Originally Posted by binman

No,this is a self inflicted wound by a company with a long history of IT failures and contempt for customers. The law is clear and they have failed to follow the regulations. In particular they have failed to provide the absolute minimum information in their email to those affected which should have included.

"What information must we provide to individuals when telling them about a breach?

You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

• the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects."

Given their size and resources the email sent is unacceptable. Only by pushing back will anything change.