/ Money

Data breaches: will you back our call for redress?


We’re calling on the government to use the Data Protection Bill to give independent bodies the power to take action with collective redress. Will you back our call?

Yahoo revealed recently that it had been the victim of the largest data breach in history, with hackers able to gain access to information from up to three billion Yahoo accounts.

That’s nearly half the population of the world, and even though it’s likely that some individuals will own more than one of those accounts and many will be dormant, it will still be many hundreds of millions of people that are affected.

Just a couple of weeks ago we had the news of the latest details in the on-going Equifax breach with over 690,000 people’s phone numbers, email address, driving licence numbers, Equifax membership details and passwords have been compromised in a cyber-attack. That’s in addition to 14.5 million records where only names and dates of birth were made vulnerable.

Equifax breach

Equifax has confirmed that it will be writing to all of the victims –  assuming that it has up-to-date details. It will be offering free access to its identity protection service, Equifax Protect, to those who had their email addresses, driving license number or online membership details compromised. And for those who had their phone number accessed will be offered a leading identity monitoring service for free.

People are understandably concerned that when they hand their personal information over to a company, that company will keep it safe. However, as we’ve seen, this isn’t always the case.

If you were a victim of a serious data breach which meant your personal information was available for others to see, what would you do?

Data breaches

While the law is clear that you have the right to seek redress from the company who has lost or misused your data; actually getting redress is another matter.

In the first instance you could go to the company, but if the offer isn’t good enough or it doesn’t offer anything at all, where do you go?

You might expect there to be some sort of ombudsman or even the regulator to intervene on your behalf. But for victims of data breaches, the current system means the next step is to take the company to court yourself. For many, this would signal the end of any redress claim.

The fact that you need to go to court is a practical barrier, as understandably most are reluctant to become embroiled in a potentially lengthy and costly legal process.

And in some cases, you may not even know exactly where your data was lost and will struggle to build the evidence needed. In the case of Equifax, many of those affected will have no idea their data has been lost until the letter comes through the door – this could be simply that they don’t recall using the service, but also if a credit check has been run on them by a different company.

Collective redress

When there’s a data breach we believe people should have better ways to access their right to get redress.

Where a significant breach involving lots of people has taken place, we think the most appropriate way to get redress would be to allow independent organisations acting in the public interest to take action collectively on behalf of all people who have been affected.

Collective redress doesn’t just improve the process, but it also cuts costs and court time and makes it easier for businesses as all claims are dealt with at once. Companies that treat their customers fairly when things go wrong have absolutely nothing to fear and much to gain from an effective redress regime.

This collective redress action is something that we want the government to introduce for data breaches through the new Data Protection Bill. We want the government to amend the Bill to enable organisations, like Which?, to take action on behalf of all consumers.

We need evidence to support our call on the government. Have you suffered a data breach? Would you be prepared to take a company to court if your data had been lost?

Share your experience


Well, the number of laptops containing important details and information left on trains and in taxis by civil servants in the MOD, DSS and many other government departments suggests little will ever be done about private companies.

And in a sense all your important data is already available: credit card information, addresses, ‘phone numbers – many companies already have this data and more and the government has all of it. While I believe it’s a good idea to develop the class action system here, I suspect the genie is long out of the bottle.

Mark Gillan says:
4 November 2017

The genie can always be put back in the bottle, always … where there is a will, there is a way.

We pay for mistakes when it involves money, so should the corporates for not keeping our data safe enough. Surely they should be forced to take out insurance if they haven’t already.

bishbut says:
12 October 2017

If you do not want your data breached or you computer stolen or hacked just STOP using all modern technology and revert to what you had to do before the computer age You could do that yourself but the people (companies) will still store everything they get from you on a computer They think and hope everything is secure but many people (even a non-expert like me ) Know no modern technology is ever 100% secure .At the moment hackers etc . are still winning against those trying to make things 100% secure Every new ” secure ” method is soon overcome by some one

ShellieToo says:
28 October 2017

Actually bishbut, even reverting to a pre-PC and internet age is not sufficient. In the case of Equifax and other credit check companies, they have astonishingly wide remit to collect and process your personal data without you even knowing it.

