Millions of Britons have had their personal information stolen in one of the countless cyber hacks on UK companies and organisations. The recent cyber attack on Marks & Spencer was a reminder that even the biggest and most well-known companies can be hit.
But what should you do if your personal information is stolen? Are a few of your details really of value to a fraudster – and, if so, what can they do with them?
Here Money Mail reveals how fast your data is sold on to criminal gangs, what data is valuable, where your data goes and what you can do to protect yourself.
Fraudsters act fast… so should you
When a cyber attack happens against a business or organisation and large volumes of information are stolen, speed is then of the essence – for both potential fraudsters and victims.
Dr Nicola Harding, chief executive of security service We Fight Fraud, explains that hackers make money by selling the data rapidly, so it can be used before potential victims have been alerted and have changed passwords or security settings.
Stolen information becomes a ‘commodity in the underworld’, for immediate sale via the dark web.
Dr Harding says: ‘Hackers sell the data in bulk so they can move it on quickly, but they don’t know how much can be monetised.’
It may even have been sold on before you know it has been stolen.

Dr Harding adds: ‘Stolen data has a shelf life. There’s a chance data has already gone on to the dark web before the organisation which has been hacked has even realised there’s a breach and before the consumer has been notified.’
Nonetheless, it is still worth acting as soon as you can to change your passwords and check your security settings, as we explain below.
What’s my most valuable data?
The most lucrative details a fraudster can get their hands on include your full name, date of birth and address. These are vital for identity theft.
National Insurance numbers are sold on to criminals to commit benefit or tax fraud, while bank details and credit card numbers are used for direct financial theft.
There is a huge variation in how much your hacked information is worth, according to global cyber-security consultancy the Enovise Group. Stolen credit card details are worth £3.75 to £37.50, hacked social media accounts are ‘frequently sold’ for £22.50 to £75, while online bank login details change hands for £150 upwards, depending on how wealthy the victim is.
‘Most expensive’ are medical records – useful for insurance fraud or even creating false medical identities – which potentially sell for up to £750.
Personal details, payment information and login details – including obscure personal information used for secondary verification – are attractive because hackers can use them to steal identities.
Simon Miller, of fraud prevention service Cifas, adds that ‘seemingly unimportant data, such as your pet’s name or the street you lived on as a child that you may have used for additional security, may appear harmless but can still be used to guess passwords or bypass verification checks’.
Data that’s less immediately valuable, but still a concern, might include browsing history or non-sensitive contact details. While alone they pose less risk, when combined with other information they can be used for phishing or social engineering attacks.
Even if only low-level data has been stolen, such as names and email addresses from a shopping website or discount app, it can still have value for criminals if their victims use the same password for multiple places.
‘Criminals’ success is down to how well-protected the consumer is. It’s why having different passwords is so important,’ adds Dr Harding.
What does it mean if I get a message saying my data has been hacked?
Should you receive notification via email informing you that there has been a data breach then, put simply, this means information about you has been accessed by someone without authorisation.
Your personal information might now be in the hands of criminals who could exploit it for financial gain, fraud or identity theft.
If you are contacted directly by criminals who say they have access to your data and want you to pay them, or do something else for them, to safeguard your data, then it is vital that you do not do what they ask and that you report it to the authorities immediately. These fraudsters are likely engaged in a phishing attempt or social engineering attack.
An alert about hacking should be a ‘red flag’ that your data security ‘has been compromised’, says Mr Miller.
‘You need to act quickly to protect yourself, your data and your money.’
The consequences of having your personal data stolen can range from a mild inconvenience to a complete nightmare.

