Home / News & Resources / News & Updates / What constitutes a data breach?

What constitutes a data breach?

  • Posted on

In our current digital landscape, personal data can be incredibly valuable, especially to criminals. Individuals provide their personal data to a multitude of different organisations, and if those organisations do not have the correct data protection in place, their personal and financial information could be at risk.

If your data has been exposed because an organisation has acted negligently, you may be able to make a data compensation claim. Knowing exactly what is meant by a data breach, how they happen and what your rights are is the first step towards achieving a fair resolution.

In this article, we’ll explore:

If you would like immediate advice from our data breach experts about a potential data breach claim, you can call 0330 041 5137 or fill out our online claim form to start the claims process.

What is a data breach?

A data breach refers to an incident whereby personal data is accessed, viewed or shared by an unauthorised party without permission. This might be the result of criminal activity but is often caused by simple human error on the part of individuals responsible for protecting that data.

Both individuals and companies are at risk of a breach, yet businesses must be especially careful to protect data. If data is exposed due to lax protection and handling, companies are viewed to have breached GDPR data protection laws, which can result in enforcement action, fines or other penalties.

What constitutes a breach of data protection?

A GDPR data breach refers to a breach of the General Data Protection Regulation (GDPR).  This is an EU data protection law that was implemented in the UK by the Data Protection Act 2018.

The UK version of GDPR broadly follows the same principles as in the EU, but has amended slightly to ensure that rules are suitable for the UK after Brexit.

In this context, a breach of data protection will refer to any incident whereby personal data that is stored by an organisation is lost, altered, destroyed, disclosed or accessed without proper authorisation.

GDPR defines personal data as information that could be used to identify someone, including names, addresses, financial information, identification numbers, location data and online identity data.

Where an incident constitutes a data breach, the organisation responsible will be required to follow specific reporting protocols, as outlined by UK GDPR. Organisations will also be liable to face fines for failure to properly comply with UK GDPR.

How do data breaches happen?

Data breaches can happen under many different circumstances, a few of the most common scenarios include:

Unencrypted data: Where data is unencrypted, cyber criminals can intercept and access private data, particularly where employees are moving within multiple clouds, or working within a network on the move. Businesses are advised to enable end-to-end encryption to protect data.

Accidental exposure or leak: Many data protection breaches are caused by errors in judgment, for example clicking on a malicious link or simply sending personal data to the wrong person e.g. by email or in a letter.

Ransomware or malware: Cyber criminals often use ransomware or malware to gain access to company systems and applications. To avoid such incidents, it’s important that companies have robust IT security protection.

Lax access controls: If companies fail to put robust access controls in place, for example not using multifactor authentication, they are more at risk of a cyber attack.

Phishing: Where cyber criminals attempt to trick people into sharing sensitive data by posing as an individual or organisation that has a legitimate reason for needing that data. These data theft attempts often occur by email. To avoid such issues, businesses must ensure that companies provide cyber security training to all employees.

Distributed denial of service: DDoS attacks are often used to create a diversion and while security administrators are distracted threat actors attempt to access sensitive data.

What are the negative consequences of a data breach for individuals?

A personal data breach can cause a variety of negative repercussions for an individual including fraud, financial loss, discrimination, or restriction of rights.

Companies have a responsibility to keep an individual’s data safe. If a company has failed in this duty any individual affected should seek legal advice.

If you are worried that your data has been exposed in a breach, please read our helpful guide on what to do if your data has been stolen in a data breach.

What rights do individuals have if their personal data is exposed?

According to UK data protection law, individuals are entitled to pursue a data protection breach claim if their data has been put at risk due to a breach of GDPR. Doing so allows them to:

  • Enforce their rights if data protection law has been breached
  • Claim data breach compensation for emotional distress, financial damages, or privacy loss

The amount you can claim will likely be more substantial if you can show specific harm/distress.

If your personal data is exposed and you would like to pursue a data breach compensation claim, contact our solicitors at Hayes Connor for more information.

What does GDPR law say about data breaches?

