I recently received an email from a company I worked for stating that a cyber attack has occurred and that my personal and financial information may have been compromised.
I’ve talked to a number of former colleagues about this and we have a lot of questions.
Is it possible for us to find out what information, if any, the hackers stole about each of us personally? The email stated that it could contain pay slips (i.e. addresses and social security numbers), bank details, copies of passports and driver’s licenses, which seems serious.
And what should we do to protect ourselves? Most of us have changed our online banking passwords, but what else?
I have read that it is possible to get compensation, how does that work?
The company has also offered us a free twelve-month subscription to a ‘credit and web monitoring’ service that apparently helps flag suspicious activity.
If we were to accept that, would this have consequences for the right to compensation? LC, London
Data breach: Hackers target companies to steal sensitive information about their employees, which they can later sell to other criminals on the dark web
Harvey Dorset from This is Money replies: Unfortunately, given the increasingly digital world we live in, data breaches are becoming increasingly common and have increased almost continuously since the early 2000s.
Last year there were 7.78 million cyber attacks against UK businesses, with half of UK businesses experiencing a cyber attack.
Criminals often target companies and steal their data, and in most cases sell this data on the dark web.
Stolen data can include customer data, employee data and financial data.
Criminals use this data to commit identity theft, account takeovers, and phishing attacks.
Under GDPR rules in the UK, companies that have experienced a data breach are required to notify individuals whose data is at risk as a result.
If your data has been stolen as part of a cyber attack, you are entitled to compensation if the breach has caused ‘material or non-material damage’.
If the data breach was minor, the company whose data was stolen will of course argue that no actual damage was caused by the breach.
For expert advice, This is Money spoke to Charlotte Hill, partner and lawyer at law firm Penningtons Manches Cooper, to find out what to do if your data has been stolen and whether you are entitled to compensation.
This is how you report a data breach
Charlotte Hill says seeking legal advice can help determine whether you have a basis for a compensation claim
Charlotte Hill replies: If you are the victim of a cyber attack and you suspect your personal information has been stolen, you should report the crime to Action Fraud – the UK’s national fraud and cybercrime hotline.
The report will be reviewed by the National Fraud Intelligence Bureau, which must notify you within 28 days of the initial review.
Normally the NFIB will refer the matter to your local police for investigation (as you can no longer report the matter directly to them), or they will inform you that no further action will be taken.
Even if no action is taken, the report will remain on file, meaning it will be used to continue building a national intelligence picture and to create campaigns to raise awareness of high-risk types of fraud .
The NFIB can also close bank accounts, websites and phone numbers used by fraudsters.
Unless the police are asked to investigate your report, unfortunately there is no further recourse for you in this way and Action Fraud cannot assist in recovering stolen money or compensation.
Personal data (such as addresses, social security numbers, bank details and other data that can be used to identify a person, including data from identity documents) must, among other things, be processed in a manner that ensures appropriate security of that data, including protection against unauthorized or unlawful processing in accordance with the UK data protection law.
If the victim’s former employer believes that its employees’ personal data has been stolen, the employer is obliged to report the personal data breach to the Information Commissioner’s Office within 72 hours of becoming aware of the breach, unless it is unlikely that such a breach will result in a risk to the rights and freedoms of victims.
The employer is also obliged to report the data breach to the victims without delay.
The ICO will then investigate the breach and has the power to fine data controllers for the breach.
Individuals can also report to the ICO if they are unhappy with the organization’s response to any concerns about the breach, or if they do not respond to such correspondence within a month.
However, the ICO cannot award compensation to victims.
Can I receive compensation after a data breach?
Victims can claim compensation from an organization if they have suffered harm as a result of breaching data protection laws.
This compensation can concern both material damage, such as the loss of money, and non-material damage, such as suffering.
The organization may agree to pay compensation to the victims without having to go to court, but if the organization does not agree to pay any compensation or if the victim does not consider the payment to be sufficient, the The victim’s next step is to file a claim with the judge.
Obtaining early legal advice in such a scenario is critical to assessing the merits of such a claim. We often advise victims who have been offered compensation by organizations before deciding whether to accept it or pursue the organization through the courts.
It is now very common for individuals to band together to form a so-called ‘class action’, where they jointly sue an organization for a data breach to make the claim more cost-efficient and effective.
How to protect your money if your data is stolen
The organization may be able to confirm which documents or data were stolen, but their investigation into the breach will likely take a significant amount of time and may not be able to confirm exactly what was stolen, but only which servers or folders were compromised. .
However, if in doubt, victims are advised to report details of any documents they believe have been stolen, such as passports, driving licenses or bank card numbers, to the organization that issued them.
They should also inform their bank or building society and any credit card companies of their concerns and arrange for new cards to be issued to them, while recording all usual transactions on their statements.
Victims should be extra vigilant for suspicious emails, text messages, or websites that could be designed to obtain missing personal information so the fraudsters can gain access to their accounts.
The use of software to help detect suspicious activity should not constitute an offer of compensation
Passwords should be changed to new, strong passwords to protect accounts.
Victims can also contact the UK Fraud Prevention Service, Cifas, for protective registration, which will place a warning flag next to the victim’s name on the National Fraud Database.
This will tell any organization using Cifas information to pay special attention when using the victim’s data to apply for their products or services.
Typically, an offer to use software to detect suspicious activity should not constitute an offer of compensation, but the employer may offer this if payment is not made. So it is wise to check the situation with him and consider the offer carefully. detailed before accepting or rejecting it.
The victim should be careful not to agree to compromise any claims against the employer as this could prevent any claim through the courts.
Some links in this article may be affiliate links. If you click on it, we may earn a small commission. That helps us fund This Is Money and keep it free to use. We do not write articles to promote products. We do not allow a commercial relationship to compromise our editorial independence.