Date: 2023-08-16

Data breaches are on the rise and they are a big business for criminals seeking to defraud you of your hard-earned cash.

The victim count of data breaches in 2022 was 422m, up from 268m the year before, according to the Identity Theft Resource Center.

The most recent high-profile breach to hit the headlines happened in Northern Ireland, where the personal details of more than 10,000 police employees were leaked – a particularly sensitive situation given NI’s recent history.

While most data breaches are not typically so sensitive, they are certainly common. And the data lost could still be used by criminals for scams.

Every day we freely hand over our email addresses and even passwords (do you really use a different password for every account?!) to websites and businesses, so unless you are very lucky you may well find that your data has been leaked at some point.

This can be alarming, as any release of your personal information could leave you vulnerable to identity theft. With enough of your data, hackers could try to access your bank accounts or break into your email and wreak havoc on your finances.

So, if you’re in this situation, what can you do about it – and might you be entitled to compensation?

What is a personal data breach?

“A personal data breach is any unauthorised use or access of your personal data,” says Richard Forrest of law firm Hayes Connor.

“Often that’s down to human error, or the fact that whoever was holding your data did not have the right procedures in place to retain it safely, and so that data then falls into the hands of a third party without your consent.”

Human errors that result in data breaches under GDPR law can be very simple. In fact, they are things many of us have done before, such as not checking hidden fields on spreadsheets before sharing them, or accidentally cc’ing all the recipients of an email rather than bcc’ing them.

However, personal data breaches may also occur as a result of hacks or other cybersecurity issues.

With some 83pc of businesses suffering attempted phishing hacks in 2022, it’s worth thinking carefully about which ones you trust with your information, and whether parting with it is really necessary.

How do I know if my data is at risk?

“If an organisation has suffered a cyberattack or an accidental breach, then it has a duty to inform people whose data has been impacted. Typically this means that they will send you an email explaining what exactly has been leaked from the data they held on you,” Mr Forrest says.

Data breaches don’t always come in the form of cyber crime or technical issues, however, and can instead be the result of a lack of GDPR training. “If your GP mistakenly posts your medical records to someone else instead of you, then they are under a duty to tell you so,” Mr Forrest explains.

Some email providers will alert users if their account passwords have been published online or may have fallen into the hands of criminals. Google, for example, has been known to email its users when it spots this has happened. It also has a password checkup service.

Cybersecurity companies such as McAfee can also tell you if your information has been spread on the open internet or on the dark web, a hidden part of the internet often used by fraudsters, although be aware that there will be a charge.

The website haveibeenpwned.com is a free and simple option. Put in your email address and it will tell you whether it has been compromised and when.

Do I have to report a data breach?

It is not your responsibility to report any data breaches. The company that has lost your data should do this by referring itself to the Information Commissioner’s Office (ICO).

But, while you are not responsible, you may wish to refer it yourself, particularly if the organisation has not handled the breach well, says Sean Humber of Leigh Day, a law firm.

“A company or body which has suffered a serious data breach is required to refer the issue to the Office within 72 hours,” Mr Humber says.

“However, it can be hit and miss when it comes to what they investigate, and what they investigate well.

“It can be worth contacting the ICO to ask for confirmation that they are looking into the breach. You can also let them know that you have been affected and ask to be kept in the loop.”

If you think that your data has been used maliciously or that your bank account may have been compromised, you should contact Action Fraud, the police fraud reporting service.

How do I report a data breach?

If you wish to make a report to the ICO, you can do so online – but the onus is on the organisation that is responsible for the data breach, not on you.

To complain to the ICO about how your data has been processed or handled, you must fill out the ICO’s online form and provide correspondence about the issue and any other supporting evidence.

However, you should give the organisation concerned “the chance to sort things out” before making a complaint to the ICO, its website says.

What do I do if my data is compromised?

“Depending on the data that was breached, you may want to consider changing your online account passwords,” says Mr Forrest.

“You should also be extra vigilant when receiving calls or emails from sources you don’t recognise, and it may be best to treat any contact from people you don’t know as potentially fraudulent for some time.”

He added: “You may also wish to contact your bank to put a marker on your account, to increase the chances that any attempt to breach your account will be stopped.

“The organisation responsible should also provide you with guidance around what to do depending on the data leaked, and it is important to read that carefully.”

It could be a good idea to invest in a credit monitoring service which would notify you if anyone tried to take out a loan in your name, he said. Organisations that have lost customer data often offer this service for free.

“Things like changing your passwords frequently and making sure that you don’t use the same password for all of your accounts can be helpful too,” he added.

Can I claim any compensation?

If a data breach affecting you has been caused by a cybersecurity attack, and the organisation involved has taken all the measures it can to protect your information, then you may not have grounds to claim compensation.

However, a majority of personal data breach cases are caused by human error. “If an organisation has failed to take appropriate measures to protect your data, then you’ll have a claim under the general data protection act,” Mr Humber explains.

“In extreme cases such as with what has happened in Northern Ireland, you may have a claim under human rights law if the breach has violated your right to private life.”

He added: “The amount you win will likely not be life changing, but in a situation where the information is particularly sensitive, you may expect to win thousands of pounds in compensation.”

