Whether we’re shopping online, booking a holiday or signing up to a new mobile phone contract, we trust the companies we deal with to protect our details.
But an ever-growing list of data breaches affecting the world’s largest organisations is eroding that trust.
Earlier this year, easyJet told roughly nine million customers their data had been compromised in a breach.
Marriott also hit the headlines for losing around 5.2 million people’s contact and personal information – its second data breach in three years.
And the recent cyberattack on a cloud computing provider, Blackbaud, has left students and charity donors concerned their records have fallen into the hands of criminals.
Here, Which? investigates the cost of lost data and why it should be easier for victims to seek redress.
Almost half of Which? members experience fraud after a data breach
We found that 23% of Which? members have had their data compromised following a cyberattack on a company or organisation, according to our survey of 1,369 members in July 2020.
And 46% of those members later experienced fraudulent activity.
That’s just those who were aware their data had been compromised. We also asked members to submit their email addresses to haveibeenpwned.com, a website that tells if your email address has been involved in a data breach.
We had 515 members take part, submitting a total of 610 email addresses. It was revealed that:
Troy Hunt, creator of the site, warns that the numbers are likely to be much higher: ‘The average account will have been in about two data breaches. But there are a whole host of other breaches we don’t know about and the breached passwords might be used in other places.’
What happens to your data after it’s stolen?
Hackers put stolen data up for sale on the dark web, and occasionally advertise it on social media.
Beyond simply withdrawing money from your account, or using your debit or credit card details, stolen data can be used for other purposes.
Criminals may set up accounts in your name (identity theft), or use your own data to convince you they’re an organisation you trust (authorised push payment fraud).
Drew Perry, chief executive of cybersecurity firm Tiberium, explained: ‘There are a number of cybergangs out there and most of them are Russia-based and financially motivated. And these operations are slick and sophisticated. They have help-desks and refund policies.’
Drew told us about one forum on the dark web: ‘An EU bank card number with all associated personal data sells for US$9.90 on this particular site, or in a bulk of 10 for US$99. The bulk pack includes all instructions and information you need to carry out your fraud operation to make money.’
‘Someone tried to take £15,000 from my account’
One British Airways customer told us his trip to Thailand became a holiday from hell after the airline suffered a data breach in 2018.
‘I got to the Manchester Airport and that’s when everything started going very weird’, Jamie explained.
He received an email from Royal Bank of Scotland (RBS) telling him changes had been made to his bank account.
‘I was very stressed,’ he said. ‘I needed to get on the plane, so I couldn’t contact the bank to see what the changes were.’
When Jamie arrived in Thailand, his debit card was declined.
‘RBS had suspended my account because there had been a lot of suspicious activity. Someone had tried to take £15,000 from my account.’ Also, Nationwide blocked his debit card after strange activity was detected.
‘At this point, I’m in a foreign country with no access to money. I was told they couldn’t reactivate my cards until I came back to the UK,’ Jamie explained.
Jamie then received an email from British Airways notifying him that he was one of 500,000 customers whose details had been stolen.
Jamie found the experience was highly stressful. ‘I’m a switched-on person usually,’ he told us. ‘But I can’t tell you what it felt like to have someone try to steal my money and then be told there’s nothing I can do until I get back to the UK.’
Jamie struggled to get in touch with BA, but did eventually speak to its customer service team through Twitter and managed to get home, at his own expense.
He’s since joined a group action claim against the airline and sent it an invoice, covering the cost of his ruined holiday and getting home. He’s yet to receive a response.
‘I look back and remember having numerous panic attacks, all because of the stress caused by a data breach,’ Jamie told us. ‘It’s been nearly two years since I bought that ticket and I don’t want BA to get away with this. The consequences have gone far beyond me having to ring my bank a few times.’
BA told Which? it notified all affected customers as quickly as possible and confirmed it would reimburse any direct financial losses as a result of the attack, and offer credit-rating monitoring.
It added: ‘This was a unique case which we investigated at the time and could find no evidence that the fraud was attributable to the cyberattack. A response to the relevant customer’s concerns was provided at the time.’
‘I don’t know what my rights are’
One patient who received therapy through Anxiety UK was contacted by the charity following the Blackbaud data breach in May 2020, to say her information may have been compromised.
The stolen data included personal information, as well as ‘limited notes’ for those who had accessed therapy services with the charity.
‘While I know my therapist notes weren’t included, they still hold other sensitive information from the screenings I took when signing up,’ she told us.
‘I’m very open about my anxiety and my journey with mental health, but there’s lots of other people who are still fearful about the stigma of having a mental health illness. It’s not good enough to just receive a blasé “sorry email”,’ she added.
‘I don’t know what my rights are because there’s nothing in the information the charity sent me,’ she said. ‘They seem to think bank details are more important, but banks refund customers, while there’s no protection for medical information.’
The victim is unsure how she can prove the value of her medical data. ‘I know businesses can be fined, but it’s our data,’ she said. ‘How do you put a price on my medical information?’
Blackbaud paid the hackers a ransom, and the hackers said they had destroyed the copy of information. It says it has no reason to believe the compromised data has or will be misused.
But the victim is concerned her data is still out there.
‘The charity emailed to say the information hasn’t been misused, but how can they give those reassurances?’ she said. ‘I protect my data and check my credit file on a monthly basis, so I’m doing that bit right, but you can’t run any checks on personal sensitive data.’
A spokesperson for Anxiety UK said: ‘We’ve worked tirelessly over recent weeks to contact our beneficiaries to let them know what has happened, as they are our key priority as always.’
