The illegal trade in personal data is booming. Over the last few years, criminal gangs have launched major attacks on all kinds of companies, organisations and state institutions, attempting to steal or hold for ransom the personal data of UK citizens.
Your right to protection when it comes to personal data is enshrined in UK law – with GDPR stipulating strict protocols for any company’s duty of care for any sensitive details and personal data it holds. However, the sophistication of cybercriminals, and the sloppiness of some companies when it comes to data protection and security, have resulted in some high-profile data breaches that put employees and service users at risk.
The seriousness and frequency of cyber attacks on organisations big and small are only increasing. In this article, we explain how data breaches break consumer law and which companies and organisations could be liable to pay compensation to their customers and employees.
In 2023, the government updated its long-term defence strategy, which stated that the use of “commercial spyware, ransomware and offensive cyber capabilities by state and non-state actors has proliferated.” This was in response to a rising tide of cyberattacks which, unfortunately, has continued to grow.
In 2024 all kinds of public institutions and private firms were targeted by hackers looking to steal data or demand ransoms, including Southern Water, Transport for London, and a laboratory that processes blood tests for the NHS.
Cyber gangs will either steal and sell data to other scammers and criminals on the dark web, or hold the data for ransom – demanding huge sums from the company to prevent it being released.
In October 2023, the hacker group, Rhysida, attacked the online information systems of the British Library: they demanded a ransom of 20 bitcoin, at the time around £600,000. When the British Library did not pay they publicly released approximately 600GB of stolen data.
As well as criminal gangs, it seems that some cyberattacks are conducted by foreign governments: China was accused of orchestrating a hack targeting the details held by the Electoral Commission in August 2021, and Russian intelligence has been blamed for targeted hacks against politicians, civil servants, journalists, academics and others in public life as a way of interfering in UK politics.
The General Data Protection Regulation (or GDPR) was enacted into British law by The Data Protection Act 2018. This piece of legislation means that when organisations want or need to process your personal data they must seek permission first and are held to strict regulations on how it is handled, protected and stored.
GDPR means that when you give your personal information to anyone – whether a company, service provider or your employer – they have a duty of care to protect it. After all, if it ended up in the public domain you could be at risk of all kinds of fraud.
If there is a data breach, organisations have 72 hours to report it to the Information Commissioner’s Office (ICO), which will then conduct an investigation. They must also inform anyone whose personal information has been compromised.
There have been some major data breaches over the last few years where lax security allowed hackers to gain access to sensitive personal information.
While those affected by the breaches would have been notified about the attack (in accordance with ICO regulations), many may be completely unaware that they could receive compensation for the breach and any subsequent issues they had due to their details being compromised.
In May of 2024, there was a significant data breach at the Ministry of Defence that affected the personal information of serving and former UK armed forces personnel.
Hackers targeted the payroll system – which was managed by an external contractor. While no internal or operational MOD data was stolen, the names, bank details and even addresses of current and former members of the Royal Navy, Army and Royal Air Force were obtained.
It is still unknown who was behind the hack or what the data may be used for, but if you’re an MoD employee, you might be eligible for compensation provided you can prove the breach and harm caused.
The MOD case shows how criminals often target systems that are outsourced. In 2023 there was a massive data breach at outsourcing giant Capita – who are used by many public and private organisations and handle the data of millions of their employees or service users.
In March, Capita was attacked by the criminal ransomware gang Black Basta, who targeted Capita’s Microsoft Office 365 software and stole huge amounts of data, including personal details, financial records and sensitive corporate data. A second data breach was also reported by local authorities, who found benefits data unsecured online – exposed and unprotected by a password, perhaps since 2016!
Capita claims that no personal bank account details were compromised by this data security breach.
Perhaps those most affected are people with pension schemes administered through Capita – including around 470,000 members of the Universities Superannuation Scheme (USS) and more than 100,000 members of the Marks and Spencer pension scheme (including more than 50,000 pensioners).
In August 2022 South Staffs Water and Cambridge Water said they had been the victim of a cyber-attack that targeted their corporate IT network. Customers of these water companies had personal information, including bank account details, hacked and published on the dark net.
On March 7th 2024, Leicester City Council shut down its IT networks and phone system when a security incident was detected. The attack was carried out by a known ransomware group who had previously targeted a number of government, education and health organisations around the world.
The council have recently said that more data was stolen during the cyber-attack than they originally thought.
When your personal data is stolen, and then bought and sold by criminal gangs, you’re exposed to all kinds of problems, such as identity theft or fraud.
As well as the obvious financial losses, there are also all kinds of hidden costs – including sleepless nights and the time, energy and inconvenience of closing compromised accounts, reporting or remaining vigilant for suspicious activity.
As data breaches become more and more common, it is vital that you hold companies accountable for security failures. So if your data has been compromised in one of these high-profile breaches you should seek some kind of redress from the company that failed to protect you.
Our recommended provider, Barings Law, is helping anyone caught up in the following data breaches:
Claiming damages with Barings Law will save you time and energy and protect you from legal costs later on – you’ll only pay a fee if you are awarded compensation.
If you have any thoughts on this topic, or any other consumer issues you would like us to cover, feel free to get in touch with us at support@resolver.co.uk.