Customers of the conveyancing firm Simplify Group are planning to launch legal action after some have seen their property purchases stalled for more than a month following a data breach.
The firm’s systems were shut down on 8 November after what appears to have been a cyber security incident, leaving some customers unable to exchange, complete or move home.
Now, a law firm is working with customers of the group – whose brands include Premier Property Lawyers, JS Law, DC Law and Advantage Property Lawyers – with a view to bringing a compensation claim against Simplify.
Hayes Connor, which specialises in data breaches, said it had been contacted by a number of customers who were worried about the impact the breach could have on them.
Simplify Group conveyancing customers have experienced delays in their house purchases and sales following a security incident in November, and it is unclear whether their data is safe
Customers were initially concerned that money they had transferred to their solicitor may have been stolen by hackers.
Simplify Group and the Council for Licensed Conveyancers, the regulator which has been monitoring the situation, have since stated that all customer funds are safe.
However, there are still unaddressed concerns about the safety of customers’ personal data, as many had given over bank details, addresses and copies of driving licences or passports in order to buy or sell their homes.
Fraudsters can use this information to make applications for credit in customers’ names.
Hayes Connor is collecting evidence from customers with a view to bringing a group litigation claim against Simplify, This is Money understands.
‘Buying or selling a home is one of the most stressful times for anyone at the best of times, so to be facing extra worry is something none of these people want – especially just before Christmas,’ said Richard Forrest, Legal Director at Hayes Connor.
Simplify Group conveyancing firms are recommended to home buyers by the likes of estate agents Purplebricks, Strike, Yopa and Fine & Country, among others
‘To make matters worse we are still unclear exactly what has happened and what data has been breached.
‘Home moves involve a huge amount of personal data which can be very valuable to the wrong sort of people so Simplify have a duty to all of their customers to let people know what has happened, why and how exactly they have been affected, and to do so immediately.
‘Any further delay will just add to the worry people are already suffering just when they least need that extra stress.’
‘Simplify Group should put its money where its mouth is’
First-time buyer and Premier Property Lawyers customer Monika Kujur first started the conveyancing process on her future home in June, but is yet to complete almost six months later.
She is still paying rent on her current home, and says she is feeling anxious about the whole situation. Monika says:
‘Not only did they take much longer than the expected 12-16 weeks to finalise this property sale, due to their incompetence and lack of intiative in following up on conveyancing tasks, but their IT systems outage has now caused me to have to pay at least a month’s extra rent for accommodation.
‘I believe their systems outage occurred around 8 November, and I had no visibility and no progress for over a month.
All we want is a roof over our heads, but the conveyancing firms fob us off with legalese when we complain
‘They have added charges for exceptional market conditions to my bill, although I see nothing to suggest paying a premium added to their expediency.
‘If I hired a new conveyancing firm, I would likely spend another 3-4 months in limbo, further inflating my rent costs and losing my mortgage offer.
‘I am close to exchange now, but I think we, the property buyers and sellers, are quite powerless in these situations.
‘All we want is a roof over our heads. Our life savings are ploughed into the agreed sale price.
‘This is an anxious time for me especially as a first time buyer, and these conveyancing firms just fob us off with legalese when we protest we are not getting the services we paid for.
‘I do hope there is some way to set things right, and they are made to put their money where their mouth is.’
The amount of compensation that customers may receive, if an eventual claim is successful, will depend on what data has been exposed.
It will also depend on the distress that has been caused to them by the situation, which can vary from person to person.
Hayes Connor is calling for Simplify to provide an update on the safety of customers’ personal information, saying customers have been met with a ‘wall of silence’ so far.
While Simplify has said that it is now at ‘close to business as usual capacity,’ some customers have told This is Money that their transactions have still not been completed.
A typical property purchase or sale takes around 12 weeks to complete.
The nature of the security breach has not been made public, but Simplify has confirmed to This is Money that it is the subject of an ‘ongoing criminal investigation’.
Security incident: The nature of the data breach at Simplify has still not been confirmed,but the group has said that it is the subject of an ongoing criminal investigation
While the Hayes Connor claim would be likely to come under data breach legislation, This is Money understands that there could also be a case for a professional negligence claim to be brought against Simplify.
All contracts provide for a situation where the completion is delayed, with customers potentially able to bring claims for some of the costs incurred. These would usually be settled via their lawyer’s professional indemnity insurance.
