fact that most (if not all) businesses will at some point suffer a data breach. However, an organisation’s best chance to avoid a data breach is to (a) ensure that all personnel using personal information know what constitutes a breach; and (b) ensure that clear policies, procedures and mechanisms are in place to catch the breach before it happens.

Firstly, organisations must ensure that staff know what amounts to a data breach. For example, staff may not be aware that sending an email to the wrong person is a data breach under the UK GDPR. The definition – and practical examples – of a data breach should be clearly set out in the organisation’s internal policies. If an organisation’s staff do not know when a data breach has been committed, then they will not be in a position to take the necessary reporting measures.

Secondly, organisations should invest in having the necessary policies, procedures and mechanisms in place to catch a data breach before it happens. For example, this may include technological solutions (e.g. software checking that the email address used is correct).

However, it is almost impossible to entirely eliminate human error within the workforce, so it is important to ensure that staff know what to do in the event of a data breach, in order to mitigate risk.

Organisations in which there is a no-blame culture tend to be better placed to ensure that staff own up to their errors as soon as possible, rather than attempting to cover them up for fear of criticism. If the organisation does not know that the data breach has occurred, then it will not be able to comply with its obligations under the UK GDPR. This is especially vital given that failure to report a breach to the ICO, or to comply with the other obligations under the UK GDPR, could result in a fine of up to £17.5 million or 4 per cent of the organisation’s global turnover.

It goes without saying that the data breaches committed by Twitch and the MOD were particularly serious, given the nature and scope of the information. However, data breaches will likely be committed by all organisations of different sizes, so it is crucial that you know what to do, and when, to avoid falling foul of the fines and other sanctions under the UK GDPR.

If you and your company need any advice relating to data protection, data breaches, or require any data protection policies, please contact a member of our Data Protection Team by email or by calling 01603 610911.

Article by
Alex Saunders
October 8, 2021
Article by
Leathes Prior Team
October 8, 2021