
Data breaches: will you back our call for redress?


We’re calling on the government to use the Data Protection Bill to give independent bodies the power to take action with collective redress. Will you back our call?

Yahoo revealed recently that it had been the victim of the largest data breach in history, with hackers able to gain access to information from up to three billion Yahoo accounts.

That’s nearly half the population of the world, and even though some individuals will own more than one of those accounts and many will be dormant, many hundreds of millions of people will still be affected.

Just a couple of weeks ago we had the latest details of the on-going Equifax breach: over 690,000 people’s phone numbers, email addresses, driving licence numbers, Equifax membership details and passwords were compromised in a cyber-attack. That’s in addition to 14.5 million records where only names and dates of birth were exposed.

Equifax breach

Equifax has confirmed that it will be writing to all of the victims – assuming that it has up-to-date details. It will be offering free access to its identity protection service, Equifax Protect, to those who had their email addresses, driving licence number or online membership details compromised. Those who had their phone number accessed will be offered a leading identity monitoring service for free.

People are understandably concerned that when they hand their personal information over to a company, that company will keep it safe. However, as we’ve seen, this isn’t always the case.

If you were a victim of a serious data breach which meant your personal information was available for others to see, what would you do?

Data breaches

While the law is clear that you have the right to seek redress from the company that has lost or misused your data, actually getting redress is another matter.

In the first instance you could go to the company, but if the offer isn’t good enough or it doesn’t offer anything at all, where do you go?

You might expect there to be some sort of ombudsman or even the regulator to intervene on your behalf. But for victims of data breaches, the current system means the next step is to take the company to court yourself. For many, this would signal the end of any redress claim.

The fact that you need to go to court is a practical barrier, as understandably most are reluctant to become embroiled in a potentially lengthy and costly legal process.

And in some cases you may not even know exactly where your data was lost, and will struggle to build the evidence needed. In the case of Equifax, many of those affected will have no idea their data has been lost until the letter comes through the door. This could be simply because they don’t recall using the service, but it could also be because a credit check was run on them by a different company, so they never dealt with Equifax directly at all.

Collective redress

When there’s a data breach we believe people should have better ways to access their right to get redress.

Where a significant breach involving lots of people has taken place, we think the most appropriate way to get redress would be to allow independent organisations acting in the public interest to take action collectively on behalf of all people who have been affected.

Collective redress doesn’t just improve the process; it also cuts costs and court time, and makes it easier for businesses as all claims are dealt with at once. Companies that treat their customers fairly when things go wrong have absolutely nothing to fear and much to gain from an effective redress regime.

This collective redress action is something that we want the government to introduce for data breaches through the new Data Protection Bill. We want the government to amend the Bill to enable organisations, like Which?, to take action on behalf of all consumers.

We need evidence to support our call on the government. Have you suffered a data breach? Would you be prepared to take a company to court if your data had been lost?

Share your experience


Well, the number of laptops containing important details and information left on trains and in taxis by civil servants in the MOD, DSS and many other government departments suggests little will ever be done about private companies.

And in a sense all your important data is already available: credit card information, addresses, ‘phone numbers – many companies already have this data and more and the government has all of it. While I believe it’s a good idea to develop the class action system here, I suspect the genie is long out of the bottle.

Mark Gillan says:
4 November 2017

The genie can always be put back in the bottle, always … where there is a will, there is a way.

We pay for mistakes when it involves money, so should the corporates for not keeping our data safe enough. Surely they should be forced to take out insurance if they haven’t already.

If you do not want your data breached or your computer stolen or hacked, just STOP using all modern technology and revert to what you had to do before the computer age. You could do that yourself, but the people (companies) will still store everything they get from you on a computer. They think and hope everything is secure, but many people (even a non-expert like me) know no modern technology is ever 100% secure. At the moment hackers etc. are still winning against those trying to make things 100% secure. Every new “secure” method is soon overcome by someone.

ShellieToo says:
28 October 2017

Actually bishbut, even reverting to a pre-PC and internet age is not sufficient. In the case of Equifax and other credit check companies, they have astonishingly wide remit to collect and process your personal data without you even knowing it.

You have a contract with British Gas? Credit agencies know about it.
A bank account with anyone at all. Also in their database.
You own a car? Have a life insurance policy? A job, for that matter? All there.

