I recently received an email from the company I work for, saying there has been a cyber-attack and that personal and financial information may have been compromised.
I’ve talked to some of my former colleagues about this, and we have a lot of questions.
Can we find out what, if any, information hackers have stolen about each of us personally? These emails may include pay slips (so your address and national insurance number), bank details, a copy of your passport and a serious looking driving licence.
And what should we do to protect ourselves? Most of us have changed our online banking passwords, but what else?
I have read that it is possible to get compensation. How is it possible?
The company also offers a free 12-month subscription to its ‘credit and web monitoring’ service that can help flag suspicious activity.
If we accept, will it affect our right to compensation? LC, London
Data breach: Hackers target companies to steal sensitive information about employees that can later be sold to other criminals on the dark web.
Harvey Dorset, from This is Money, replied: Unfortunately, due to the increasingly digital world we live in, data breaches are on the rise, as they have grown almost continuously since the early 2000s.
Last year, there were 7.78 million cyber attacks on UK businesses, with half of UK businesses experiencing cyber attacks.
Criminals often target companies and steal data, and most go on to sell that data on the dark web.
Stolen data can include customer records, employee details and financial data.
Criminals use this data for identity theft, account takeovers, and phishing attacks.
Under GDPR rules in the UK, companies that experience a data breach must notify individuals whose data is at risk.
If your data has been stolen as part of a cyber attack, you are entitled to compensation if the breach has caused ‘material or non-material damage.’
Of course, if the data breach is minor, the company whose data was stolen will argue that no damage was caused by the breach.
For expert advice, This is Money spoke to Charlotte Hill, partner and attorney at law firm Penningtons Manches Cooper, to find out what to do if your data has been stolen, and if you are entitled to compensation.
How to report a data breach
Charlotte Hill says getting legal advice can help determine whether you have grounds for a compensation claim
Charlotte Hill replied: If you are the victim of a cyber attack and you suspect that your personal data has been stolen, you should report the crime to Action Fraud – the UK’s national reporting center for fraud and cyber crime.
The report will be assessed by the National Fraud Intelligence Bureau who will be notified within 28 days of the initial assessment.
Usually, the NFIB will refer the matter to the local police for investigation (as you cannot report it to them directly), or they will advise you that no further action will be taken.
Even if no action is taken, the report will remain on file, meaning it will be used to help continue to build the national intelligence picture and create a campaign to raise awareness of high-risk types of fraud.
The NFIB can also close bank accounts, websites and phone numbers used by fraudsters.
Unless the police are asked to investigate your report, unfortunately there is no other way for you to go down this path, and Action Fraud cannot help you recover stolen funds or compensation.
Personal data (such as address, national insurance number, bank details, and other details that can be used to identify a person, including from identity documents) must, among other things, be processed in a way that ensures the security of the data, including protection against unauthorized or invalid processing, under UK data protection law.
If the victim’s former employer believes that the employee’s personal data has been stolen, the employer must report the personal data breach to the Information Commissioner’s Office within 72 hours of learning about the breach, unless the breach did not lead to a risk to the rights and freedom of the victim.
Employers must also report such data breaches to victims without delay.
The ICO will then investigate the breach and have the power to search the data controller for the breach.
Individuals can also make a report to the ICO if they are unhappy with the organization’s response to their concerns about the breach, or if they do not respond to the correspondent within a month.
However, the ICO cannot compensate the victims.
Can I seek compensation after a data breach?
Victims can claim compensation from the organization if they suffer damage as a result of a breach of data protection laws.
This compensation can be for material damage, such as loss of money, and also non-material damage, such as suffering hardship.
It is possible that the organization will agree to pay compensation to the victims without having to go to court but, if the organization does not agree to pay compensation or the victim does not consider the payment sufficient, the victim’s next step is to make a statement to the court.
Getting early legal advice in these scenarios is key to considering the merits of the claim – we often advise victims who have been offered compensation from an organization before they decide whether to accept or pursue the organization through court.
It is now common for individuals to create what are known as ‘group actions’ to jointly pursue organizations against data breaches to make claims more efficient and effective.
How to protect your money if your data is stolen
The organization may be able to confirm what documents or data were stolen, but the investigation of the breach will take a lot of time and it may not be possible to confirm exactly what was taken, but only a compromised server or folder.
However, when in doubt, victims are advised to report details of all documents they think may have been stolen, such as passports and driving licenses or bank card numbers, to the issuing organization.
They should also inform their bank or building society and credit card company of their concerns and arrange for a new card to be issued to them, while reporting regular transactions on their reports.
Victims should be more alert for suspicious emails, text messages, or websites that may be designed to obtain lost personal data so that fraudsters can gain access to their accounts.
Using software to help detect suspicious activity is not necessarily an offer of compensation
Passwords must be changed to a new, strong password to protect any account.
Victims can also contact the UK’s Fraud Prevention Service, Cifas, for a protective registration which places a warning sign against the victim’s name on the National Fraud Database.
This will then inform the organization that uses Cifas information to pay special attention when the victim’s details are used to apply for that product or service.
Usually, an offer to use software to help detect suspicious activity does not have to be an offer of compensation, but an employer may make such an offer if there is no payment and it is wise to review the position with them and consider the offer carefully in detail before accepting or rejecting.
Victims should be careful not to agree to compromise any and all potential claims against the employer, as this can prevent claims through the courts.