
Data Breach Compensation and Claims

All organisations that hold personal information about individuals have a responsibility to keep this information safe.
If the organisation discloses this information to someone else without the person’s permission, this is known as a data breach.
Data breaches can occur:
  • If someone from the organisation deliberately shares confidential information with others without the person’s knowledge
  • When a successful cyber-attack or hack leads to a criminal gaining unauthorised access to the information. This is usually due to organisations failing to have adequate security measures in place to prevent the attack.
Each year, the Information Commissioner’s Office (I.C.O.), the UK's independent body set up to uphold information rights, issues fines totalling many millions of pounds against organisations for failing to keep people’s personal information safe.
While some breaches affect only one person, other data protection breaches may affect millions of people and can make the national news. Some recent high-profile examples include:
  • Over nine million EasyJet customers had their personal details hacked as a result of a cyber-attack;
  • Over 100 TalkTalk customers had their personal information hacked in a series of data breaches suffered by TalkTalk in 2014 and 2015;
  • Over three million mobile phone customers’ personal details were hacked as a result of a successful cyber-attack of Carphone Warehouse’s IT system in 2015.
If a cyber-attack or hack has compromised your personal data, you may be entitled to data breach compensation. This can cover the loss of control over this information together with any anxiety and distress suffered and any financial losses incurred.

Ready to talk? Talk to one of our specialist data protection solicitors about your case. Call 020 8038 9412 or email postbox@leighday.co.uk.

What is a data breach?

A data breach happens when unauthorised people access private information, or it is released into an uncontrolled environment (such as online)[1].
Data protection breach examples include:
  • The names and home addresses of customers appearing on a public website;
  • Bank details (including account number and sort code) being stolen in a cyber-attack and then used for fraud or identity theft;
  • Names of those signed up to sensitive websites, like dating sites, being disclosed;
  • A letter containing somebody’s medical details being sent to the wrong postal or email address;
  • Somebody’s personal details being included in a group email. 
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 [2] are the main laws that strictly control how your personal information can be used by organisations, businesses or the government.

What can cause a data breach?

There are many different types of data breach. Some can be deliberate. For example, a disgruntled member of staff at a company can leak personal information to others without the individual’s knowledge or consent.
In other cases, the breach can happen unintentionally. For example, a business may suffer a successful cyber-attack on its customers’ personal information as a result of inadequate security, or a hospital may send a letter containing confidential medical information to the wrong address.

The impact of a data breach

The loss of personal information as a result of a data breach can have a significant emotional and financial impact on the victim. The loss can cause anxiety and distress due to concerns about how the personal information could now be used. It can also cause considerable inconvenience, as the victim must urgently take steps to try to minimise the risks posed by the breach. In some cases, especially where financial information is stolen in a breach, it can lead to fraud, identity theft and loss of money. For all of these reasons, victims should apply for data breach compensation.
Three important examples of serious data breaches are:
  • EasyJet: In one of the UK’s largest ever data breaches, EasyJet announced in May 2020 that the personal details of over nine million customers had been hacked as a result of a cyber-attack.
  • Carphone Warehouse: Over three million mobile phone customers’ personal details were hacked as a result of a successful cyber-attack of Carphone Warehouse’s IT system in 2015. The firm were fined £400,000 by the I.C.O. for the breach.
  • TalkTalk: Over a hundred TalkTalk customers had their personal information hacked in a series of data breaches suffered by TalkTalk in 2014 and 2015.

How can I find out if my data was stolen?

Organisations often hold a huge amount of data about their customers - from confidential information such as names and addresses to financial data like credit card and bank details.
Under the GDPR[3], a company is obligated to inform both you and the I.C.O. without delay if there is a serious data breach affecting your personal information. They should explain:
  • The likely consequences of the data breach
  • Measures taken or in place to tackle the breach and any adverse effects
  • Who their data protection officer is and their contact details
If you think your personal data may have been disclosed as a result of a data breach but have not been informed by the organisation from whom information was taken, contact them directly. They should then tell you whether your personal data has been disclosed as a result of a data breach.
Contact Leigh Day if you believe a breach has involved your personal data, but the company in question have not notified you. Our data breach solicitors can investigate your concerns and assess whether you have a viable claim for compensation.

Making a data breach claim

Get in touch with our specialist data protection solicitors to start your compensation claim for financial loss and/or emotional distress caused by a data breach.
  • Call 020 8038 9412 for a free initial consultation
  • Email postbox@leighday.co.uk and someone will respond soon
One of our specialist data protection, privacy and information law experts will listen to your case. If we believe you have a claim, the first step may be to complain directly to the company responsible. This can be the quickest way to settle a data breach claim, should the organisation accept they were at fault.
Reporting the data breach to the I.C.O.
If you have been a victim of a data breach, you may also wish to complain to the I.C.O.[4], which, as the UK's independent body set up to uphold the public’s information rights, is able to investigate the matter and fine the organisation. It can’t award compensation to those affected, but its actions, including any reports it produces as part of its investigations and findings that the organisation has not complied with the law, may help support your case.

Compensation for data breaches

The amount of compensation you’ll receive if you’re the victim of a data breach depends on the exact circumstances relating to the breach, including:
  • Sensitivity of the data stolen;
  • How many people accessed your data;
  • Length of time between the breach occurring and being informed;
  • How long unauthorised access to the data was / is available;
  • Anxiety and emotional distress encountered;
  • Any financial losses experienced.
You could receive compensation for the loss of control over the information even if you suffered no financial loss. As stated above, the I.C.O. can issue fines to organisations for breaching the GDPR and / or Data Protection Act 2018. However, the fines are distinct from any compensation that can be claimed by victims of data breaches. The I.C.O.'s findings that an organisation has not complied with the law, usually after a lengthy investigation, can be helpful in support of a claim for compensation too.

Why choose Leigh Day?

Our human rights department has more than 20 years’ experience working across the field of data protection and privacy.
With the constant updates to how individuals and businesses use personal information and data, we keep on top of changes to information and data protection law to best advise our clients. We have brought successful compensation claims in cases where others wrongly accessed clients’ personal, medical and financial information.
“Sean Humber has a broad human rights and civil liberties practice and is particularly recognised for his work in prison law. He has vast levels of experience with a wide knowledge base which he draws on creatively to achieve the best outcomes for his clients,” reports a source. – Chambers and Partners 2018
Partner Sean Humber has a vast level of experience in privacy, data breach and information law. He has achieved settlements in cases where confidential information was disclosed deliberately or accidentally without a person’s consent or knowledge. These include claims against a range of companies, the police, local authorities and the NHS.
Partner Gene Matthews has almost 20 years of experience bringing group claims (multiple party actions) on behalf of clients against multi-national companies and actions against the Government.
To discuss your data protection claim and apply for compensation, contact Leigh Day by phoning 020 8038 9412 or email postbox@leighday.co.uk.

Data breach FAQs 

What is the punishment for breaching the General Data Protection Regulation / Data Protection Act 2018?

Breaching the law can result in a fine for the organisation responsible. The amount depends on the circumstances of the case, up to a maximum of €20 million or 4% of total annual worldwide turnover in the preceding financial year (whichever is higher).

How quickly must an organisation report a data breach?

Organisations must report a data breach to the I.C.O., as the relevant authority, without undue delay and no later than 72 hours after being made aware of it[5]. Any longer than this and they must give reasons for the delay. The organisation is also obligated to tell its affected customers without undue delay when there is a data breach affecting their personal information. Often, when an organisation contacts somebody affected by the data breach, it will also say that it has reported the matter to the I.C.O.