That’s right: These private firms know exactly how much money you made last tax year. If you look for a new job, the HR department will insist on doing a credit check (relevant why?!?!), which will uncover all the above, if they pay enough money for it.

It’s all so discouraging. I could stop using the internet right now, turn in my smartphone, only trek across town to the one bank branch still open in my community so I can withdraw cash once a week to buy all my daily supplies, etc, and these data aggregators would *still* have a shocking amount of insight into who I am, how much I earn and what I do with my money. As Ian says above, the genie is long out of the bottle. Frankly I find it terrifying.


Unless your data is subsequently misused, you won’t suffer a loss. And how would you prove, given how many companies and institutions hold your personal data, that the particular one was responsible for any loss?

Redress / compensation is designed to cover a definable loss so simply giving money to individuals is not redress but a penalty charge. A universal charge of any substance on many companies might well bankrupt them, and on public institutions like the NHS or government departments would simply either come out of the taxpayer’s pocket or cut their services – to our general detriment.

How do you deal with companies outside our jurisdiction – social media companies for example where some willingly deposit far too much personal information?

I’d like to see companies that hold data encouraged to practise sensible security (if they do not already), but as bishbut says nothing is 100% – like bank scams. And perhaps individuals who take data out of their workplace and leave it on public transport might be dealt with more appropriately.



Without redress there will be no improvement. Why shouldn’t a person be compensated by companies who do not apply a duty of care to data?

Compensation covers definable loss. Other redress will be as goodwill or penalty charges. Our water supply was interrupted without the requisite 48 hours’ warning. Under their customer guarantee scheme we have £30 credited to our account, even though our loss was £1.50 for 4 bottles of water and the fuel to get to the shop.

There needs to be serious jail-time for anyone caught stealing data. Buying and selling of personal data also needs to be made illegal with serious consequences and this should include anyone using stolen or bought data.

The trouble with companies like Equifax, Experian et al is that they have somehow managed to get themselves appointed as the arbiters of our financial lives. I don’t recall them being voted for or even asking me if I wished them to be the final arbiter in a decision as to whether I can have a loan, credit card, mortgage etc. But of course when you apply for any of these products you have to agree to a credit search with these companies or you won’t get what you want.

Experian even charges to tell you whether your details are out there on the net for sale. What a wonderful wheeze: don’t worry too much about losing the data that you have so assiduously acquired, because if you lose it you can always charge us to find out whether we were one of the victims!

My wife had a completely false black mark on her credit score, and despite the company responsible for the information giving her written confirmation that they had it wrong, and despite untold letters, emails and phone conversations, in the end the only way it was removed was by the five-year time limit being passed.

The FCA needs to come down on these organisations very hard indeed. If these companies want to exert that amount of power and control over our lives then they have to be absolutely beyond reproach and suffer serious financial penalties commensurate with their profits if they get it wrong, because hitting their bottom line is the only thing that these companies understand, as they appear to be completely amoral.

xtopher says:
7 December 2017

peter t, thank you very much for eloquently saying what I have been raging about these last few weeks; I too didn’t vote for Equifax, nor did they ask my permission. I want them to remove every digit of data about me because they are clearly (a) not fit for purpose and (b) operating with impunity. Damn them; I hope they are wiped off the face of the planet if the USA class action is successful.

Any company storing personal data should be liable for not keeping it secure enough. They have a duty of care and it is their responsibility to protect it, especially as for some this potentially means having their credit score severely affected.

It is your personal data; private companies should be liable for not keeping it secure enough. Also, what do the private companies want with so much personal data? To sell for a profit, that is wrong and completely

Sener says:
25 October 2017

It’s funny this has come up, because lately I have been really suspicious about eBay, Amazon, PayPal etc. sharing my personal information deceptively or without my permission or knowledge.

I suspect this because only just recently, say in the last 2 to 3 years, every time I try to sign in to eBay, Amazon, PayPal etc. I am forced to “confirm my identity”, and within the next few days I receive spam and promotional messages and occasional cold calls to my personal contact details.

Bottom line, I suspect that these companies are manipulating their customers in order to share and sell their personal information to third parties without their knowledge, and if my suspicions are correct then it’s only a matter of time before I and others become the victims of financial fraud. This is very worrying, but I don’t know how to prove it, nor do I know what to do about it.
Online shopping is a necessity to my life and family, but if this is a matter of professional betrayal of trust to the consumer then something must be done.


