Which? calls for tougher penalties for firms who fail to prevent data breaches

Which? is calling for enforcement of tough penalties for firms that fail to prevent data breaches, such as the ones that hit British Airways, easyJet and Marriott.

The consumer champion says 46% of people whose data was stolen by hackers became victims of fraud.

Almost a quarter (23%) of 1,369 Which? members said they’d had their data compromised following a breach involving a company or organisation. Many said their mental health had been affected.

One was a British Airways’ customer who found out while in Thailand that his bank account and debit card had been frozen because of suspicious activity.

The customer suspects it was linked to BA’s data breach that hit 500,000 customers. However, BA described the incident as a ‘unique case’ and said there was no evidence the fraud was attributable to the cyber attack.

The client has joined a group action claim against the airline, but is yet to receive any redress.

Which? also heard from an easyJet customer who was disappointed that even though the company became aware of a huge data breach, affecting nine million customers in January 2020, the airline said that it was only able to start informing customers in April.

He feels the airline has taken no responsibility and is worried his data is out there, possibly being traded by criminals on the ‘dark web’.

Marriott hit the headlines this year for losing around 5.2 million people’s contact and personal information – its second data breach in three years.

The Information Commissioner’s Office announced its intention to fine BA £183 million for its 2018 breach and Marriott just under £100 million for losing around 339 million guest records. However, the deadlines to issue the fines were extended and both companies are expected to appeal. BA owner IAG released a report in June estimating the fine would be a much smaller €22 million.

Currently victims have limited options to seek redress when data breaches occur. Although under GDPR consumers have a right to claim compensation if they have suffered damage as a result of an organisation breaking data protection law, doing so isn’t always easy.

The ICO advises victims to take independent legal advice and to try to settle with the organisation first. If this fails, victims may be able to make a court claim – either independently or through a group action claim.

Which? is calling for the ICO to actually issue intended fines when organisations breach data protection law, otherwise firms may continue to treat customers, and their sensitive personal data, with disregard.

Which? also wants the government to implement provisions in the GDPR to allow not-for-profit organisations to bring collective redress action on behalf of consumers for breaches of data protection rules – without them having to opt-in to a group case or bring the case themselves.

Jenny Ross, Which? Money Editor, said: "We have to trust the companies we deal with to protect our details – and if things go wrong we need to know that businesses are held to account.

"We need the ICO to be a regulator with teeth that is prepared to step in and issue fines in the event of companies breaking data protection laws, to ensure more businesses better protect consumers from data breaches.

"Consumers should also have a much clearer route to redress when they suffer the financial and emotional toll of data breaches – and that’s why the government must allow for an opt-out collective redress regime that deals with mass data breaches."