Data breach victims should have more rights to sue companies under GDPR, Which? has told the Government as a survey shows almost half of them experience fraud.
The consumer watchdog said that victims who had sensitive personal and financial details stolen from companies often fell victim to fraud or suffered financial hardship as a result.
However, they are currently unable to pursue legal compensation unless they sued companies privately.
Which? has called for ministers to activate a clause in GDPR regulations, which came into force in 2018, that would allow third-party organisations such as the watchdog to sue companies on behalf of data-breach victims.
Under the provisions, individuals would be able to opt out of any representative legal action, should they wish.
The call comes as the Department of Digital, Culture, Media and Sport is currently reviewing GDPR, and considering whether any of its latent clauses should be activated.
Meanwhile, a survey by Which? of more than 1,000 of its members who had been victims of corporate data breaches found that 46 per cent had gone on to experience fraud.
The watchdog said data hack victims also suffered other serious consequences, citing BA customers who have, had cards blocked while on holiday after the airline was hacked in 2018.
BA is facing a record £183 million fine over the data breach from the data regulator, the Information Commissioner Office (ICO).
However, Which? argued none of the large fines imposed by ICO under GDPR had been levied yet and warned they were expected to be appealed.
Jenny Ross, Which? money editor, said: “Whether we’re shopping online, booking a holiday or signing up to a new mobile phone contract, we have to trust the companies we deal with to protect our details – and if things go wrong we need to know that businesses are held to account.
“We need the ICO to be a regulator with teeth that is prepared to step in and issue fines in the event of companies breaking data protection laws, to ensure more businesses better protect consumers from data breaches.
“Consumers should also have a much clearer route to redress when they suffer the financial and emotional toll of data breaches – and that’s why the government must allow for an opt-out collective redress regime that deals with mass data breaches.”