Case Study: How a UK Transport SME Responded to a GDPR Breach Involving Driver and Customer Data
By Daniel Agyemang Prempeh, Founder, DefendVista
Executive summary
A regional UK transport SME running around 30 vehicles learned, from an unsolicited message sent through its public website, that an internal SharePoint folder containing driver licences, vehicle compliance documents and customer contact details had been shared, for convenience, with ‘Anyone with the link’ for over four months. The link had been indexed by a search engine and accessed from 47 unique IP addresses. DefendVista was engaged within two hours of the discovery. We led the breach response, took the data offline within 35 minutes of being called, completed a forensic assessment from the Microsoft 365 audit logs, supported the ICO notification, communicated with affected data subjects and rebuilt the client's data governance posture. The ICO closed the case with no enforcement action.
Who the business was
Sector
Regional transport and contract logistics
Fleet
Around 30 vehicles operating across the North East and Yorkshire
Employees
48 including drivers, traffic office, compliance and admin
Annual turnover
£5.4m, mixed contract work for industrial and public sector customers
Key systems
Microsoft 365, SharePoint, TMS, driver licence checking service, payroll
Data protection maturity
Registered with the ICO. No DPO. No DPIA process. Privacy notices last updated in 2019.
The starting point
The compliance manager had set up a shared folder on SharePoint to collect driver licences, DBS checks and CPC cards from a new intake of drivers six months earlier. Rather than work through the slightly awkward internal sharing flow, she had used ‘Anyone with the link, can view’ and emailed the link to her own personal account so she could review documents at home.
The personal email account was later signed into on a tablet that was sold on eBay without being wiped. The buyer eventually contacted the company through its public website to alert it that documents containing driver names, addresses, photographs and licence numbers were accessible from a link in the inbox.
By the time the company looked at SharePoint, the folder contained 312 documents across 41 drivers, plus 18 customer contact files added later. The folder had been accessed by 47 unique IP addresses over the previous four months, including from countries with no business relationship.
What went wrong
Identifiable personal data of drivers, including photographs, addresses, dates of birth and licence numbers, had been accessible to anyone on the internet for over four months.
Sensitive personal data, including DBS results for some drivers, was in scope, which raised the severity classification of the breach significantly.
Customer contact data, including phone numbers and email addresses of named contacts at industrial sites, was also exposed and may have been harvested for downstream phishing.
There was no documented Data Protection Impact Assessment, no breach register, no records of processing activity and no incident response plan covering data breaches. The 72 hour ICO notification clock was already running.
What was at stake
- 59 data subjects affected: 41 drivers (including DBS results for some) and 18 named customer contacts.
- 312 documents exposed: driver licences, photo IDs, DBS results, CPC cards and customer contact sheets.
- Around 4 months window of exposure: from folder creation to the alert from a third party.
- £8.7m / 2% maximum theoretical UK GDPR fine: the higher of the two figures, which is the standard maximum tier under UK GDPR for a security failure of this kind, used to frame the board risk discussion. Actual outcome: no enforcement.
What would have happened if nothing changed
- ICO enforcement action, including monetary penalty up to the higher of 2 per cent of global turnover or around £8.7m, plus an enforcement notice and reputational damage.
- Compensation claims from affected drivers or customer contacts under UK GDPR, including potential claims for distress and identity theft mitigation costs.
- Loss of public sector contracts that include data protection warranties and termination rights on serious breach.
- Increased risk of targeted phishing, identity fraud and SIM swap attacks against the named individuals whose data was exposed.
- Reputational damage if the breach were to be reported in the trade press or local media before the company had a coherent response in place.
Worried this could be your business?
Book a free 30 minute consultation with a UK cybersecurity specialist who understands transport and logistics. No sales pressure, just a frank conversation about your exposure.
What the forensics showed
- The SharePoint folder had been set to ‘Anyone with the link, can view’ on the day it was created. Microsoft 365 audit logs confirmed the configuration, the date and the user who created the link.
- Search engine cache snapshots confirmed the link had been indexed within seven weeks of creation, after the URL appeared in a forwarded email signature posted to a public mailing list.
- Microsoft 365 audit logs showed 47 unique IP addresses had accessed the folder, with a small number of repeat visitors from outside the UK who had downloaded a large proportion of the documents.
- There was no evidence of further intrusion into the rest of the SharePoint tenant or any other system, but auditing had only been enabled for 30 days at the point of investigation, limiting visibility on earlier activity.
- Privacy notices, contracts and the data breach response process were all materially out of date or absent altogether, which materially affected the regulatory posture of the business.
What we did in the first 24 hours
01. Pull the data offline immediately
Disabled the anonymous link and restricted the folder to named users only within 35 minutes of being called. Confirmed from the tenant sharing settings and the subsequent audit log that the link no longer resolved and that no further anonymous access occurred.
02. Forensic timeline of access
Pulled Microsoft 365 unified audit logs to identify every IP address, its geolocation and every document accessed. Built a defensible record of who saw what and when, which became the backbone of the ICO notification.
03. ICO notification within 72 hours
Drafted and submitted a structured breach notification to the ICO within the statutory window, with a clear timeline, scope assessment, immediate actions and remediation plan.
04. Notification to affected data subjects
Wrote and sent personalised notifications to all 41 drivers and 18 customer contacts, with practical guidance on what to watch for and a direct contact point inside the business.
05. Engage external legal counsel
Connected the client with a data protection solicitor to review the notifications, advise on individual compensation risk and prepare a board level brief on potential enforcement exposure.
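The access timeline in step 02 can be rebuilt from the unified audit log. The script below is an added PowerShell example, not the tooling used on this engagement. It assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run by an account holding the View-Only Audit Logs role; the folder URL, the 120 day window and the containment timestamp are placeholders. The audit record carries the client IP but not a country, so geolocation is a separate step, and the search only reaches back as far as the tenant's audit retention, which is exactly the limit the forensics hit here.

```powershell
# Added example: rebuild "who saw what, when" for a folder exposed by an anonymous link.
# Assumes Connect-ExchangeOnline has been run (ExchangeOnlineManagement module) by an
# account with the View-Only Audit Logs role. URL, window and containment time are placeholders.
$folderUrl   = "https://contoso.sharepoint.com/sites/Compliance/Shared Documents/Driver Onboarding"
$start       = (Get-Date).AddDays(-120)   # the incident window; retention, not this value, bounds what comes back
$end         = Get-Date
$containedAt = Get-Date "2025-01-01T10:35:00"   # placeholder: the moment the anonymous link was disabled

# Link creation, link use and file reads/downloads are the operations that reconstruct an Anyone-link exposure.
$ops = "AnonymousLinkCreated","AnonymousLinkUsed","SharingSet","FileAccessed","FileDownloaded"

# Search-UnifiedAuditLog caps a single call at 5,000 rows; SessionCommand pages through larger sets.
$sessionId = "anon-link-" + [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    $records += $page
} while (@($page).Count -eq 5000)

# AuditData is a JSON string; pull out the fields the timeline needs and keep only this folder.
# Anonymous link users have no account: UserId is a per-link urn:spo:anon# identity, so ClientIP is the pivot.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    if ($d.ObjectId -like "$folderUrl*") {
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            Operation = $d.Operation
            UserId    = $d.UserId
            ClientIP  = $d.ClientIP
            Document  = $d.SourceFileName
            UserAgent = $d.UserAgent
        }
    }
}

# One row per IP: first/last seen, total events, distinct documents, downloads. Country is not in the
# audit record; geolocate ClientIP separately before a country goes into the ICO timeline.
$byIp = $events | Group-Object ClientIP | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        ClientIP  = $_.Name
        FirstSeen = $sorted[0].Time
        LastSeen  = $sorted[-1].Time
        Events    = $_.Count
        Documents = @($_.Group.Document | Sort-Object -Unique).Count
        Downloads = @($_.Group | Where-Object Operation -eq "FileDownloaded").Count
    }
} | Sort-Object Downloads, Events -Descending

$byIp | Format-Table -AutoSize

# Containment check: any anonymous link use after the link was disabled means the fix did not take.
$late = $events | Where-Object { $_.Operation -eq "AnonymousLinkUsed" -and $_.Time -gt $containedAt }
if ($late) { Write-Warning "$(@($late).Count) anonymous access events after containment; re-check tenant sharing settings" }

# Export the raw events and the per-IP summary: these are the defensible records behind the notification.
$events | Sort-Object Time | Export-Csv .\folder-access-timeline.csv -NoTypeInformation
$byIp   | Export-Csv .\access-by-ip.csv -NoTypeInformation
```

The per-IP table is what surfaces the pattern described in the forensics section: a handful of repeat visitors with a high Downloads count against a large Documents count. Keep the raw CSV as well as the summary; the regulator and the solicitor will both want to see the underlying events, not just the conclusion.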
How we got the business back on its feet
01. Lock down sharing across SharePoint
Configured tenant level sharing controls so anonymous links are disabled by default, external sharing is restricted to approved domains, and any sensitivity label on a document triggers additional review before it can be shared.
02. Enable and retain full audit logging
Turned on comprehensive Microsoft 365 audit logging, extended retention to 12 months, and connected logs to a managed monitoring service so future incidents have full visibility from minute one.
03. Records of Processing and DPIA framework
Built a Records of Processing Activity register covering driver, customer, employee and supplier data, plus a lightweight DPIA template that has to be completed for any new data collection.
04. Privacy notices and contracts refreshed
Rewrote the public privacy notice, the driver privacy notice and the standard customer data protection clauses. Audited supplier contracts for required UK GDPR processor terms.
05. Annual data protection training
Rolled out a short, role specific annual training programme covering safe sharing, supplier requests for data, subject access requests and breach reporting, owned by the operations director.
What we built so it could not happen again
- Tenant level SharePoint and OneDrive sharing controls aligned to a documented data classification policy.
- Sensitivity labels on driver, employee and customer data, with automatic encryption and download restrictions for the most sensitive labels.
- Records of Processing Activity register maintained quarterly, owned by the operations director with light touch DPO support from DefendVista.
- Documented data breach response plan with a one page playbook for the operations director, including pre approved ICO notification template.
- Annual data protection training, joiner training and leaver process integrated into HR.
- Independent third party audit of the data protection posture every 18 months, with results presented to the board.
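The tenant sharing controls and audit retention behind items 01 and 02 of the recovery list and the first bullets above come down to a small number of settings. The script below is an added PowerShell example, not the client's configuration as deployed. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, a SharePoint administrator for Connect-SPOService and an account able to manage audit retention policies for Connect-ExchangeOnline; the admin URL and the approved customer domains are placeholders. Sensitivity labels and their encryption and download restrictions are configured in Purview and are not covered here.

```powershell
# Added example: tenant wide sharing lockdown, 12 month audit retention, and read-back checks.
# Assumes Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement are installed.
# Admin URL and approved customer domains are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Sharing: no "Anyone" links at all (existing Anyone links stop resolving once this is set),
#    guests only from an approved domain list, people-in-the-organisation links by default,
#    and invitations redeemable only by the invited identity.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "customer-a.co.uk customer-b.com" `
              -RequireAcceptingAccountMatchInvitedAccount $true

# Sites cannot be more open than the tenant, but bring any site still configured for Anyone links
# into line so the setting is explicit rather than merely capped by the tenant default.
Get-SPOSite -Limit All |
    Where-Object SharingCapability -eq "ExternalUserAndGuestSharing" |
    ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly }

# 2. Auditing: make sure unified audit ingestion is on, then keep SharePoint file and sharing
#    events for 12 months. Audit (Standard) retains 180 days; a longer policy needs Audit (Premium)
#    licensing for the users whose activity it covers.
Connect-ExchangeOnline
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
New-UnifiedAuditLogRetentionPolicy -Name "SharePoint file and sharing events 12 months" `
    -RecordTypes SharePointFileOperation, SharePointSharingOperation `
    -RetentionDuration TwelveMonths -Priority 10

# 3. Read the posture back rather than trusting the commands ran; this is what an auditor asks for.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, SharingDomainRestrictionMode, SharingAllowedDomainList
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RecordTypes, RetentionDuration, Priority
```

Two caveats worth stating to the board. Turning off Anyone links at tenant level kills every existing Anyone link in the tenant at once, so warn the traffic office before running it rather than after. And a 12 month retention policy only applies from the day it is created; it does not recover events that had already aged out, which is why this control has to be in place before the incident, not after.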
Measurable results
- ICO outcome: no enforcement.
- Compensation claims received: 0.
- Public sector contracts retained: 100%.
- Time to data offline: 35 minutes.
- Time to ICO notification: 48 hours.
- Repeat data breaches in the 18 months since: 0.
The ICO acknowledged the breach, accepted the documented containment, communications and remediation work, and closed the case without enforcement. No individual compensation claims were received in the twelve months following the notifications. The client used the experience to upgrade their data protection posture from ad hoc to genuinely audit ready, and now references the work in tender responses for public sector contracts.
What other operators should take from this
‘Anyone with the link’ is the default and the danger
Most SharePoint and OneDrive breaches we investigate involve anonymous sharing links used out of convenience. Disabling these at tenant level removes the largest single category of accidental data exposure in modern Microsoft 365 environments.
Audit logging needs to be on before you need it
By default, Microsoft 365 keeps unified audit logs for a limited period (180 days on Audit (Standard) at current defaults, and nothing from before the date logging was switched on). If you only turn it on after the breach, you cannot prove what happened. Longer retention needs a retention policy and Audit (Premium) licensing; it is cheap insurance relative to an ICO investigation and essential for the conversation with the regulator.
The ICO rewards documented, honest response
In our experience, transport SMEs that engage early, notify within 72 hours, communicate clearly with data subjects and document their remediation rarely face enforcement. Cover ups or slow responses are what attract penalties.
Personal devices and personal accounts are part of your risk
A single sharing link forwarded to a personal account, then opened on a personal device that was later sold unwiped, created this entire breach. Clear policy, backed by Microsoft 365 controls that make the shortcut impossible, matters more than any one technical tool.
Data protection is operational, not legal
Transport SMEs do not need an in house data protection lawyer. They need an operations director who understands the basics, supported by a specialist who knows the sector and the regulator.
If this sounds uncomfortably familiar
DefendVista provides UK transport and logistics SMEs with practical GDPR support that fits how they actually run. We harden Microsoft 365 sharing, build a usable RoPA and DPIA process, rewrite privacy notices and contracts, train staff in plain English and provide light touch outsourced data protection support. If you have a live breach, we lead the response, draft the ICO notification and protect the operating business through the process.
Common questions on this kind of incident
Do we have to report a GDPR breach to the ICO?
If personal data has been accessed, exfiltrated, altered or destroyed in a way that is likely to risk individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware. For most transport SME breaches involving driver or customer data, the answer is yes.
What happens if we do not notify the ICO in time?
Late or non notification is itself a breach of UK GDPR and significantly increases the risk of enforcement action. The ICO is generally more sympathetic to honest, prompt notifications than to cover ups discovered later.
Will we be fined for a data breach?
Not necessarily. In our experience, transport SMEs that engage early, notify quickly, communicate with affected individuals and document a credible remediation plan rarely face monetary penalties for first time, non egregious breaches. Documentation and tone matter enormously.
Do we need to tell our drivers and customers about a breach?
If the breach is likely to result in a high risk to individuals, yes, you must notify them directly. Even where the legal threshold is not met, transparent communication usually preserves relationships and reduces compensation risk.
How do we stop SharePoint and OneDrive breaches happening?
Disable anonymous sharing links at tenant level, restrict external sharing to approved domains, apply sensitivity labels to driver and customer data, and train staff in plain English on safe sharing. These four changes prevent the overwhelming majority of incidents we see.
Do we need a Data Protection Officer?
Most UK transport SMEs are not legally required to appoint a DPO, but they do need someone who owns data protection in practice. We provide light touch outsourced support so the operations director has expert backup without the cost of a full time hire.
Do not wait for your own case study to be written.
Book a free consultation with DefendVista. We will tell you, in plain English, where your operation is exposed and what to do about it first.