
Data breaches: will you back our call for redress?


Hardly a week goes by without news of another data breach. And today we have more news on the scale of Equifax’s data breach. So what should we do about it?

Last week, Yahoo revealed that it had been the victim of the largest data breach in history, with hackers able to gain access to information from up to three billion Yahoo accounts.

That’s nearly half the population of the world, and even though it’s likely that some individuals will own more than one of those accounts and many will be dormant, it will still be many hundreds of millions of people that are affected.

And now we have the latest details in the ongoing Equifax breach, in which over 690,000 people’s phone numbers, email addresses, driving licence numbers, Equifax membership details and passwords were compromised in a cyber-attack. That’s in addition to 14.5 million records where only names and dates of birth were made vulnerable.

Equifax breach

Equifax has confirmed that it will be writing to all of the victims – assuming that it has up-to-date details. It will be offering free access to its identity protection service, Equifax Protect, to those who had their email addresses, driving licence number or online membership details compromised. Those who had their phone number accessed will be offered a leading identity monitoring service for free.

People are understandably concerned that when they hand their personal information over to a company, that company will keep it safe. However, as we’ve seen, this isn’t always the case.

If you were a victim of a serious data breach which meant your personal information was available for others to see, what would you do?

Data breaches

While the law is clear that you have the right to seek redress from the company that has lost or misused your data, actually getting redress is another matter.

In the first instance you could go to the company, but if the offer isn’t good enough or it doesn’t offer anything at all, where do you go?

You might expect there to be some sort of ombudsman or even the regulator to intervene on your behalf. But for victims of data breaches, the current system means the next step is to take the company to court yourself. For many, this would signal the end of any redress claim.

The fact that you need to go to court is a practical barrier, as understandably most are reluctant to become embroiled in a potentially lengthy and costly legal process.

And in some cases, you may not even know exactly where your data was lost and will struggle to build the evidence needed. In the case of Equifax, many of those affected will have no idea their data has been lost until the letter comes through the door – this could simply be because they don’t recall using the service, or because a credit check was run on them by a different company.

Collective redress

When there’s a data breach we believe people should have better ways to access their right to get redress.

Where a significant breach involving lots of people has taken place, we think the most appropriate way to get redress would be to allow independent organisations acting in the public interest to take action collectively on behalf of all people who have been affected.

Collective redress doesn’t just improve the process; it also cuts costs and court time and makes it easier for businesses, as all claims are dealt with at once. Companies that treat their customers fairly when things go wrong have absolutely nothing to fear and much to gain from an effective redress regime.

This collective redress action is something that we want the government to introduce for data breaches through the new Data Protection Bill. We want the government to amend the Bill to enable organisations, like Which?, to take action on behalf of all consumers.

Has your data been lost before? Would you be prepared to take a company to court if your data had been lost?

Ian says:

Well, the number of laptops containing important details and information left on trains and in taxis by civil servants in the MOD, DSS and many other government departments suggests little will ever be done about private companies.

And in a sense all your important data is already available: credit card information, addresses, phone numbers – many companies already have this data and more, and the government has all of it. While I believe it’s a good idea to develop the class action system here, I suspect the genie is long out of the bottle.

bishbut says:
12 October 2017

If you do not want your data breached or your computer stolen or hacked, just STOP using all modern technology and revert to what you had to do before the computer age. You could do that yourself, but the people (companies) will still store everything they get from you on a computer. They think and hope everything is secure, but many people (even a non-expert like me) know no modern technology is ever 100% secure. At the moment hackers etc. are still winning against those trying to make things 100% secure. Every new “secure” method is soon overcome by someone.

malcolm r says:

Unless your data is subsequently misused, you won’t suffer a loss. And how would you prove, given how many companies and institutions hold your personal data, that the particular one was responsible for any loss?

Redress / compensation is designed to cover a definable loss so simply giving money to individuals is not redress but a penalty charge. A universal charge of any substance on many companies might well bankrupt them, and on public institutions like the NHS or government departments would simply either come out of the taxpayer’s pocket or cut their services – to our general detriment.

How do you deal with companies outside our jurisdiction – social media companies for example where some willingly deposit far too much personal information?

