Which? reveals the shocking scale of data theft following cyberattacks and calls for tough action against failing firms

Which? is calling for enforcement of tough penalties for firms that fail to prevent data breaches, as new research from the consumer champion reveals the shocking scale of data theft following cyberattacks.

When data breaches occur, opportunistic fraudsters can then go on to buy stolen information such as passwords or credit card and bank details, as well as using other personal details to pose more convincingly as victims’ banks and other trusted organisations.

Now worryingly a new Which? survey suggests that these problems are rampant – revealing that almost half (46%) of people whose data was stolen by hackers then went on to experience fraud.

This was out of around a quarter (23%) of 1,369 Which? members who said they’d had their data compromised following a breach involving a company or organisation.

Which? also heard from people who said that they’d not only lost money but seen their mental health impacted in the aftermath of being involved in a data breach. These victims have also struggled to get any form of redress from the companies that failed to protect their personal data.

Jamie, a British Airways customer, had his trip of a lifetime ruined when he became one of the 500,000 customers whose names, email addresses and card details were stolen by cybercriminals. When he arrived for his holiday in Thailand he found that RBS had frozen his account, saying there had been a lot of suspicious activity including someone attempting to take £15,000 from his account, and Nationwide had also blocked his debit card.

Jamie said he suffered immense stress at the time and two years on he is still fighting to get compensation back from BA for his ruined holiday, he has even joined a group action claim against the airline, but is yet to receive any redress.

Which? has also heard from an easyJet customer who was disappointed that even though the company became aware of a huge data breach in January 2020, the airline said that it was only able to start informing customers in April. He feels the airline has taken no responsibility and is worried his data is out there, possibly being traded by criminals on the dark web.

This year has seen some huge data breaches take place. EasyJet told around 9 million customers that their data had been compromised in a breach. Marriott also hit the headlines for losing around 5.2 million people’s contact and personal information – announcing its second data breach in three years. And more recently the cyberattack on software company Blackbaud has left students and charity donors concerned their records have fallen into the hands of criminals.

As part of its investigation, Which? also asked its members to submit their email addresses to haveibeenpwned.com, a website that tells you if your email address has been involved in a data breach. Which? had 515 members take part, submitting a total of 610 email addresses. It was revealed that 79 per cent had experienced at least one breach. Of those, the average number of breaches per email address was 3.7. One address had been in 19 breaches.

Despite all of this, the ramifications for firms that fail to protect their customers’ data are limited. The ICO announced its intention to fine BA £183 million for its 2018 breach and Marriott just under £100 million for losing around 339 million guest records. However, the deadlines to issue the fines were extended and both companies are expected to appeal. The IAG Group, which owns BA, released a report in June, estimating the fine would be €22 million.

Currently victims have limited options to seek redress when data breaches occur. Although under GDPR consumers have a right to claim compensation if they have suffered damage as a result of an organisation breaking data protection law, doing so isn’t always easy. The ICO advises victims to take independent legal advice and to try to settle with the organisation first. If this fails, victims may be able to make a court claim – either independently or through a group action claim, where claimants join together to seek redress.

Which? is calling for the ICO to actually issue intended fines when organisations breach data protection law, otherwise firms may continue to treat customers, and their sensitive personal data, with disregard.

Which? also wants the government to implement provisions in the GDPR to allow not-for-profit organisations to bring collective redress action on behalf of consumers for breaches of data protection rules – without them having to opt-in to a group case or bring the case themselves. This would help to support and enforce the rights of consumers, making it easier for victims of data breaches to secure adequate redress, and create further incentives for businesses to improve their data processing mechanisms.

Jenny Ross, Which? Money Editor, said:

“Whether we’re shopping online, booking a holiday or signing up to a new mobile phone contract, we have to trust the companies we deal with to protect our details –  and if things go wrong we need to know that businesses are held to account.

“We need the ICO to be a regulator with teeth that is prepared to step in and issue fines in the event of companies breaking data protection laws, to ensure more businesses better protect consumers from data breaches.

“Consumers should also have a much clearer route to redress when they suffer the financial and emotional toll of data breaches – and that’s why the government must allow for an opt-out collective redress regime that deals with mass data breaches.”

Further case study details

Jamie, a British Airways customer, told Which? that his trip to Thailand became a holiday from hell after the airline suffered a data breach in 2018. When he arrived in the country his debit card was declined. He said: “RBS had suspended my account because there had been a lot of suspicious activity. Someone had tried to take £15,000 from my account” and Nationwide also blocked his debit card after strange activity was detected.

He then received an email from BA notifying him that he was one of the 500,000 customers whose names, email addresses and credit card details had been stolen by cybercriminals. Jamie suffered immense stress as a result. “I’m a switched on person usually. But I can’t tell you what it felt like to have someone try to steal my money and then be told there’s nothing I can do until I get back to the UK.”

