
Do you know what to do if your data’s been compromised?

Data breach victims seeking compensation are often faced with difficult choices when pursuing claims. Would you know how to proceed?

A member got in touch with the Which? Money Helpline after their local council suffered a cyberattack towards the end of 2020. They’d then seen an advert on their Facebook feed from a firm suggesting they can use it to claim compensation for the data breach.

But can ads like that really be trusted?

Data breaches, where companies lose or alter our data without permission, are a growing problem. We’ve highlighted in the past that personal details such as names and credit card details stolen from breaches are sold on the dark web and used by scammers.

In the case of this local council, the disruption caused to essential online services led to a number of property purchases falling through, and extra costs for those affected. But people are right to be sceptical of adverts like this, which could have been posted by criminals looking to collect personal details.

You can check the firm is on the Solicitors Register and make sure the website address listed there matches the website the advert is leading you to. Be aware, however, that even genuine ‘no-win, no-fee’ firms can take a hefty cut of any compensation you may receive.

General Data Protection Regulation

The General Data Protection Regulation (GDPR), part of the Data Protection Act 2018, gives you a right to claim compensation from an organisation if you have suffered damage (financial or distress) as a result of it breaking data protection law.

But before taking your council to the small claims court, you should approach it directly and request compensation. You may also wish to seek a judgment from the Information Commissioner’s Office (ICO) over whether your council broke the law.

The ICO can’t award compensation but a judgment in your favour could make your court case more likely to succeed. You can find our guide to the small claims court, and a costs calculator, here.

Difficult choices

Data breach victims seeking compensation are faced with a difficult choice: hand over much of your compensation to a claims firm, or put in a lot of legwork yourself. That’s why we want not-for-profit organisations, such as Which?, to be able to bring collective redress actions to court on behalf of people on an ‘opt out’ basis.

This would avoid individuals having to shoulder the cost and responsibility themselves. If companies knew that a breach was likely to result in a major legal claim against them, they would be incentivised to better protect our data, reducing the chance of a breach happening in the first place.

Has your data ever been involved in a breach? How did you deal with the situation?

Helping our members

Did you know about Which? Money Helpline? It’s staffed by financial experts with more than 100 years’ experience in the financial services industry between them.

Members can ask us questions about a range of personal finance subjects, and there are no limits to the number of calls you and your family can make, or the length of time you can spend talking to us.

What the Which? Money Helpline can help you with
  • Banking
  • Borrowing – credit cards and loans
  • Car, home and travel insurance
  • Equity release
  • Investments
  • Long-term care
  • Mortgages
  • Pensions
  • Protection insurance
  • Savings and Isas
  • Tax
  • Wills/probate/trusts
(We do not offer regulated financial advice.)

Which? members with a Which? Money subscription can call the helpline on 029 2267 0001.


This appalling situation raises the question, how can a council, or any organisation, or company or institution be breaking the law if the law is not in force? In other words, how can they be breaking the law by breaching our trust by not using strong enough data security if the existing laws don’t require it? That’s why, like I’ve said so many times on the forums, we need top-of-the-range, maximum-security end-to-end encryption to be made absolutely compulsory for all those who we have to trust with our sensitive personal information, because at the moment it looks like there are far too many loose, slack, casual, blasé attitudes out there and cutting of every possible corner. But then I suppose it all comes down to cost; all that extra security is costly, just like having extra strong doors and windows and locks on our homes, as well as 4K ultra HD digital CCTV and monitored alarms etc. But something has to be done, as the current situation is far too insecure and it’s an outrageous breach of our trust with all too often appalling consequences, especially for the most vulnerable in our society.

Only just seen this – my bad.

The website https://haveibeenpwned.com/ can provide a useful heads up for leaks from one’s email address that might be out there.