Do I have rights if a company's data breach led to me being scammed?
Yes — if a company failed to protect your personal data and that failure led to fraud against you, you may have a claim for damages under data protection law, depending on the nature of the breach and whether it caused you identifiable harm.
Last reviewed: 10 June 2026
Explanation
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, organisations holding your personal data have legal obligations to protect it. If they fail to implement adequate security measures and your data is exposed in a breach that subsequently enables fraudsters to target you, you may have a right to compensation for the material or non-material damage you suffered.
The Information Commissioner's Office (ICO) in the UK investigates data protection breaches. You can make a complaint to the ICO, which can investigate and issue enforcement action and fines against the company — though the ICO does not award individual compensation directly.
For individual compensation, you would need to bring a civil claim against the company, either in the county court or potentially through a group litigation order if many people were affected. You must show that the data breach occurred, the company was responsible, and that you suffered identifiable damage as a result of the breach.
This is general information only. Data breach claims are legally complex and causation between a breach and subsequent fraud can be difficult to establish. Consult a data protection solicitor if you believe you have a claim.
Common red flags
- A company notified you of a data breach involving your personal or financial information
- You received targeted phishing emails shortly after a data breach from a company you use
- Your identity was misused and the data used could only have come from a specific source
- The company failed to notify you of a breach within the required 72-hour window
What to do now
- Raise a complaint directly with the company and request details of what data was exposed
- Report the breach to the ICO (UK) or relevant data protection authority
- Document any fraud or loss that occurred following the breach
- Consult a data protection or consumer law solicitor about a compensation claim
- Monitor your credit file for signs of identity fraud following the breach
- Change passwords for any accounts using the same credentials as the breached service
Frequently asked questions
Can I claim compensation without proving I actually lost money?
Under UK GDPR, compensation can be claimed for non-material damage including distress, anxiety, and loss of control over personal data — not just financial loss. However, courts require identifiable harm. A purely technical breach with no discernible impact on you would be harder to base a claim on.
What is the ICO and can it get me compensation?
The ICO is the UK's data protection regulator. It investigates breaches and can take enforcement action against companies, but it does not award individual compensation. For compensation you need to pursue a civil claim separately, though an ICO finding against a company strengthens your civil case.