Jano Bermudes, chief operating officer at cyber-security consultancy CyXcel, says: ‘When you receive a message saying your data has been hacked, it means individuals have accessed your personal information and this fact has been verified by competent professionals – usually the forensic cyber specialists deployed during a cyber-insurance claim.
‘The organisation are reaching out to you in line with legal advice they will be receiving in relation to their obligations under one or more compliance regimes [data protection, payments regulation, health regulation or similar].’
Even consider replacing your passport
If you subsequently receive a message from the company that has been hacked, check that it is genuine. Fraudsters will often exploit fears about hacks by getting in touch and pretending to be from the company that has been hacked or another official organisation. They may offer to help secure your account or your money, but in reality are just tricking you into sharing your personal information. Assess whether the email is genuine by phoning the company, or organisation, if necessary. Do not click on any links in an email or text message.
Change any passwords linked to the breached service – especially if you’ve re-used them elsewhere, experts advise.
Some websites or apps allow you to enable so-called two-factor authentication. This is where you have to complete an extra layer of security in addition to filling in your password to gain access. For example, it could send a text message to your phone with a security code that you must provide before you can access your account. Mr Miller suggests enabling this technology where possible.
He also suggests checking your financial statements regularly if your data has been stolen in a security breach, looking out for transactions that you do not recognise.
Dr Harding says you should ‘not panic but act quickly’ by changing passwords, enabling two-factor identification via text message or email, monitoring accounts for unusual activity and using a credit freeze or fraud alert if you suspect identity theft.
‘If the breach involves Government ID (passport, driving licence), report the loss and consider replacing those documents,’ Dr Harding adds.
She also recommends using a password manager – which creates strong, secure and constantly changing passwords that a user does not have to remember.
Use complex passwords and change them regularly, according to Mr Bermudes. He adds that it is essential to download security updates to online devices.
Identity fraud is the biggest threat
Simon Miller says that every piece of data has value and identity fraud is the most common fraud reported by Cifas members – it accounted for nearly 60 per cent of all cases filed to the National Fraud Database in 2024.
This is where a fraudster uses your personal details to impersonate you, for example to take out loans in your name.
It is essential that you act quickly to minimise damage.
To minimise the risk, you should secure your accounts as quickly as possible, monitor your credit file, check your bank account DAILY and report suspicious activity to Action Fraud.
What are my rights if my data has been stolen?
Under laws such as the UK GDPR and Data Protection Act 2018, you have the right to be informed of the breach in a timely manner; know what data was compromised; access your data and request details of how it’s handled; complain to the Information Commissioner’s Office and seek compensation if the breach resulted from the organisation’s failure to protect your data adequately.

Dr Harding says: ‘Organisations are legally obligated to act responsibly with your data. If they don’t, you’re entitled to accountability.’
If the data theft has led to money being stolen from accounts or fraudulent activity, contact Action Fraud or your bank, which may have the responsibility to reimburse you.
But Tom Pelham, lawyer and member of the Forum of Insurance Lawyers’ tech and cyber team, says further compensation is unlikely because companies falling victim are likely to be treated sympathetically.
He says: ‘There is often a lot of negative public sentiment towards companies that suffer a cyber incident, but it is important for everyone to understand the wider context.
‘The vast majority of the clients that we support during live cyber incidents have taken every reasonable step to prevent intrusions, but they are engaged in a daily battle to defend their environments against professional threat actors.
‘The public perception is that these incidents are caused by teenagers in hoodies acting alone, but the reality is that there is a sophisticated army of threat actors around the world who are members of organised crime networks.
‘These threat groups have the resources and skill sets to challenge conventional security architecture and they are motivated by huge financial rewards. In my view, we should be focusing less on the perceived “failings” of companies that have suffered cyber incidents and more on the unique sophistication and motives of those perpetrating the attacks.’
Can I claim compensation?
If negligence is proven then you can claim compensation, says Dr Harding.
She says: ‘If an organisation failed to implement appropriate security measures and that failure led to the breach, you may have grounds to claim compensation for both financial loss and emotional distress. The Information Commissioner’s Office can investigate, and you can also take legal action independently.’
But Mr Pelham adds: ‘Whilst we do occasionally see individuals attempting to seek compensation following a compromise of their personal data, most claims will encounter significant challenges.
‘The UK courts are largely sympathetic to the practical challenges that UK companies face in securing their systems and there is a general acceptance that no company can achieve absolute perfection when it comes to security and the protection of customers’ personal data.’
Easy ways to protect yourself
Once you know what has been exposed you need to think through the wider impact, says The Cyber Centre advice service.
If you use the same username and password combination on other sites then you need to change them straight away.
If something more private has been exposed, such as your messages, sexuality or extracurricular activities, then you will need to consider what to do next.
Victims of identity fraud following a data breach can ask to have a warning flag put beside their name and other personal details in the National Fraud Database.
It means banks and other financial organisations know such individuals are vulnerable.
Cifas offers this through its Protective Registration service, costing £30 for two years.
The Cyber Helpline adds: ‘You have to be switched on to your online security posture. Be careful of suspicious calls, text messages and emails. Check the security settings of your devices and online accounts and investigate anything suspicious.
‘Many organisations who are hacked offer their customers free security tools to help them deal with the impact of their data being known to cyber criminals. This might be free credit score checks, free security software or access to expert advice.’
For further information, visit the National Cyber Security Centre’s website: https://www.ncsc.gov.uk/guidance/data-breaches, or the Information Commissioner’s Office website: https://ico.org.uk/for-the-public/data-protection-and-journalism/taking-your-case-to-court-and-claiming-compensation