
What is a third-party data breach?


The consequences of a third-party data breach can be extremely serious. Legal Director Richard Forrest discusses what third-party data breaches involve, what actions you can take if you are a victim of a third-party data breach and how Hayes Connor can help.

Any organisation that handles, stores, or uses your personal data is legally obligated to keep it secure. That said, for a variety of reasons, certain forms of data can be shared with verified third parties.

If the correct procedures are followed, this should not present an immediate threat to data security. However, as multiple incidents have demonstrated, cyber-criminals may elect to conduct malicious attacks on third parties in order to gain access to sensitive data, particularly if they view said third party as a vulnerable target.

In this article, we discuss some common questions surrounding third-party data breaches, including what steps you should take if your data is ever exposed in such an incident.

What is third-party data?

Third-party data relates to information that is collected by a provider, supplier or contractor of another organisation.

This means that a third-party data breach will involve an incident where personal data is compromised via a third-party vendor, rather than directly through an organisation. Typically, the third party’s systems will be misused in order to access the data an organisation holds.

What are the risks of a third-party data breach?

Third-party data breaches present many of the same risks as first-party data breaches. Any individual whose data is compromised in a third-party data breach could face a range of potential threats, including:

  • Loss of privacy
  • Direct financial losses
  • Vulnerability to phishing attacks
  • Fraud
  • Loss of confidentiality

In addition to these material risks, victims of third-party attacks can also experience a range of adverse impacts on their mental and physical health. Emotional distress, illness and difficulties sleeping are common issues that victims of data breaches may be left to deal with.

What is an example of a third-party data breach?

In the UK alone, there have been countless third-party data breach examples in recent years. Just some of the recent third-party data breaches the team at Hayes Connor have supported victims with include:

Met Police third-party data breach

In 2023, the Metropolitan Police launched an investigation after it was discovered that an attack had been launched against the IT systems of one of its third-party suppliers.

The scope of the data breach caused by the attack was not confirmed, though it was revealed that the supplier had access to a wide range of information relating to officers and members of staff. This is said to include names, ranks, photos, vetting levels and pay numbers.

More information about the Met Police data breach and how we are supporting victims can be found here.

Greater Manchester Police third-party data breach

A third-party supplier for the Greater Manchester Police (GMP) force was also targeted in 2023, potentially putting thousands of officers and members of staff at risk.

The third-party supplier was responsible for producing GMP’s identification and warrant badges. As a result, they are thought to hold personal information such as names, identity numbers and photographs.

More information on the Greater Manchester Police data breach and how we are supporting victims can be found here.

MOVEit/Zellis data breach

The MOVEit file transfer system, produced by Progress Software, was the target of a cyber-attack in 2023. Significantly, MOVEit is used by the UK payroll provider Zellis, who work alongside a number of high-profile clients.

Several companies revealed that they fell victim to the MOVEit/Zellis data breach, though it is thought that thousands of firms have been affected across the country. AON, the BBC, Boots, British Airways, Creation Finances, DPD DHL and JLL have all been affected.

Can you claim compensation for a third-party data breach?

If your data has been compromised as a result of a third-party data breach, then you may potentially have grounds to make a claim for compensation.

That said, knowing whether an incident amounts to a breach of data protection laws is not always straightforward. This means that it is vital that you seek out specialist support if you suspect that your data has been exposed. By doing so, you will have a clear understanding of your position, what steps you need to take, and whether making a claim for compensation would be in your best interests.

What compensation can you claim for a third-party data breach?

If your personal information has been exposed in a third-party data breach, there are two main issues you could potentially claim compensation for:

Financial losses

If your personal information has been exposed, there is the potential for it to have fallen into the hands of an unauthorised third party. You could be at risk of having money directly extracted from your account if your financial details were exposed, or of becoming the victim of fraud. Claiming back any losses you have suffered may be possible.


Discovering that your personal information has fallen into the wrong hands can be an extremely daunting prospect and have very real consequences for you and your family. Many people commonly experience stress, trouble sleeping, feeling ill, and generally being very unsettled.

If you have experienced these types of issues or any other emotional fallout from a third-party data breach, then you may be in a position to claim compensation.

How Hayes Connor can support you if you are the victim of a third-party data breach

If your personal information has been exposed in a data breach, our solicitors may be able to support you in making a claim for compensation. We are able to act for clients on a no win, no fee basis, which removes the financial risk of pursuing a claim for a third-party data breach.

At Hayes Connor, we are one of the largest teams of data breach claims specialists in the UK, with a wealth of combined experience and expertise. This means we are well positioned to advise you on whether you have grounds to make a claim, the level of compensation you could be entitled to receive and what you need to do to start a claim. Our team will then be available to guide you through every step of the claims process.

We want to ensure that anyone who has been affected by a third-party data breach is able to access the compensation they deserve, while also making the claims process as simple and stress-free as possible.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form and we will get back to you shortly to let you know if we believe you have grounds for compensation.

If you would like to speak to a member of our team, please do not hesitate to give us a call on 0330 041 5135.