GDPR sets out seven key principles with relation to data collection, storage, and protection, these are:

  1. Transparency, fairness and lawfulness
  2. Data minimisation
  3. Limitation of purpose
  4. Data accuracy
  5. Security, confidentiality, and integrity
  6. Accountability
  7. Storage limitation

Where a data protection breach poses a high risk to the freedoms and rights of individuals, data protection law states that the organisation must inform the individuals without delay.

If a GDPR breach has occurred, the company must provide the following information to the individual.

  • A description of the data breach, in simple language
  • The contact details of the company data protection officer (or details on how to get more information regarding the breach)
  • The potential or likely consequences of the data breach
  • What the individual can do to deal with the breach, including steps to reduce any negative effects

What type of data can be breached?

Virtually any type of personal data can be breached, including:

  • Basic personal information: such as names, phone numbers, addresses, email addresses, location data
  • Intellectual property info: This may include blueprints, trade secrets or patents
  • Personal or medical info: Anything related to an individual’s mental or physical health, also known as “special category data”.
  • Financial data: such as invoices, bank details and credit card information

What are the three types of data breach?

There are three main types incidents that could be considered a data breach. These are:

Confidentiality Breach: A confidentiality breach refers to an incident whereby there is unauthorised access to or exposure of personal data.

Integrity Breach: An integrity breach happens when there is unintended or unauthorised alteration of data

Availability Breach: This type of breach takes place where data is lost access to by mistake or accidentally destroyed

What are some examples of a data breach?

Both small and large organisations are at risk of a data breach. Some examples of high-profile data breaches that have occurred in 2022 include:

Toyota data breach

In October 2022, Toyota revealed that the customer numbers and email addresses of nearly 300,000 customers had been exposed. The breach occurred when a hacker managed to access server credentials using a source code that was mistakenly posted online by a third-party web development contractor.

North Face data breach

In September 2022, approximately 200,000 North Face accounts were accessed in a credential stuffing hack that occurred on the company site. Information that was exposed included names, addresses, phone numbers and genders. Users are more likely to fall victim to a credential stuffing attack when they re-use the same password on multiple sites.

What steps should companies be taking to prevent data breaches?

Preventing a data protection breach largely depends on the type of breach that occurs:

Ransomware: It’s essential that individuals and companies have anti-virus and anti-malware software installed. Patching devices and backing up files regularly is recommended.

Phishing attacks: To avoid phishing, employers should ensure that employees know how to spot fraudulent text messages and emails. Password manager systems are also useful (as these will typically only enter passwords on real websites).

Cracked or stolen passwords: Businesses and individuals should follow password security best practices and use multi-factor authentication (MFA) for extra protection.

Data leak: To prevent data leaks businesses are advised to enable configuration management, doing so will ensure that cloud services do not expose data online.

What should a company do after a data breach?

According to UK GDPR laws, organisations have to report a GDPR breach within 72 hours. If the breach has a high potential to negatively impact the freedoms and rights of an individual, the person must be informed right away. Businesses must also keep a detailed record of data breaches.

What should an individual do after a data breach?

If your personal information has been exposed in a data protection breach, you should change your passwords right away. It is also advisable to create a security alert for your credit reports, or enable a security freeze.

If a company has lost your personal data, and or has broken GDPR rules, you may be entitled to make a data breach claim.

To review your case and find out whether you have the basis of a data breach compensation claim, it is advisable to get in touch with a specialist solicitor.

How Hayes Connor can help with data breach claims

If your data has been leaked or compromised, our solicitors may be able to support you to make a data breach compensation claim. We can act for clients on a no win, no fee basis, removing the financial risk of pursuing the claim.

We are one of the largest teams of data breach claims specialists in the country, with decades of combined experience in securing compensation for victims of data breaches. We can advise you on whether you are likely to have grounds for a claim, the level of compensation you may be entitled to and what you need to do to start a claim.

Our goal is to ensure that anyone who is affected by a data breach is able to get the compensation they deserve, while making the claims process as simple and stress-free as possible.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form and we will get back to you shortly to let you know if we believe you have grounds for compensation.

If you would like to speak to a member of our team, please do not hesitate to give us a call on 0330 041 5137.