I’d like to see companies that hold data encouraged to practise sensible security (if they do not already), but as bishbut says nothing is 100% – like bank scams. And perhaps individuals who take data out of their workplace and leave it on public transport might be dealt with more appropriately.

duncan lucas says:

I keep bringing this up to – again – complete avoidance. I get up-to-the-minute emails from America on it. I am fed up reiterating what I already posted, as I am told – no expression of technical stuff here (yet others can do it) – so I will keep it SIMPLE. Want to stop all this???? Then stop leaving back-doors in all our data which is sent to the USA, where it’s used by third parties and hackers have as easy a time hacking it all as they have Windows 10. Government snooping is rife in the UK/USA, but the UK is now worse than the USA with its draconian snooping policies, a new version just being introduced making us the number one country on the “Snooperbility” of Nations all-time greatest list. Remove back-doors, stop the snoopers/hackers (both the same). “Terrorists” – guess who paid for them in the first place, no, not who you think – and now used as an excuse to condemn this country to having our internet restricted on political websites so you can only reach pro US/UK ones. Information Retrieval in action – 2017. As bishbut rightly says – sticking plaster over cracks (but really enormous ravines).

duncan lucas says:

You have to hand it to the Americans – no 1 year later finding out about data breaches. Found a USA website specializing in medical breaches of patient data. No old data this: 12 October 2017 latest breach. Company called HealthIT security (USA) – Amazon S3 repository with 150,000 patients’ records + 316,363 weekly blood tests attempt (they haven’t admitted they were hacked) – 5th October ransomware attack – Arkansas – this got through, and a long list of other attacks, but that’s not all: 73% of medical professionals share passwords for EHR access. The problem: OUR data is sent to the US and their servers. Another US good informational website lists not only Equifax but the Buckle breach in June, Cloud Pets breach, Arby’s breach, E-Sports Entertainment Association breach, Yahoo, FriendFinder Network breach, Kimpton Hotels + Restaurants breach, Cici’s breach, Omni Hotels + Resorts breach, and that’s only Page ONE. Many of you will not recognise them, but think on: if US websites are being hacked and we use US software and systems, no wonder the scammers know so much about us. For my critics I have many more non-disputable websites if you want. I really admire US informational honesty and freedom compared to the UK.


Without redress there will be no improvement. Why shouldn’t a person be compensated by companies who do not apply a duty of care to data?

malcolm r says:

Compensation covers definable loss. Other redress will be as goodwill or penalty charges. Our water supply was interrupted without the requisite 48 hours’ warning. Under their customer guarantee scheme we have £30 credited to our account, even though our loss was £1.50 for 4 bottles of water and the fuel to get to the shop.

alfa says:

There needs to be serious jail-time for anyone caught stealing data. Buying and selling of personal data also needs to be made illegal with serious consequences and this should include anyone using stolen or bought data.

peter t says:

The trouble with companies like Equifax, Experian et al is that they have somehow managed to get themselves appointed as the arbiters of our financial lives. I don’t recall them being voted for or even asking me if I wished them to be the final arbiter in a decision as to whether I can have a loan, credit card, mortgage etc. But of course when you apply for any of these products you have to agree to a credit search with these companies or you won’t get what you want.

Experian even charges to tell you whether your details are out there on the net for sale. What a wonderful wheeze: don’t worry too much about losing the data that you have so assiduously acquired, because if you lose it you can always charge us to find out whether we were one of the victims!

My wife had a completely false black mark on her credit score and, despite the company responsible for the information giving her written confirmation that they had it wrong and despite untold letters, emails and phone conversations, in the end the only way it was removed was by the five-year time limit being passed.

The FCA needs to come down on these organisations very hard indeed. If these companies want to exert that amount of power and control over our lives, then they have to be absolutely beyond reproach and suffer serious financial penalties commensurate with their profits if they get it wrong, because hitting their bottom line is the only thing that these companies understand, as they appear to be completely amoral.

Ania says:
15 October 2017

Any company storing personal data should be liable for not keeping it secure enough. They have a duty of care and it is their responsibility to protect it, especially as for some this could mean potentially having their credit score severely affected.