Learn About The Top 10 Biggest Data Breaches In The UK

This article takes a close look at the top 10 biggest data breaches in the UK, as of July 2024. Personal information falling into the hands of unauthorised or malicious individuals can seriously damage the lives of people it affects, but it happens on a regular basis.

In this piece, you’ll learn about multiple cases with a widely felt impact. Some cases involve an organisation being hit by a cyber attack they could not have reasonably prevented. However, some instances represented a failure on the organisation’s part that allowed a data breach to occur.

In case you’re wondering, a personal data breach is a security breach that affects the confidentiality, integrity or availability of information that can be used to identify a person. This definition comes from the UK’s data protection watchdog, the Information Commissioner’s Office (ICO).

With that in mind, continue reading to learn more about these high-profile data breaches and the action taken by the ICO afterwards.

Also, you’ll see in some of these cases that affected individuals were able to seek compensation. If you have a valid claim for a data breach, our expert solicitors can help. If you want to learn more, either:


What Are The Top 10 Biggest Data Breaches In The UK?

The ten cases we’ve reviewed for this article impacted a varying number of people, ranging from the tens of thousands to the tens of millions. They show different ways in which a breach of data protection can happen and highlight how it’s possible for an organisation to be penalised for insufficient cyber security.

At any point, please don’t hesitate to call the number above if you have any questions or want to discuss your own experience of a data breach.

Dixons Carphone

The top data breach in terms of affected personal records relates to Dixons Carphone, which was absorbed by Currys in 2021. Before then, at least 14 million people saw their personal data compromised due to an attacker installing malicious software on tills in July 2017.

The software went undiscovered for nine months, with the breach of security leading to the attacker capturing payment card information belonging to 5.6 million customers. The compromised data also included names, postcodes, email addresses and details of failed credit checks.

Dixons Carphone was criticised by the ICO for “multiple, systemic and serious inadequacies”. Among its noted failures were taking insufficient steps to protect passwords and failing to detect the security breach for as long as it did.

The ICO fined Dixons Carphone £500,000, the maximum amount possible.

Resource: https://www.theguardian.com/business/2020/jan/09/dixons-carphone-fined-500000-for-massive-data-breach

Equifax

Equifax is a multinational credit reporting agency. In 2017, it was involved in one of the biggest data breaches ever recorded in the UK.

A criminal cyber attack on Equifax’s American parent company meant that hackers gained unauthorised access to 15.2 million UK records. This included sensitive information affecting nearly 700,000 clients. 

However, it was later revealed by the Financial Conduct Authority (FCA), a financial watchdog, that there were around 13.8 million affected customers.

Equifax was found to have failed to address known issues when sharing customer data with its parent company. The breach stemmed from a failure to install security updates in a timely fashion, allowing the criminals to exploit a weakness in Equifax’s security framework. As a result, customers’ personal details and financial data were put at risk.

As well as receiving a £500,000 ICO fine, Equifax were ordered to pay a £15,949,200 fine to the FCA, though the figure was reduced to £11 million because of the company’s co-operation.

Resources: https://www.reuters.com/article/us-equifax-cyber-idUSKBN1CF2JU/, https://www.bbc.co.uk/news/business-41192163

Easyjet

Budget airline Easyjet was targeted by what was called a “highly sophisticated” cyber attack in January 2020. 

The company notified the ICO and the National Cyber Security Centre (NCSC), the UK’s technical authority for cyber threats, of the attack. However, they came under fire for not disclosing their discovery for four months.

The 2,208 customers whose credit card details were unlawfully accessed were notified in April 2020. In May, Easyjet admitted that the email addresses of around nine million customers were stolen.

Resource: https://www.bbc.co.uk/news/technology-52722626

The National Health Service (NHS)

The NHS is trusted with some of the largest collections of personal data held by any organisation in this country. While the NHS as a whole has not faced one of the top 10 biggest data breaches in the UK, a spate of incidents across local trusts between 2010 and 2012 combined to form one of the biggest recorded breaches in the UK healthcare service.

The causes of such medical data breaches ranged from human error to stolen data. These cases all led to an ICO fine:

  • An individual working for IT services at Brighton and Sussex University Hospitals NHS Trust was instructed to destroy around 1,000 hard drives containing personal data. Instead, at least 252 were taken, with some being sold online. The £325,000 fine handed to the Trust was a record figure for the ICO at the time.
  • NHS Surrey was involved in the second of two data breaches caused by the sale of hardware. A second-hand computer was sold online, but the information on it had not been properly disposed of. The Trust was fined £200,000 because the sensitive data of over 3,000 patients was exposed.
  • Torbay Care Trust received a fine of £175,000 after sensitive information belonging to 1,373 staff members was accidentally published on its website and made publicly available.
  • Sensitive patient information and staff records were found among documents left abandoned in a disused hospital. Thieves accessed the files and shared some of the exposed data online. As a result, the Belfast Health Trust was given a £225,000 fine.
  • Personal health information and other patient data was faxed to the wrong person 45 times in three months. The incident, which affected 59 patients, led to a £90,000 fine for the Central London Community Healthcare NHS Trust.