You have a contract with British Gas? Credit agencies know about it.
A bank account with anyone at all. Also in their database.
You own a car? Have a life insurance policy? A job, for that matter? All there.

That’s right: These private firms know exactly how much money you made last tax year. If you look for a new job, the HR department will insist on doing a credit check (relevant why?!?!), which will uncover all the above, if they pay enough money for it.

It’s all so discouraging. I could stop using the internet right now, turn in my smartphone, only trek across town to the one bank branch still open in my community so I can withdraw cash once a week to buy all my daily supplies, etc, and these data aggregators would *still* have a shocking amount of insight into who I am, how much I earn and what I do with my money. As Ian says above, the genie is long out of the bottle. Frankly I find it terrifying.


All that Shellie and Equifax was hacked recently in the USA and people wonder how their details are known . I remember fixing phones in two credit checking companies – well hidden- very tight security and looking at their very old computers then, I could see they knew all about your finances.


Unless your data is subsequently misused, you won’t suffer a loss. And how would you prove, given how many companies and institutions hold your personal data, that the particular one was responsible for any loss?

Redress / compensation is designed to cover a definable loss so simply giving money to individuals is not redress but a penalty charge. A universal charge of any substance on many companies might well bankrupt them, and on public institutions like the NHS or government departments would simply either come out of the taxpayer’s pocket or cut their services – to our general detriment.

How do you deal with companies outside our jurisdiction – social media companies for example where some willingly deposit far too much personal information?

I’d like to see companies that hold data encouraged to practice sensible security (if they do not already) but as bishbut says nothing is 100% – like bank scams. And perhaps individuals who take data out of their workplace and leave it on public transport might be dealt with more appropriately.


I keep bringing this up to–again-complete avoidance , I get up to the minute emails from America on it .I am fed up reiterating what I already posted > as I am told – no expression of technical stuff here( yet others can do it ) I will keep it SIMPLE . Want to stop all this ???? then stop leaving back-doors in all outr data which is sent to the USA where its used by third parties and hackers have as easy a time hacking it all as they have Windows 10 . Government snooping is rife in the UK/USA but the UK is now worse than the USA with its draconian snooping policies a new version just being introduced making us the number one country on the “Snooperbility ” of Nations all time greatest list. Remove back-doors stop the snoopers/hackers ( both the same ) “Terrorists ” guess who paid for them in the first place , no not who you think and now used as an excuse to condemn this country to having our internet restricted on political websites so you can only reach pro US/UK ones . Information Retrieval in action -2017.. AS Bishbut rightly says – sticking plaster over cracks ( but really enormous ravines).


You have to hand it to the Americans , no 1 year later finding out about data breaches found a USA website specializing in medical breaches of patient data . No old data this 12October -2017 latest breach .Company called HealthIT security (USA ) -Amazon S3 repository with 150,000 patients records +316,363 weekly blood tests attempt ( they haven’t admitted they were hacked ) -5th October ransomeware attack -Arkansas -this got through and a long list of other attacks but thats not all 73 % of medical professionals share passwords for EHR Access. The problem OUR data is sent to the US and their servers.Another US good informational website lists not only Equifax but -the Buckle Breach in June -Cloud Pets breach -Arby,s breach -E-Sports Entertainment Association breach -Yahoo- FriendFinderNetwork breach-KInpton Hotels +Restaurants breach -Cici,s breach–Omni Hotels+ Resorts breach and thats only Page ONE . Many of you will not recognise them but think on if US websites are being hacked and we use US software and systems no wonder the scammers know so much about us.. For my critics I have many more non-disputable websites if you want . I really admire US informational honesty and freedom compared to the UK.