Simplify firms are recommended to home buyers by the likes of estate agents Purplebricks, Strike, Yopa and Fine & Country, among others.
Together, it is estimated that they are involved in around five per cent of property transactions – spelling disruption for those who are in chains with Simplify Group customers, as well as the customers themselves.
The breach led to clients being unable to complete or exchange on their purchases, with some on the brink of completion when the inicident occured saying they were stuck with all their possessions in a removal van and with nowhere to stay.
One even told us that he had been forced to sleep in his car.
With websites down and phone lines congested when the breach first happened, many were unable to contact their conveyancer to find out the status of their sale or purchase, and some are still facing long waits to hear back from them.
Some buyers have told This is Money that their transactions have fallen through because the other parties in the transaction refused to wait any longer and pulled out.
‘I lost out on my dream home’
JS Law customer Nasir Aminu from Cardiff is running almost a month late on his initial completion date, as the delays caused his first buyer to pull out.
This also meant that he lost out on the home he wanted to move to. He says:
‘I was referred to JS Law by Purplebricks after I sold my property. I was meant to complete my sale and purchase by the end of November 2021, but JS Law is ruining the whole business.
‘The buyers of my property pulled out, and I have had to withdraw my offer on my own new home.
‘My solicitor does not respond to my polite queries as the paying customer. However, she responds to a third party within a few hours of them asking the same questions.
‘After getting a new offer on my home I have decided to change solicitors, but JS Law is frustrating the process by refusing to send over documents to my new firm.’
Other than saying that those who switched conveyancers would not need to pay for Simplify’s previous work, the firm has not made clear if it will voluntarily provide any compensation for customers who have seen their house purchases fall through.
In late November, regulator the Council for Licensed Conveyancers told those who had not exchanged to consider switching to a different conveyancing firm in order to progress.
A spokesman for Simplify told This is Money: ‘We understand that, during the period where systems were unavailable, clients may have experienced delays to their transactions but we expect that, from early in the new year things will start to feel normal for clients, both existing and new.
‘Simplify continues to do everything possible to minimise any impact on our customers and prioritise their needs.
‘This incident is the subject of a criminal investigation that limits how much information we can provide at this time, however we can confirm that this investigation is making progress.
‘Importantly, we are adding additional layers of security, in order to protect against the continued and growing cyber threats that all businesses in our sector (and many others) are now unfortunately exposed to.’
While the law does not stipulate a time limit on when Simplify would need to give customers information about the nature of the incident and whether their data was safe, Forrest said companies were encouraged by the Information Commissioners’ Office to let them know as soon as possible.
However, Forrest conceded that Simplify itself may still not be fully aware of what information had been exposed.
‘It has all the hallmarks of an external attack on their systems,’ he said. ‘I can’t think what else it would be’.
One type of security breach is a ransomware attack, where fraudsters hack in to a company’s systems and encrypt its data.
They then demand a payment, upon receipt of which they will restore access to the information.
Recent examples of this include the payroll systems firm Kronos, which is used to log staff hours at Sainsbury’s among other large businesses; and the retailer Spar, which was forced to close some stores temporarily earlier this month after a ransomware attack.
How to keep your data safe
A Cifas spokesperson gave This is Money the following tips on securing your personal data if it might have been stolen.
Concern: Customers are urged to monitor their bank accounts carefully and look out for any unauthorised spending
Check for suspicious spending
‘If you think your passport or driving licence may have been accessed, this could leave you open to identity fraud.
‘This means someone could apply for a credit card, bank loan, or open an online retail spending account in your name.
‘I would also say it is worth regularly checking your bank statements and credit profiles for any spending. If your credit profile changes then contact the credit agency and query it.’
Consider cancelling cards
‘You could also get in touch with your bank to cancel your card as a precautionary measure, or even just to alert them about what has happened. It’s not going to do any harm.’
Take out a Cifas registration
‘If you are worried that your personal information has been compromised, I would recommend taking out a protective registration with us.
‘This costs £25 for two years, and it means that more than 600 Cifas member organisations will check any credit applications under your name against the National Fraud Database, and carry out additional checks to make sure it is you.’
Some links in this article may be affiliate links. If you click on them we may earn a small commission. That helps us fund This Is Money, and keep it free to use. We do not write articles to promote products. We do not allow any commercial relationship to affect our editorial independence.