T O’Brien says:
7 November 2017

I received a letter asking me to call on a free number. I called it and there was no tone. I thought I’d been scammed. I checked my credit report with another trusted supplier. No change. I then realised this was probably a cold call trying to get me to sign up to Equifax products. Beware these unscrupulous people.


The UK Government is responsible for allowing Banks like Barclays to use external employees in India etc to run the bank in the UK. What were they thinking? Most phone calls that come to my landline are from abroad and they always want you to answer their marketing questions. They never give up calling and when you try to track their number it is always unavailable/ or withheld. How fair is that? Brexit should have happened before the privatisation of British Businesses even occurred, back in the 90s. Tony Blair’s government actually ruined everything, it made Britain vulnerable. It is too late now to correct anything because our details are all over the place, even our home addresses.

I was sent a letter from Equifax and immediately contacted Crime Watchers, who in turn asked me to contact both my bankers and a company called Action Fraud. They tell me that they are fully aware of Equifax and were pleased they were informed by me. I am a pensioner living off my meagre pension.

They said that if any other pensioner receives mail from this company Action Fraud would like to receive any information from them in a hope to stop these people from trying to con others who are, like me a pensioner or someone of low income.


The ongoing data breach involving Equifax and its primary and secondary customers is a prime example of the utter lack of impact the ICO and the FCA have on such issues. 700,000 UK citizens are confirmed as having suffered serious data breaches, with a potential impact on over 15M people. The breach was in May 17 at the latest and the ICO is still “asking” Equifax to inform the victims of their utter disregard for UK law. From the conversations I have had with the ICO and Equifax, they are in breach of a number of principles of the DPA, yet the ICO is doing nothing other than posting a pointless statement from an unidentified spokesperson – three paragraphs telling us they are monitoring the situation. Essentially, it looks like the data was held in the USA and, as the Data Controller is based in the USA, it is out of their jurisdiction. Whilst the USA takes Equifax to task, we can’t even get them to inform the victims.

The ICO is not fit for purpose, already telling businesses and fundraising sub-contractors that they can carry on with current breaches of the DPA even when GDPR is in play, and that if they get too many complaints about it they will simply give them advice and guidance on how to continue with the behaviour in a way that won’t result in legal prosecution. In the USA we have multi-billion $ class action lawsuits already commenced whilst the criminal investigation takes place. In the UK we have the ICO and FCA refusing to engage with or take information from the victims of Equifax, let alone actually represent the concerns of victims to Equifax. Class actions and lawsuits are the only way to force international and domestic businesses to get their data houses in order. Equifax are of course despicable in how they have dealt with UK citizens’ personal data.

However, what about all the banks, mobile phone companies, utilities companies, building societies, etc. that signed agreements with Equifax that allowed them to take UK citizens’ personal data over to the USA with a USA data controller, meaning it is outwith the jurisdiction of the ICO? Even now we have banks’ fraud departments advising people to contact Equifax and take up their offer of a free service that requires victims of Equifax to provide even more personal data to Equifax, who are still mid-criminal investigation. The ongoing treatment of the victims of Equifax, by Equifax, by the original data controllers that signed agreements with Equifax and by the ICO and the FCA is frankly disgusting. There should be a full UK criminal investigation. There should be an investigation into why banks, financial organisations, utilities companies, etc. signed agreements with Equifax without carrying out due diligence on how UK citizens’ data was being managed / protected. Any business that puts agreements with third parties in place that require the handling of personal data of UK citizens should be equally held liable for any data breaches in the partner companies’ systems. Only class actions and severe lawsuits will force companies to take consumer data protection seriously.

I am not panicking. I notice that Equifax offer protection if you give them details of your credit card and bank accounts. Not likely. They’ve done enough damage already.

I have just received my Equifax “breach letter” today, 24th January 2018, 9 months after the reported breach. As Jim above says, yes, they are now offering free Protection packages for those affected, but this involves giving even more personal information like bank account details, email addresses, 6 years of home addresses, mobile phone numbers, credit/debit card numbers! A hacker’s delight, all neatly rolled into one package. No thank you.