Jamie struggled to get in touch with BA, but did eventually speak to its customer service team via Twitter and managed to get home, at his own expense. He’s since joined a group action claim against the airline and sent it an invoice, covering the cost of his ruined holiday and getting home but is yet to receive a response. “I look back and remember having numerous panic attacks, all because of the stress caused by a data breach. It’s been nearly two years since I bought that ticket and I don’t want BA to get away with this. The consequences have gone far beyond me having to ring my bank a few times.”

Brendan, an easyJet customer, told Which? that he received a suspicious looking email from the company in June. “It looked like a standard easyJet email, but the links wouldn’t work, which I found strange. It also said, ‘you’ve cancelled your holiday to Spain’, which wasn’t true.” EasyJet had in fact cancelled Brendan’s holiday prior to this email.

Unsure whether the email was fraudulent, particularly given the many scammers looking to take advantage of the Covid-19 pandemic, Brendan tweeted easyJet but didn’t receive a response.

EasyJet later confirmed to Which? the email was genuine. However, it did not make an effort to resolve this with Brendan at the time, who felt let down by the response given the huge data breach the airline had experienced. Even though easyJet became aware of the breach in January 2020, it didn’t start to inform customers until April.

He said. “It’s taken no responsibility. I’m worried that my data is out there, possibly being passed around on the dark web.”  He would rather have asked for a refund, instead of rebooking, if he had known there was a data breach. He added: “I’ve become overly cautious and it’s caused a lot of disruption. Here’s a business we’ve freely given our information to and the security issues are really concerning.”

Further details on opt-out collective redress action 

The government has the power to facilitate better redress by implementing Article 80(2) GDPR in its upcoming review of the Data Protection Act 2018. This would then allow not-for-profit organisations such as Which? to bring collective redress actions on behalf of people on an ‘opt- out’ basis, without those consumers each having to bring – or to appoint a representative body to bring – an individual case against the company involved.

A properly implemented redress system would ensure that people could trust that harm suffered as a result of data breaches would be remedied and would simultaneously act as an incentive for companies to improve their data handling processes – resulting in fewer breaches.

DCMS is consulting on the operation of the ‘representative’ action provisions of the Data Protection Act 2018.

Which? advice to consumers on protecting their data

  • Passwords – Always set strong passwords for your accounts: https://computing.which.co.uk/hc/en-gb/articles/360000818025-How-to-create-secure-passwords

  • Password manager – Many services now alert you if your passwords have been compromised. As services such as Lastpass and Dashlane can be used for free, there’s no reason not to use a password manager.

  • Two factor/multi-factor authentication (2FA/MFA) – Wherever possible turn on 2FA/MFA to increase security, particularly if your account holds your financial information. Don’t use SMS but use an authenticator app or even a hardware token if possible.

  • Credit card details – Don’t save your credit card details if you aren’t going to use the service regularly. Although it’s a faff to resubmit them, that’s better than having your financial information unnecessarily stored in a database that could be compromised.

  • Guest checkout – Similarly to the above, just checkout as a guest if you aren’t going to use the service that often. Only create an account if you really need to.

Notes to editors

Rights of reply

British Airways

BA told Which?: 

“At the time, we notified all potentially affected customers as quickly as possible, advising them to contact their bank or card provider as a precaution. We confirmed that any customers who suffered direct financial losses as a result of the attack would be reimbursed, and offered credit rating monitoring, provided by specialists in the field, to any affected customer who was concerned about an impact to their credit rating.

“This was a unique case which we investigated at the time and could find no evidence that the fraud was attributable to the cyber-attack. A response to the relevant customer’s concerns was provided at the time.

“To date, we have identified no verified cases of fraud as a result of the attack.”


“We are sorry that the customer’s tweet about an email regarding their holiday was not responded to. This was as a result of human error and is not the level of service we expect for our customers. The email the customer tweeted about was an automatically generated email from easyJet holidays in response to the customer’s request to cancel their holiday.  Our team has now been in touch with this customer to reassure them that the email he received was genuine and not fraudulent.

“At easyJet we take the safety and security of our customers’ information very seriously. As soon as we were able to do so, we notified and provided support to the small number of customers whose payment card data was compromised, offering them complimentary 12-month membership to an identity monitoring service. Out of an abundance of caution, we also sent phishing alert emails to approximately 9 million customers and have provided support to them via a dedicated customer service team. Our customer experience continues to be a key priority and our wider IT transformation strategy focuses on optimising that experience.

“The nature of the attack meant that it took time for easyJet to identify whether, and if so to what extent, personal data had been affected. We could only inform relevant customers once the investigation had progressed enough that we were able to identify whether any individuals potentially been affected, then who had been affected or potentially affected, and what information had been accessed or potentially accessed.

“It is, of course, regrettable that this cyber-attack took place, but it does not mean that easyJet was at fault or that customers are entitled to compensation under the compensation provisions set out in the General Data Protection Regulation.”


Blackbaud’s statement said the cybercriminals who carried out the ransomware attack did not access credit card information, bank account information, or social security numbers. Blackbaud paid the cybercriminal’s demand with confirmation the copy of data they removed had been destroyed. It says it has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or made available publicly. Affected customers were notified and supplied with additional information.

Press Release