A data breach at my old workplace leaked my financial information: Can I get compensation?

I recently received an email from a company I used to work for, saying that there has been a cyber-attack and my personal and financial information could have been compromised.

I have spoken to some former colleagues about this, and we have a lot of questions.

Is it possible for us to find out what, if any, information the hackers have stolen about each of us personally? The email said it could have included payslips (so addresses and national insurance numbers), bank details, copies of passports and driving licences which seems serious.

And what should we do to protect ourselves? Most of us have changed our online banking passwords, but what else?

I have read it may be possible to get compensation, how does that work?

The company has also offered us a free 12-month subscription to a 'credit and web monitoring' service which apparently helps to flag up any suspicious activity.

If we accepted that, would it affect any right to compensation? L.C, London

Data breach: Hackers target companies to steal sensitive information about their employees which they can later sell on to other criminals on the dark web

Data breach: Hackers target companies to steal sensitive information about their employees which they can later sell on to other criminals on the dark web 

Harvey Dorset, of This is Money, replies: Unfortunately, given the increasingly digital world in which we live, data breaches are becoming more and more common, having grown almost continuously since the early 2000s.

Last year, there were 7.78million cyber attacks against UK businesses, with half of British businesses experiencing a cyber-attack.

Criminals often target companies and steal their data, and in most cases proceed to sell said data on the dark web.

Stolen data can include customer records, employee details and financial data.

Criminals use this data to commit identity theft, account takeovers, and phishing attacks.

Under GDPR rules in the UK, companies that have experienced a data breach are required to notify individuals whose data is at risk as a result.

If your data has been stolen as part of a cyber-attack, then you are entitled to compensation if the breach has caused 'material or non-material damage.'

Of course, if the data breach was minor, the company from whom the data was stolen will argue that no damage was actually caused by the breach.

For expert advice, This is Money spoke to Charlotte Hill, partner and solicitor advocate at law firm Penningtons Manches Cooper to find out what to do if you have had your data stolen, and if you are entitled to compensation.

How to report a data breach

Charlotte Hill says obtaining legal advice can help to establish if you have basis for a compensation claim

Charlotte Hill says obtaining legal advice can help to establish if you have basis for a compensation claim

Charlotte Hill replies: If you are the victim of a cyber-attack and you suspect that your personal data has been stolen, you ought to report the crime to Action Fraud – the UK's national reporting centre for fraud and cybercrime. 

The report will be assessed by the National Fraud Intelligence Bureau who should notify you within 28 days of their initial assessment.

Typically, the NFIB will either refer the matter to your local police force for investigation (as you can no longer report it to them directly), or they will advise you that no further action will be taken. 

Even if no action is taken, the report will remain on file, which means that it will be used to help continue to build a national intelligence picture and to create campaigns to raise awareness of high-risk fraud types.

The NFIB can also shut down bank accounts, websites and phone numbers which are used by fraudsters. 

Unless the police are asked to investigate your report, however, unfortunately there is no further recourse for you via this avenue and Action Fraud cannot assist in the recovery of any stolen funds or compensation.

Personal data (such as addresses, national insurance numbers, bank details, and other details which can be used to identify a person including those from identity documents) must, amongst other things, be processed in a manner that ensures appropriate security of that data, including protection against unauthorised or unlawful processing in accordance with UK data protection laws.

If the victim's former employer believes that their employees' personal data has been stolen, the employer is obliged to report the personal data breach to the Information Commissioner's Office within 72 hours of learning of the breach, unless such a breach is unlikely to result in a risk to the rights and freedoms of the victims.

The employer is also required to report the data breach to the victims without undue delay. 

The ICO will then investigate the breach and has the power to fine data controllers for the breach. 

Individuals can also make reports to the ICO if they are not happy with the organisation's response to any concerns about the breach, or if they fail to respond to such correspondence within a month. 

The ICO cannot award compensation for victims, however. 

Can I get compensation after a data breach?  

Victims can seek compensation from an organisation if they have suffered damage as a result of it breaking data protection laws. 

This compensation can be for both material damage, such as the loss of money, and also non-material damage, such as from suffering distress.

It may be that the organisation will agree to pay compensation to the victims without having to go to court but, if the organisation does not agree to pay any compensation or the victim does not consider the payment to be sufficient, the victim's next step would be to make a claim to court.

Obtaining early legal advice in such a scenario is key to consider the merits of any such claim – we often advise victims who have been offered compensation from organisations before they decide whether to accept it or to pursue the organisation via the court. 

It is quite common now for individuals to team up to form what is known as a 'group action' to collectively pursue an organisation for a data breach to make the claim more cost-efficient and effective.

How to protect your money if your data is stolen 

The organisation might well be able to confirm what documents or data was stolen, but their investigations into the breach will likely take a considerable amount of time and it may not be able to confirm exactly what was taken, but only which servers or folders were compromised.

If in doubt, however, it is recommended that victims report the details of all documents which they think might have been stolen, such as passports and driving licences or bank card numbers, to the organisation that issued them. 

They should also inform their bank or building society and any credit card companies of their concerns and arrange for new cards to be issued to them, while reporting any usual transactions on their statements.

Victims should be extra vigilant for any suspicious emails, text messages or websites which could have been engineered to obtain any missing personal data to allow the fraudsters to access their accounts. 

Using software to help detect suspicious activity should not constitute an offer of compensation

Passwords should be changed to new, strong passwords to protect any accounts.

Victims can also contact the UK's Fraud Prevention Service, Cifas, for protective registration which places a warning flag against the victim's name on the National Fraud Database. 

This will then tell any organisation that uses Cifas information to pay special attention when the victim's details are used to apply for their products or services.

Typically, the offer of using software to help detect suspicious activity should not constitute an offer of compensation, but the employer may be offering this in the absence of a payment and so it would be prudent to check the position with them and carefully consider the offer in detail before accepting or refusing it. 

The victim should be careful not to agree to compromise any and all potential claims against the employer, as this could then prevent any claim via the courts.