Data Breaches

19 November 2025

Knowledge

GDPR

What is a data breach?

A data breach is a compromise of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to protected data.

A data breach can occur when personal information is mishandled, whether through carelessness, theft, or malicious intent. Once a data breach has occurred, individuals whose information has been compromised may be at risk of identity theft, fraud, or other malicious activity.

Organisations that suffer a data breach may also face legal action, reputational damage, and financial losses.

Since the GDPR (General Data Protection Regulation) came into force, all organisations are legally required to report certain types of personal data breach to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach.

43% of businesses have experienced a cyber security breach or attack in the past 12 months.1 It’s time to get serious about defending your data.

Data breaches at a glance

(98%) of businesses rely on some form of digital communication or service.
(43%) of businesses identified cyber security breaches or attacks in the last year
(£16.1k) the average cost of a data breach for a medium-sized business

What are the biggest data breaches?

Organisation	Number of compromised records	Date	What happened?
Yahoo	3 billion	December 2014	The web service provider suffered a colossal data breach after an employee fell victim to a phishing attack in early 2014.
Marriott Hotels	383 million	November 2018	Cyber criminals discovered a vulnerability in one of the hotel’s reservation systems, giving them access to a database containing names, payment card details and contact details of millions of customers.
Equifax	145.5 million	July 2017	Consumer credit company Equifax recorded $87.5 million in expenses and a 27% drop in net income after the personal data of 47.9 million of its users was compromised in what has arguably been the cyber security scandal of the decade.
Facebook	50 million	September 2018	The accounts of nearly 50 million users were exposed by a vulnerability in the social media giant’s “View as” function, allowing attackers to take over accounts and third-party platforms that used Facebook logins.
Dixons Carphone	10.2 million	July 2017	Shares in Dixons Carphone plummeted by as much as 6% after approximately 10 million records containing personal data were compromised in what was described as the “biggest online data breach in UK history”.
British Airways	500,000	September 2018	Criminal hackers injected malicious code into British Airways’ website, diverting traffic to a fraudulent replica site. Customers were then handing their information to fraudsters including login details, payment card information, address and travel booking information.
Wonga	270,000	June 2018	Described as “one of the biggest” breaches of financial information in the UK, information stolen from the controversial lender included account numbers, sort codes and the last four digits of customers’ card numbers.
Ticketmaster	40,000	April 2017	A lesson in the importance of supply-chain security: Ticketmaster discovered that a malware infection on a third-party support product was exfiltrating customer data to an unknown third party.

Why do data breaches happen?

Data breaches aren’t just the result of cyber attacks. There can be many other causes:

Weak and stolen credentials: Many websites use off-the-shelf software, applications, and plugins, which often contain vulnerabilities that can be exploited by criminal hackers.
Application vulnerabilities: Common website and web application security issues include potential for injection, privilege escalation and cross-site scripting.
Malware: Designed to disrupt and gain unauthorised access to a computer system, malware encompasses Trojans, social engineering, worms, viruses, and spyware.
Employee negligence: Human error accounted for 88% of incidents reported to the ICO in 2017/18.

How can data breaches be prevented?

Data breach prevention isn’t as simple as just installing antivirus software. Your ability to avoid a breach relies on three pillars: people, processes, and technology.

Start with your staff: Improving security training for employees is the best defence against cyber attacks. Find out how you can familiarise your staff with the basics of information security with our GDPR and Data Protection Act 2018 Staff Awareness E-learning Course.
Implement basic cyber security measures: Cyber Essentials is a framework that is suitable for small organisations and can help prevent up to 80 % of cyber attacks through the implementation of five basic controls.
Follow a proven information security framework: Implementing an ISMS (information security management system) provides a systematic approach to protecting and managing your organisation’s information through effective risk management and is a more comprehensive approach to information security than Cyber Essentials.
Tighten up your technology: All organisations should have the following technologies in place:
- Firewalls
- Intrusion prevention
- Switched networks
- Malware/ virus protection
- Log file consolidation
- System monitoring
- Single sign-on
- Data leakage prevention
- Spam filtering

How we can help you prepare for and respond to a data breach

GDPR notification requirements are complicated but complying with them needn’t be. Our Breach Management as a Service will help you respond quickly and effectively to a data breach to meet the Regulation’s 72-hour notification requirement.

Find out more

What makes us different.

We have an in-depth understanding of the GDPR’s requirements and how they can be met.
We provide a complete compliance support service to help your organisation achieve GDPR compliance.
Our specialist team has extensive data protection and information security management project expertise, both in the UK and internationally.
We provide a total cyber resilience solution, comprising books, toolkits, software, consultancy, penetration testing, training and audits.
We are the pioneer of ISO 27001, having led the world’s first successful implementation project.
Our vast technical expertise, combined with extensive experience implementing frameworks and standards across a broad range of industries and countries, means we are unrivalled in our depth and breadth of services.
We work with your organisation to tailor services that meet your budget and business objectives.

Cyber Security Breaches Survey 2018

Find out how we can help you prepare for and respond to a data breach

Frequently asked questions (FAQs)

What is a data breach?
A data breach is a security incident where personal or confidential information is accessed, disclosed or stolen without authorisation.

What is a personal data breach?
A personal data breach is a breach involving information that identifies an individual, such as names, addresses or health data.

What constitutes a data breach?
A data breach occurs when data is accidentally or unlawfully destroyed, lost, altered, accessed or disclosed to unauthorised people.

What is an integrity data breach?
An integrity breach is when data is altered or corrupted without permission, making it inaccurate or unreliable.

Who enforces UK data breach laws?
In the UK, the Information Commissioner’s Office (ICO) enforces data breach laws, investigates incidents and issues fines where necessary.

How long do you have to report a data breach?
Organisations must report a personal data breach to the ICO within 72 hours of discovery, unless the breach is unlikely to risk individuals’ rights.

Can an individual be held responsible for a data breach?
Yes. Employees can be personally accountable if they act negligently or maliciously. However, ultimate responsibility lies with the organisation as data controller.

Back to resources