
Data breaches – should you even care?

In 2019, the ICO was still owed 42% of the total amount of fines it had handed out for data breaches, spam, and nuisance calling since 2015. This demonstrates the difficulty the data protection regulator has when it comes to enforcing the punishments it hands out to companies.

Data obtained by The SMS Works via a freedom of information request found that:

  • 152 fines have been issued since 2015
  • 30% of these remain unpaid.

This unpaid amount does not include the £183m and £99m fines facing British Airways and Marriott Hotels. These are under appeal and not yet owed to the ICO.

The sheer amount of unpaid fines shows a complete lack of responsibility and care from offending organisations.

Companies are demonstrating a history of data protection failures

At the same time, it has been discovered that Marriott has suffered another data breach. On this occasion, rather than customers, it is employees who have had their privacy violated due to a third party. It is astonishing that, even in the face of a £99m fine, Marriott still doesn’t seem to be taking its data protection responsibilities seriously.

But it’s not alone.

Just a few weeks after the ICO announced plans to fine British Airways a whopping £183.93 million for its 2018 data breach, a vulnerability in the airline’s check-in procedures once again exposed passenger information.

Also, in November 2019, T-Mobile suffered a severe data breach with over a million pre-paid customers believed to be affected. But this wasn’t the first time T-Mobile had suffered a security failure. In August last year, the company admitted to a data breach which affected around two million customers.

And the list goes on.

In early 2020, Dixons Carphone Warehouse was fined £500,000 by the Information Commissioner’s Office (ICO). The Dixons Carphone data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores. The details were stolen by cybercriminals. But that breach was not the first time that the company had failed to protect its customers. The Carphone Warehouse, which merged with Dixons, was previously fined £400,000 following another cyber-attack. At that time, the huge fine was one of the biggest ever handed out by the Information Commissioner’s Office.

So, at best, we could argue that big companies are not learning from their security mistakes. At worst they just don’t care.

Is there any point in making a complaint?

Here at Hayes Connor Solicitors, we help our clients to claim compensation for breaches of their data privacy rights. And it’s a job we take very seriously. Not least because we understand the full and often traumatic effect a data breach can have on an individual. But, in light of these findings – and with breaches happening on an almost daily basis – is there any point even trying to stand up for your data privacy rights?


Certainly, where there is a pattern of breaches, there are likely more significant security issues at play. In fact, we would argue that in many cases these organisations are lucky that they haven’t suffered more attacks. Because when you adopt a reactive “break-fix” approach rather than a proactive security-first approach, it’s only a matter of time before something else goes wrong.

But just because some organisations aren’t prioritising data security doesn’t mean you shouldn’t.

Cybercrime can result in financial theft, identity theft, or both. And the result of either of these can be devastating. With enough information, cybercriminals can apply for credit in your name, set up fraudulent bank accounts and access your existing accounts. Even if you haven’t lost out financially after a data breach, this doesn’t mean that there is “no harm done.” A personal data breach is a 21st-century version of being burgled. If a criminal came into your home and stole your private information, you would be distressed. So why should you feel any less upset at having your online data taken?

Even if a privacy violation doesn’t cause you damage or distress, that doesn’t mean you shouldn’t do anything about it. Your data has value and organisations are legally obliged to look after it.

Something has to be done to make companies accountable for their data protection failures. And, in many cases, taking action against these organisations is the only way to make them improve their security processes.

Is it really their fault?

Cybercriminals are becoming more and more sophisticated. But even where a company has come under attack, this doesn’t let them off the hook. If they have done everything in their power to protect your data and have robust security processes and procedures in place, it is unlikely that they would be found guilty by the ICO.

Also, where a third party has been involved in a breach (e.g. in the Ticketmaster data breach), this doesn’t mean the company that collected your data isn’t to blame. It is their responsibility to put adequate checks and processes in place to secure vendor access. So, implicating the third party as the bad actor is both dishonest and legally neither here nor there.

The reality is that in most cases, data breaches happen because of a failure to implement reasonable and robust processes. These organisations must be made to get their houses in order. But it’s essential to get specialist legal help to tackle these offenders head-on.

If the ICO can’t do anything, what can you do?

The scale of unpaid fines begs the question of whether the ICO has the powers it needs to be fit for purpose. But that doesn’t mean there is nothing you can do. Because, while the ICO investigates and fines companies for data protection failures, it does not award compensation to victims.

That’s where we come in.

Hayes Connor Solicitors is a law firm operating in the data breach and protection sector. We help our clients to claim data breach compensation following data protection violations, GDPR breaches and other cyber offences. Our firm has established itself as the leading niche provider of legal services in this area. A relatively new and evolving area of law, this is all we do. Consequently, we have become a specialist in data protection law and data breach compensation claims. As a result, we lead our field when it comes to understanding the complexities involved.

In larger cases, we work alongside expert data protection barristers. This means you will get the very best level of legal support available.

With all the experience and expertise needed to win against even the biggest of companies, we work with you to protect your rights and hold organisations to account for their failures.