Lucia Bar in ‘shocking’ privacy breach

The CVs of over 600 people, including York students, were uploaded to their website in breach of the Data Protection Act

Lucia Wine Bar and Grill have been accused of breaking data protection laws after the CVs of over 600 people, including York students, were uploaded to their website.

The CVs and cover letters of 605 people who had applied online to work at Lucia, which has branches in York and Beverley, were made available online.

Many of the CVs contained the addresses, phone numbers and email addresses of the applicants.Several of those who had uploaded their CVs were under 18.

All the files were available to download and could be easily accessed via a Google search.

This breaches section seven of the Data Protection Act of 1998 which states that: “Appropriate security measures must be taken to protect against unauthorised or illegal data processing. Data controllers must make sure that security controls are in place and are followed. Only employees who need to use personal data to carry out their work should have access to that data.”

Serious breaches of the Act can be fined up to £500,000.

George Hughes, the York student who originally discovered the data breach, said “I think it is absolutely harrowing that this information is so freely available.”

Alexander Watkins, a third year student at York who applied for a job at Lucia and whose personal information has been compromised told Nouse: “The fact that my personal details – phone number and address – are available, when I submitted that to the company in confidence, is pretty disgraceful anyway. But the fact it is so easily accessible via an index search on Google, something I was doing when I was 11 to pirate songs, is ridiculous in this day and age.

“I have posted on their Facebook page, but given the recent stories about Bora Bora, I have a feeling the ‘Latin Quarter’ of York has a less than serious approach to how it treats its customers.”

When contacted by Nouse, Lucia’s Wine Bar said, “we’d like to thank you for letting us know. As a company we do take these matters seriously.

“We can assure you that this is now in our hands and our website designer will make sure that all the information have come to us safe and private.”

Lucia’s website developer, Studio EightyEight later responded, saying “CVs which were uploaded to the website by the public were handled differently to the other data that we store, however this has now been changed.

“A full security review of the website will be conducted and changes will be made where required.”

The Open Rights Group, a member organisation of European Digital Rights who fight to defend digital privacy, commented on the data leak, telling Nouse: “This is quite a shocking breach of privacy. Companies have a legal responsibility to protect the personal data they hold about us, particularly the kind of sensitive information that can be found on a CV.

“Data protection laws are an essential part of preserving our right to privacy and ensuring that we have control over personal information that is held by governments and corporations.”


  1. Just to let you know- it’s ‘section’ 7 not ‘principle’ 7 of the Data Protection Act.

    Reply Report

  2. hi I am one of the director of Lucia and we took your points onboard..All the data are now safe with password entry..I like to thank you once again and I hope in the future we would like hear good lines and stories about our restaurant as you did one last year..xx

    Reply Report

Leave a comment

Please note our disclaimer relating to comments submitted. Please do not post pretending to be another person. Nouse is not responsible for user-submitted content.