It’s provided a dedicated email address for beneficiaries to contact directly and has offered the support of Anxiety UK-approved therapists.
‘It’s worrying that my data is out there’
Criminals prey on confusion, and the COVID-19 pandemic has given them ample opportunity.
Brendan, from Belfast, received a suspicious-looking email from easyJet in June.
‘It looked like a standard easyJet email, but the links wouldn’t work, which I found strange. It also said, “you’ve cancelled your holiday to Spain”, which wasn’t true’. EasyJet had in fact cancelled Brendan’s holiday prior to this email.
Unsure whether the email was fraudulent, Brendan tweeted easyJet but didn’t receive a response.
EasyJet later confirmed to Which? the email was genuine. However, it did not make an effort to resolve this with Brendan at the time, who feels let down by the response given the huge data breach the airline had experienced.
Even though easyJet became aware of the breach in January 2020, it didn’t start to inform customers until April.
‘It’s taken no responsibility,’ Brendan said. ‘I’m worried that my data is out there, possibly being passed around on the dark web.’
He would rather have asked for a refund, instead of rebooking, if he had known there was a data breach. ‘I’ve become overly cautious and it’s caused a lot of disruption,’ Brendan said.
‘Here’s a business we’ve freely given our information to and the security issues are really concerning.’
EasyJet says it’s sorry it didn’t respond to Brendan’s tweet and has now reassured him that the email was genuine.
It said it notified customers as soon as it was able to do so about the breach and offered a complimentary 12-month membership to an identity-monitoring service.
The company believes although the cyberattack was regrettable, it doesn’t mean easyJet was at fault or that customers are entitled to compensation.
Larger fines yet to be enforced
The Information Commissioner’s Office (ICO) is the UK’s independent authority created to uphold information rights.
Under General Data Protection Regulation (GDPR), which came into force in 2018, the ICO can impose a maximum fine equivalent to €20m or 4% of a company’s global turnover for a data breach; previously, the maximum was £500,000.
Fines are determined by the scale of the breach and how long the organisation took to report it. But no organisation has yet paid these larger GDPR-era fines.
The ICO announced its intention to fine BA £183m last year for its 2018 breach. The next day it announced its intention to fine Marriott just under £100m for losing 339 million guest records.
The deadlines to issue the fines, however, were extended – and both companies are expected to appeal. The IAG Group, which owns BA, released a report in June, estimating the fine would be €22m.
The ICO has refused to comment on the Marriott or British Airways cases until the regulatory process has concluded.
Fines might deter companies, but the money goes to the UK Treasury, not the victims. The ICO can’t award compensation but will give its opinion in court, which might help a claim.
And although GDPR says you have a right to claim compensation following a breach, doing so is not easy.
Bringing companies to court
A number of law firms offer no-win, no-fee group-action claims – but do your research.
Check firms are registered with the Solicitors Regulation Authority.
Law firms take a percentage of your final compensation, typically between 25% and 35%.
Some have wildly different expectations of how much compensation you might get. One law firm believes the British Airways Group Litigation Order will result in up to £2,000 per person, while another firm expects £6,000 to £16,000, depending on damages.
Which? calls for better redress for data breach victims
When companies fail to comply with data protection rules, consumers should have easy access to effective redress.
Currently, we have an “opt-in” system, with the burden lying with consumers to bring court claims about unlawful data practices themselves, or to find a representative body that can do so on their behalf.
It’s difficult to prove distress – financial or otherwise – was caused by a specific breach.
As Troy Hunt says: ‘The number of data breaches that happen is staggeringly high.’
Even if haveibeenpwned.com suggests your email was involved, proving that this led to a scam is difficult.
The fact that harms suffered by consumers may seem relatively small, legal processes can be lengthy and costly, and a lack of accessible evidence means that many breaches go without redress.
The government has the power to facilitate better redress by implementing Article 80(2) GDPR in its upcoming review of the Data Protection Act 2018.
This would then allow not-for-profit organisations such as Which? to bring collective redress actions on behalf of people on an ‘optout’ basis, without those consumers each having to bring – or to appoint a representative body to bring – an individual case against the company involved.
A properly implemented redress system would ensure people could trust that harm suffered as a result of data breaches would be remedied and would simultaneously act as an incentive for companies to improve their data handling processes – resulting in fewer breaches.
How to protect yourself
While it’s up to companies to prevent data breaches from happening, you can reduce the potential damage to your finances.
- Passwords – Always set strong passwords for your accounts and use a different password/email combination for every account.
- Password manager – Many services now alert you if your passwords have been compromised. As services such as Lastpass and Dashlane can be used for free, there’s no reason not to use a password manager.
- Credit card details – Don’t save your credit card details if you aren’t going to use the service regularly. Although it’s a faff to resubmit them, that’s better than having your financial information unnecessarily stored in a database that could be compromised.
- Guest checkout – Similarly to the above, just checkout as a guest if you aren’t going to use the service that often. Only create an account if you really need to.
- Two factor/multi-factor authentication (2FA/MFA) – 2FA/MFA is worth activating to increase security if it is available, particularly if your account holds your financial information.
- Be wary of fraudulent texts, calls and emails – Always be cautious if a company requests personal or sensitive information from you, particularly after a breach. Report anything suspicious to Action Fraud.
- Sign up to Cifas protective registration – If you do fall victim to a breach, Cifas’ service (£25 for two years) means banks and financial companies will take extra steps if they see your details being used to apply for products and services.