
What Is a Data Breach? What It Means and What to Do

A data breach happens when information held by an organisation is accessed, stolen, or exposed without authorisation. It might be your email address and password, your name and home address, your payment card details, or in serious cases, your National Insurance number or medical records. Breaches happen to companies of all sizes — from major retailers and banks to small apps you signed up for years ago. Understanding what a data breach means for you, and knowing what steps to take, can significantly limit the damage.

What Gets Exposed in a Data Breach?

Different breaches expose different types of data depending on what the organisation stored. Common categories include:

  • Email addresses and passwords — the most common. If your password is exposed, any account using that same password is at risk.
  • Names and physical addresses — used for targeted phishing or identity fraud.
  • Phone numbers — used for SMS scams or SIM swap attacks.
  • Payment card details — if poorly encrypted, can be used for fraudulent purchases.
  • Government ID numbers — National Insurance numbers, passport details — used in more serious identity theft.
  • Medical records — sensitive and heavily regulated but occasionally exposed in healthcare breaches.

How Do Data Breaches Happen?

The most common causes of data breaches include:

  • Hacking and cyberattacks — attackers exploit vulnerabilities in software or infrastructure to access databases.
  • Phishing attacks on employees — staff at a company are tricked into handing over credentials, giving attackers inside access.
  • Weak or reused passwords — if an employee reuses a password that was exposed in an earlier breach, attackers can simply log in with those stolen credentials.
  • Unsecured databases — some breaches happen because data is accidentally left publicly accessible.
  • Third-party suppliers — companies often share data with suppliers whose security standards may be lower.

How Will You Know If You Are Affected?

There are several ways you might find out:

  • Direct notification from the company — under UK GDPR, organisations that suffer a breach must notify affected individuals if there is a risk to their rights and freedoms.
  • Media coverage — large breaches are frequently reported in the news.
  • Have I Been Pwned — a free tool at haveibeenpwned.com lets you check whether your email address has appeared in any known breach database. You can also sign up for automatic alerts.
  • Your password manager — tools like 1Password and Bitwarden have built-in breach monitoring.

Read our guide on how to check if your email or password has been leaked for a step-by-step walkthrough.

What to Do If Your Data Has Been Breached

1. Change your password on the affected service

Do this immediately, even if the breach happened some time ago. Use a strong, unique password you do not use anywhere else.

2. Change the same password everywhere else

If you reused that password on other sites, change it on all of them. Attackers routinely try breached credentials across popular services — a technique called credential stuffing.
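From the service operator's side, credential stuffing has a recognisable shape: one source tries a different username on almost every attempt, whereas a real user fumbles one account. The sliding-window detection below over constructed authentication log lines is an added example, not code from the article; the log format, addresses and usernames are invented.

```python
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username outcome". 203.0.113.7 sweeps
# many accounts with breached credentials (one of them works); 198.51.100.9 is a
# normal user who mistypes a password once. All values are made up.
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 bob FAIL
2024-03-01T10:00:03 203.0.113.7 carol OK
2024-03-01T10:00:04 203.0.113.7 dave FAIL
2024-03-01T10:00:05 203.0.113.7 erin FAIL
2024-03-01T10:00:06 203.0.113.7 frank FAIL
2024-03-01T10:00:10 198.51.100.9 grace FAIL
2024-03-01T10:00:15 198.51.100.9 grace OK
"""


def parse_auth_log(text: str) -> list:
    """Parse log lines into (timestamp, ip, user, outcome) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5) -> dict:
    """Return {ip: usernames} for sources that tried at least `min_users` distinct
    accounts inside any `window`. Successful logins count too: those are exactly
    the accounts a stuffing run has just taken over and that need a forced reset."""
    by_ip = {}
    for ts, ip, user, _ in events:
        by_ip.setdefault(ip, []).append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale attempts
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
    return flagged


if __name__ == "__main__":
    for ip, users in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, sorted(users))
```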

3. Enable two-factor authentication

Set up two-factor authentication on the affected account and any other important accounts. This means a stolen password alone is not enough to get in.

4. Monitor for suspicious activity

Keep an eye on your email, bank statements, and credit report for anything unusual. In the UK, you can check your credit report for free via Experian, Equifax, or TransUnion. Unexpected credit applications or accounts you did not open can be an early sign of identity fraud.

5. Report identity fraud if it occurs

If you believe your personal details have been used to commit fraud, contact Action Fraud at actionfraud.police.uk. If financial accounts are involved, contact your bank immediately.

What Are Your Rights After a Data Breach?

Under UK GDPR, you have the right to:

  • Be informed about a breach if it poses a risk to you
  • Access the personal data a company holds about you (Subject Access Request)
  • Request deletion of your data in certain circumstances
  • Complain to the Information Commissioner’s Office (ICO) at ico.org.uk if you believe your data has been mishandled

If a company fails to notify you of a breach that affected you, or if they handled your data negligently, you may be entitled to compensation.

How to Reduce Your Exposure Going Forward

The two most effective habits are using a password manager so every account has a unique password, and enabling two-factor authentication wherever it is available. Together, these two measures mean that even when a breach occurs — and it will — the impact on your other accounts is contained.