Resources: https://www.bbc.co.uk/news/uk-england-sussex-18293565, https://www.bbc.co.uk/news/technology-23286231, https://www.bbc.co.uk/news/uk-england-devon-19150290, https://www.bbc.co.uk/news/uk-northern-ireland-18497161, https://www.bbc.co.uk/news/uk-england-london-18145350


Virgin Media

Broadband provider Virgin Media suffered a data breach of its own making in 2019 and 2020. Due to what it claims was one staff member’s failure to follow proper procedures, data relating to 900,000 customers was left unsecured for ten months.

It led to at least one person gaining unauthorised access to information including names, email and home addresses, and contact numbers. Virgin Media only became aware when cyber security experts discovered and then reported the data breach to them.

Resource: https://www.bbc.co.uk/news/business-51760510

JD Wetherspoon

An attack on national pub chain JD Wetherspoon’s computer systems meant that hackers gained access to customers’ financial details. The data breach affected card information belonging to 100 customers who had purchased vouchers online. However, JD Wetherspoon was quick to point out that card numbers and security numbers (CVVs), which would be needed for identity theft to be possible, were not held in the affected database.

Overall, the data breach affected more than 650,000 people. Customers who did not have their card data breached saw names, email addresses, phone numbers and dates of birth stolen.

The incident, which occurred in June 2015, was not discovered until December that year. The personal data that had been accessed was stored by a third party. 

Resource: https://www.bbc.co.uk/news/uk-35002951

British Airways

Another company that had its customers’ financial information accessed unlawfully was British Airways (BA). In June 2018, cyber attackers gained access to the airline’s computer system using compromised employee login credentials.

They were able to manipulate BA’s systems so that when customers entered card details online, a copy of the information was redirected to a website under their control. As a result, the attackers had access to customer passwords, bank account numbers and card information.

BA’s security team shut down the malicious activity in September 2018.

A total of 429,612 individuals were affected by the cyber attack. Of that number, more than 300,000 had their card number and CVV accessed by the attackers.

The ICO found that BA had failed to fully comply with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR), two key pieces of data protection law.

While the ICO originally intended to impose a penalty of £183.39m, it eventually fined BA £20m. This figure still represents the biggest fine it has ever handed out (as of April 2024).

Resources: https://www.bbc.co.uk/news/technology-54568784, https://www.bbc.co.uk/news/technology-45446529


Wonga

Until it fell into administration and was dissolved, Wonga gained infamy as a payday loan company. In 2017, it was hit by a data breach that affected 245,000 UK customers.

The loans firm reported at the time that it was investigating illegal and unauthorised access to its systems. However, it was not clear how the breach had occurred.

Customer bank account numbers and sort codes were affected, along with contact and address information.

Resource: https://www.bbc.co.uk/news/business-39544762

Three Mobile UK

In 2016, fraudsters gained access to Three Mobile’s upgrade database illegally. Their reported aim was to steal devices by upgrading customers and intercepting their order before it reached its intended destination.

As a result of the attack on Three’s security framework, eight customers received fraudulent upgrades. Although Three acted to protect their computer systems, it is said that 133,827 customer accounts were breached.

The attackers were able to access personal information, but no financial data was compromised.

A second data breach involving Three occurred the following year, in which customers were able to see other people’s names, phone numbers and call histories.

Resources: https://www.bbc.co.uk/news/business-38030498, https://www.theguardian.com/business/2017/mar/20/three-mobile-possible-data-breach-data-usage-call-history

TalkTalk

Rounding off the top 10 biggest data breaches in the UK is an incident that affected telecommunications provider TalkTalk in 2015.

At the time, it was among the biggest data breaches seen in the UK. A cyber attack resulted in 156,959 customers’ personal data being accessed. Additionally, the hackers were able to steal 15,656 bank account numbers and sort codes.

The ICO investigated and found that TalkTalk had failed to take appropriate measures to secure webpages. The database software it used to protect them was outdated and easily bypassed by the hackers. Furthermore, TalkTalk had already been subject to two identical cyber attacks in the same year, but didn’t take any action.

Because of TalkTalk’s failure to protect its customers’ data, the ICO handed down a then record fine of £400,000.

Resource: https://www.bbc.co.uk/news/business-37565367


Read More About Data Breaches

Have you been affected by a personal data breach? If an organisation’s failings have led to sensitive information being compromised, you may have the right to claim compensation for any distress or financial loss it caused. Learn more about how our No Win No Fee data breach solicitors can provide expert guidance by calling 0330 0434072 or contacting us through our web form.

You can also find out more about data breach claims by reading these guides:

These sites provide some additional insight:

Thank you for reading through our look at the top 10 biggest data breaches in the UK. Remember, you can contact us today for free and clear guidance on data breach compensation claims.