Calls for tougher penalties on firms that leak user data as nearly half suffer fraud
Consumer firm Which? has called for tough penalties for firms that fail to prevent data breaches, after research showed that nearly half of those who lose data in such cases later experience fraud.
When data breaches occur, the stolen information is often made available on the dark web for cyber criminals to purchase.
Key information such as passwords or credit card and bank details can be bought, and other personal details can be used to pose more convincingly as victims’ banks and other trusted organisations.
With the majority of cyber crime financially motivated, victims risk losing considerable sums of cash.
In a survey of more than 1,300 Which? members, almost half (46 per cent) of people whose data was stolen by hackers said they later experienced fraud.
This was out of around a quarter (23 per cent) of 1,369 Which? members who said they’d had their data compromised following a breach involving a company or organisation.
Following the start of coronavirus lockdowns in March, financial losses from cyber crime reportedly skyrocketed by 72 per cent as criminals took advantage of the shift to home working.
Which? also heard from people who said that they’d not only lost money but seen their mental health impacted in the aftermath of being involved in a data breach. These victims have also struggled to get any form of redress from the companies that failed to protect their personal data.
As part of its investigation, Which? asked its members to submit their email addresses to haveibeenpwned.com, a website that tells you if your email address has been involved in a data breach.
Which? had 515 members take part, submitting a total of 610 email addresses. It was revealed that 79 per cent had experienced at least one breach. Of those, the average number of breaches per email address was 3.7. One address had been in 19 breaches.
Despite all of this, Which? said, the ramifications for firms that fail to protect their customers’ data are limited. The ICO announced its intention to fine BA £183m for its 2018 breach and Marriott just under £100m for losing around 339 million guest records.
Jenny Ross, Which? Money Editor, said: “Whether we’re shopping online, booking a holiday or signing up to a new mobile phone contract, we have to trust the companies we deal with to protect our details – and if things go wrong we need to know that businesses are held to account.
“We need the ICO to be a regulator with teeth that is prepared to step in and issue fines in the event of companies breaking data protection laws, to ensure more businesses better protect consumers from data breaches.
“Consumers should also have a much clearer route to redress when they suffer the financial and emotional toll of data breaches – and that’s why the government must allow for an opt-out collective redress regime that deals with mass data breaches.”