Twitch Data Breach: UK GDPR and the cost of human error

This week, the livestreaming site Twitch, which is owned by Amazon, announced that a “server configuration change” led to approximately 135GB of data being posted online.

What happened & why is it a data breach?

The data breach resulted in the unauthorised disclosure of commercially sensitive personal data containing the names of top streamers and their earnings from the site, together with Twitch’s own internal source code.

Early signs suggest that the data breach was caused by human error in the configuration of Twitch’s servers. Worryingly, some of the data leaked dates back three years, giving rise to concern that the Twitch servers may have been accessible for longer than the last few days.

Details about how long the servers were accessible and whether human error was the cause of the breach have yet to be confirmed by the livestreaming giant. It would also seem that the breach has not yet been reported to the Information Commissioner’s Office (“ICO”), but it is anticipated that this will happen soon.

This severe data breach by Twitch follows another incident two weeks ago in which the Ministry of Defence (“MOD”) team responsible for the UK's Afghan Relocations and Assistance Policy mistakenly copied more than 250 former Afghan interpreters seeking relocation to the UK into an email. This resulted in the email addresses, names and profile pictures of each recipient being visible for all other recipients to see.

Both the Twitch hacking incident and the erroneous MOD email constitute a data breach under the UK’s version of the General Data Protection Regulation (“UK GDPR”). In this article, we consider why this matters – and what to do if a similar thing happens to your organisation.

Why is this important & how does it link to my business?

Twitch and the Ministry of Defence, like most other organisations, have to comply with the UK GDPR. The UK GDPR contains certain data protection principles which must be followed, including maintaining the integrity and confidentiality of personal data. This includes taking measures to protect against unauthorised or unlawful processing, and also against accidental disclosure of personal data.

In 2019, 90% of cyber data breaches in the UK were caused by human error. One major example involved Virgin Media, where a database containing the personal data of 900,000 people was left unsecured for 10 months. Virgin stated this occurred as the database had been incorrectly configured by a member of staff, who did not follow the correct procedure. Since April, 2,552 data security incidents have been reported to the ICO, whilst it is estimated that there can be up to 65,000 attempts, and 4,500 successful attacks on businesses per day, equivalent to one every 19 seconds.

The cost of a data breach, especially one which leads to the disclosure of sensitive personal information, is not limited to personal and financial loss. It can often cause severe damage to a business’s reputation, leading to bad publicity and, in some cases, the loss of customers and staff. In view of this, businesses should make avoiding data breaches a key operational objective.

What to do if your business suffers a data breach

It is a common myth that all data breaches must be reported. Rather, under the UK GDPR, a data breach only needs to be reported to the ICO where there is a risk to the individuals whose personal data has been breached. Whether or not there is such a risk will be a matter of fact, but organisations must consider:

  • The number of affected individuals;
  • The nature and sensitivity of the information in question;
  • The volume of personal data breached;
  • The identity of the unauthorised recipient of the data.

Where the data breach is reportable to the ICO, organisations must report it without undue delay and not later than 72 hours after becoming aware of the breach.

In certain circumstances, organisations are also required to report the breach to the individuals whose data has been compromised. This is necessary where:

  • there is a high risk to the individuals in question; and
  • there were not appropriate technical and organisational measures in place at the time of the incident to protect the data concerned. Notifying the individuals directly is not required where doing so would involve disproportionate effort, in which case a public communication is used instead.

Where the data breach is reportable to the affected individuals, the organisation must report to those individuals without “undue delay” (albeit that there is no strict timescale imposed). Of course, organisations would also need to consider whether reporting to the affected individuals – even where not required under the UK GDPR – is a matter of good commercial practice.

How to avoid a data breach or, if a data breach occurs, how to mitigate risk

It is a matter of fact that most (if not all) businesses will at some point suffer a data breach. However, an organisation’s best chance of avoiding a data breach is to (a) ensure that all personnel using personal information know what constitutes a breach; and (b) ensure that clear policies, procedures and mechanisms are in place to catch the breach before it happens.

Firstly, organisations must ensure that staff know what amounts to a data breach. For example, staff may not be aware that sending an email to the wrong person is a data breach under the UK GDPR. The definition – and practical examples – of a data breach should be clearly set out in the organisation’s internal policies. If an organisation’s staff do not know when a data breach has been committed, then they will not be in a position to take the necessary reporting measures.

Secondly, organisations should invest in having the necessary policies, procedures and mechanisms in place to catch a data breach before it happens. For example, this may include technological solutions (e.g. software that checks, before an email is sent, that the recipient addresses are correct).
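One concrete form of the “software that checks the email address” idea, written as an added example for this article (it is not code from Twitch, the MOD or the authors): a pre-send check that flags (a) several external recipients placed in To/Cc, where each would see the others’ addresses, which is the failure mode behind the MOD email, and (b) a recipient domain that is one character away from a domain the organisation regularly writes to, which is the classic mistyped address. The domains, threshold and sample addresses are assumed values constructed for the example.

```python
"""Pre-send recipient check (constructed example, not the firm's or any vendor's code).

Two checks run over a draft message:
  1. Bulk visible recipients: many external addresses in To/Cc would disclose
     every recipient's address to all the others; they belong in Bcc.
  2. Look-alike domains: a recipient domain one edit away from a domain we
     regularly correspond with is most likely a typo.
All domains, addresses and thresholds are assumptions made up for the example.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional


@dataclass
class Draft:
    sender: str
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)


INTERNAL_DOMAINS = {"example-firm.co.uk"}  # assumption: the organisation's own domain(s)
KNOWN_DOMAINS = {"example-firm.co.uk", "client-example.com", "gov-example.uk"}  # assumption
MAX_VISIBLE_EXTERNAL = 1  # assumption: more than this many external addresses in To/Cc needs Bcc


def domain_of(address: str) -> str:
    """Return the lowercase domain of an address, tolerating 'Name <addr>' form; '' if malformed."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, used to spot one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return a known domain within one edit of `domain`, or None if it is exact or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if edit_distance(domain, known) == 1:
            return known
    return None


def check_draft(draft: Draft) -> List[str]:
    """Return a list of warnings for the draft; an empty list means it passed both checks."""
    warnings = []
    visible = draft.to + draft.cc
    external_visible = [a for a in visible if domain_of(a) not in INTERNAL_DOMAINS]
    if len(external_visible) > MAX_VISIBLE_EXTERNAL:
        warnings.append(
            f"{len(external_visible)} external recipients in To/Cc; each would see the "
            "others' addresses. Move them to Bcc."
        )
    for address in visible + draft.bcc:
        domain = domain_of(address)
        if not domain:
            warnings.append(f"{address!r} is not a valid email address")
            continue
        match = lookalike_of(domain)
        if match:
            warnings.append(f"{address}: domain {domain!r} looks like a typo of {match!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: three external recipients in To, as in the MOD incident.
    sample = Draft(
        sender="staff@example-firm.co.uk",
        to=["a@relocation-example.org", "b@relocation-example.org", "c@relocation-example.org"],
    )
    for line in check_draft(sample):
        print("WARNING:", line)
```

The Bcc check is deliberately blunt (a count, not a content classifier) because the failure it guards against is structural: once more than a handful of external addresses are visible to each other, the message has already become a disclosure regardless of its body. The look-alike check is limited to a single edit so that genuinely different domains are not flagged as typos.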

However, it is almost impossible to entirely eliminate human error within the workforce, so it is important to ensure that staff know what to do in the event of a data breach, in order to mitigate risk.

Organisations with a no-blame culture tend to be better placed to ensure that staff own up to their errors as soon as possible, rather than attempting to cover them up for fear of criticism. If the organisation does not know that a data breach has occurred, then it will not be able to comply with its obligations under the UK GDPR. This is especially vital given that failure to report a breach to the ICO, or to comply with the other obligations under the UK GDPR, could result in a fine of up to £17.5 million or 4 per cent of the organisation’s global turnover.

It goes without saying that the data breaches committed by Twitch and the MOD were particularly serious, given the nature and scope of the information. However, organisations of all sizes are likely to suffer data breaches, so it is crucial that you know what to do, and when, to avoid falling foul of the fines and other sanctions under the UK GDPR.

If you and your company need any advice relating to data protection, data breaches, or require any data protection policies, please contact a member of our Data Protection Team by email or by calling 01603 610911.

Article by Alex Saunders, Partner, and the Leathes Prior Team
October 8, 2021