I recently received an email from a company I worked for, saying that there has been a cyber attack and that my personal and financial information may have been compromised.
I’ve talked to some former colleagues about this and we have a lot of questions.
Is it possible for us to discover what information, if any, hackers have stolen about each of us personally? The email said it could have included pay slips (i.e. addresses and national insurance numbers), bank details, copies of passports and driving licences, which seems serious.
And what should we do to protect ourselves? Most of us have changed our online banking passwords, but what else?
I have read that it is possible to obtain compensation. How does it work?
The company has also offered us a free 12-month subscription to a “web and credit monitoring” service that apparently helps detect any suspicious activity.
If we accepted that, would it affect any right to compensation? L.C., London
Data breach: Hackers attack companies to steal sensitive information about their employees that they can then sell to other criminals on the dark web.
This is Money’s Harvey Dorset responds: Unfortunately, given the increasingly digital world we live in, data breaches are increasingly common and have grown almost continuously since the early 2000s.
Last year, there were 7.78 million cyber attacks against UK businesses, with half of British businesses suffering a cyber attack.
Criminals often attack companies and steal their data and, in most cases, proceed to sell said data on the dark web.
Stolen data can include customer records, employee details and financial data.
Criminals use this data to commit identity theft, account takeover, and phishing attacks.
Under GDPR rules in the UK, companies that have suffered a data breach must notify people whose data is at risk as a result.
If your data has been stolen as part of a cyber attack, then you are entitled to compensation if the breach has caused “material or non-material damage.”
Of course, if the data breach was minor, the company whose data was stolen will argue that the breach did not cause any harm.
For expert advice, This is Money spoke to Charlotte Hill, partner and defense lawyer at law firm Penningtons Manches Cooper, to find out what to do if your data is stolen and whether you are entitled to compensation.
How to report a data breach
Charlotte Hill says getting legal advice can help establish whether you have a basis for a compensation claim
Charlotte Hill responds: If you are the victim of a cyber attack and suspect that your personal data has been stolen, you should report the crime to Action Fraud, the UK’s national fraud and cyber crime reporting centre.
The report will be evaluated by the National Fraud Intelligence Office, who must notify you within 28 days of its initial evaluation.
The NFIB will usually refer the matter to local police for investigation (as you can no longer report it directly) or they will inform you that no further action will be taken.
Even if no action is taken, the report will remain archived, meaning it will be used to help continue building a national intelligence picture and create campaigns to raise awareness about high-risk types of fraud.
The NFIB can also close bank accounts, websites and phone numbers used by scammers.
However, unless the police are asked to investigate your report, unfortunately there is no further recourse for you through this route and Action Fraud cannot help recover stolen funds or compensate you for them.
Personal data (such as addresses, social security numbers, bank details and other data that can be used to identify an individual, including identification documents) must, among other things, be processed in a way that ensures adequate security of that data, including protection against unauthorized or unlawful processing under UK data protection laws.
If the victim’s former employer believes that its employees’ personal data has been stolen, the employer is required to report the personal data breach to the Information Commissioner’s Office within 72 hours of becoming aware of the breach, unless such violation is unlikely to result in a risk to the rights and freedoms of the victims.
The employer is also required to inform victims of the data breach without undue delay.
The ICO will then investigate the breach and has the power to fine data controllers for the breach.
Individuals can also make reports to the ICO if they are dissatisfied with the organisation’s response to any infringement concerns, or if they do not respond to such correspondence within one month.
However, the ICO cannot award compensation to victims.
Can I get compensation after a data breach?
Victims can seek compensation from an organization if they have suffered harm as a result of breaching data protection laws.
This compensation can be for material damage, such as loss of money, as well as for moral damage, such as suffering anguish.
The organization may agree to pay compensation to victims without having to go to court, but if the organization does not agree to pay any compensation or the victim does not consider the payment to be sufficient, the victim’s next step would be to file a claim before the courts.
Obtaining legal advice early in such a scenario is key to considering the merits of any such claim; we often advise victims who have been offered compensation by organizations before they decide whether to accept it or pursue the organization through the courts.
It is now quite common for individuals to band together to form what is known as a “group action” to collectively pursue an organization for a data breach and make the claim more cost-effective and effective.
How to protect your money if your data is stolen
The organization may be able to confirm what documents or data was stolen, but its investigations into the breach will likely take a considerable amount of time and it may not be able to confirm exactly what was stolen, only which servers or folders were compromised.
However, if in doubt, it is recommended that victims inform the issuing organization of the details of any documents they believe may have been stolen, such as passports and driving licenses or bank card numbers.
They should also inform their bank or building society and any credit card companies of their concerns and arrange for new cards to be issued, while reporting any regular transactions on their statements.
Victims should be especially vigilant for any suspicious emails, text messages, or websites that may have been designed to obtain missing personal data to allow scammers to access their accounts.
The use of software to help detect suspicious activity should not constitute an offer of compensation.
Passwords should be changed to new, strong passwords to protect accounts.
Victims can also contact the UK Fraud Prevention Service, Cifas, to obtain a protection record which places a warning flag next to the victim’s name in the National Fraud Database.
This will tell any organization using Cifas information to pay particular attention when victim data is used to solicit their products or services.
Generally, the offer to use software to help detect suspicious activity should not constitute an offer of compensation, but the employer may offer this in the absence of payment, so it would be wise to verify the position with them and carefully consider the offer in detail before accepting or rejecting it.
The victim should be careful not to commit to each and every potential claim against the employer, as this could prevent any claim in court.