Cyberattacks are often leading to major data breaches

(Image credit: Shutterstock)

Companies across the UK simply aren't doing enough to protect their customers from having their information stolen and sold on following a data breach, experts have warned.

Consumer watchdog Which? found that companies which had suffered a cyberattack often went on to be hit by data breaches or other leaks, putting customer data unacceptably at risk.

Almost half (46%) of people whose data was stolen by hackers then went on to experience fraud, the organisation found in a nationwide survey.

Data breach risk

Some of the UK's biggest names, including the likes of British Airways, Marriott and EasyJet, have suffered data breaches this year, meaning millions of users could potentially be at risk of fraud.

Under UK law, companies must report data breaches to the Information Commissioner's Office (ICO) or face a major fine, following the passing of GDPR back in 2018.

Which? says it wants the ICO to actually issue intended fines when organisations breach data protection law - otherwise it believes that firms may continue to treat customers, and their sensitive personal data, with "disregard".

“Whether we're shopping online, booking a holiday or signing up to a new mobile phone contract, we have to trust the companies we deal with to protect our details –  and if things go wrong we need to know that businesses are held to account," said Jenny Ross, Which? Money Editor.

“We need the ICO to be a regulator with teeth that is prepared to step in and issue fines in the event of companies breaking data protection laws, to ensure more businesses better protect consumers from data breaches."

“Consumers should also have a much clearer route to redress when they suffer the financial and emotional toll of data breaches – and that’s why the government must allow for an opt-out collective redress regime that deals with mass data breaches.”

Which? is also calling on the government to add extra rules into GDPR to allow not-for-profit organisations to bring collective redress action on behalf of consumers for breaches of data protection rules – without them having to opt-in to a group case or bring the case themselves. 

It says this would help to support and enforce the rights of consumers, making it easier for victims of data breaches to secure adequate redress, and create further incentives for businesses to improve their data processing mechanisms.

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.