What Are My Rights After A Credit Card Data Breach?

Welcome to our guide to claiming for a credit card data breach. When you take out a new credit card, you may skip through all of the terms and conditions before clicking the apply button. However, they are important because, amongst other things, they could explain how the card provider will use your personal information. The reason they should tell you about how your information will be used is because of the General Data Protection Regulation (GDPR). Since its implementation, the GDPR has provided individuals (the data subject) with extra control over how their data is processed. In this article, we will look at the possible harm that could result from a credit card data breach. Furthermore, we will show you when you could claim compensation for any suffering and how much you might be paid.

I Suffered After A Credit Card Data Breach, What Are My Rights?

To begin your claim, you might want to call our advisors, available 24/7. They supply free legal advice and can review your case on a no-obligation basis. If you decide to continue, we could partner you with a data breach solicitor from our team. If they decide to represent you, they will conduct your claim on a No Win No Fee basis. By working in this way, you should find that your claim is not too stressful because your financial risk is lowered.

If you want to find out whether you have the grounds to be compensated, why not call today? Our advisors can be reached on 0800 073 8801. During your call, we will answer any questions you need to ask and explain your options. If you would like more details about data breaches relating to credit and debit cards, please continue reading.

A Guide On Credit Card Data Breach Claims

Like other businesses, credit card providers have moved more and more of their operations online. As a result, there is an extra requirement to protect the personal data they process. If they don’t and your financial or personal details are leaked, you could suffer serious problems. To help prevent data breaches, the Data Protection Act 2018 was implemented alongside the GDPR.

Since these new laws came into effect, there must now be a lawful basis before any company (the data controller) can process personal information about you. In some cases, the lawful basis can be formed by telling you how your information is going to be used and also by seeking your permission.

If a credit card company fails to uphold data protection standards, they could find the Information Commissioner’s Office (ICO) at their door. The ICO might decide to:

  • Investigate data breaches.
  • Fine organisations found to have broken data protection laws.

However, they aren’t able to compensate you if you’ve been harmed due to a GDPR data breach. For that reason, we have written this article on claiming for the harm caused by a credit card data breach.

When claiming compensation following a data breach, you will need to stick to the current time limits as per the Limitation Act 1980. In most cases, that is a 6-year period. You might want to check that amount of time applies in your case though. That’s because, if your claim is based on a human rights breach, you’ll only get 1 year to claim.

When you are ready to start a claim, or if you have any questions after reading this guide, please get in touch with our team. You’ll receive free legal advice whether you make a claim or not.

Financial Data A Credit Card Company Could Hold About You

When you sign your credit agreement with your card provider, you will need to supply a lot of personal information. This information can be retained to manage your account. It could also be added to while you remain a customer. So what information could a credit card company hold about you? Well, it might include:

  • Your full name.
  • Credit card number.
  • Telephone or mobile number.
  • Home address.
  • Email address.
  • Previous addresses.
  • Website credentials.
  • Credit history.
  • Transaction history.
  • Missed payment history.

A lot of the information listed here is protected by the GDPR. That’s because it could help to identify you. If this type of information was to be leaked accidentally, it might be embarrassing or cause you to become anxious. Furthermore, if it were to be stolen by criminals, they could use it in crimes that could cost you money.

As well as protecting this type of information about you, your credit card company is not allowed to share it with others without your permission. Therefore, if you were to be contacted by a company because they’d been given your details by your card provider, then a breach may have happened.

What Is A Credit Card Data Breach Claim Against A Credit Card Company?

The ICO website provides the full definition of a personal data breach. It explains that they happen when a security incident leads to the unlawful or accidental loss, destruction, alteration, unauthorised access or disclosure of personal data. It goes on to explain that deliberate and accidental actions can lead to breaches and they cover more than just personal data loss.

You may have read about cybersecurity incidents that cause data breaches these days. They include criminal activities that begin with keyloggers, firewall exploits, ransomware and viruses. However, all types of data containing personal information are covered by the new data protection legislation. For example, paperwork recording personal details in a personnel filing cabinet has to be secured too.

Here are some examples of where a credit card data breach could happen. However, remember that you could only claim if the breach exposed your data and caused you to suffer financially, psychologically or both:

  • If your card statement is sent out to the wrong customer.
  • Where the credit card provider’s website is accessed, exposing your account details, due to insufficient security measures.
  • Where somebody is able to get information about your account over the phone because the operator failed to identify them correctly.

If you are interested in making a credit card data breach claim, please get in contact with our team today.

What Should A Credit Card Provider Do If They Have A Data Breach?

Companies should have an action plan in place so that they know what to do in the event of a breach. The actions that they should take if a data breach occurs include:

  • Initiating an investigation to find out what has happened.
  • Contacting the ICO to let them know about the breach and the investigation (if it’s reportable).
  • Contacting customers whose data was exposed by the breach if it puts them at risk.

A letter or email should be sent to you without undue delay if your data was affected by a breach. Importantly, that letter may be used as evidence to help prove that the breach happened should you decide to claim. However, that’s just one part of the claim. To be eligible to claim compensation, some form of suffering will also have to be proven.

Examples Of Credit Card Data Breaches

The ICO has a range of tools including enforcement and financial penalties at its disposal. Any action it takes is recorded on its recent action database. At the time of writing, there weren’t any recent fines relating to credit card companies listed. Therefore, we’re going to take a look at enforcement action the ICO took against Experian instead.

Following a 2-year process, the ICO investigated Experian and other credit reference agencies in relation to credit brokering services. They found that the lawful basis was used incorrectly for processing users’ data and that privacy information wasn’t clear enough.

While Experian did improve its practices, the ICO report says that they did not go far enough. Therefore enforcement action has been issued to make them change their procedures within 9 months or face further action.

Report: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-takes-enforcement-action-against-experian-after-data-broking-investigation/

When Could You Have The Right To Claim For A Data Breach?

Under the GDPR, data subjects have a number of rights. They are:

  1. A right to be informed about data use.
  2. The right of access.
  3. The right to ask for errors to be rectified.
  4. A right to request the erasure of personal information.
  5. The right to restrict the processing of your personal data.
  6. A right to data portability. This means being able to obtain and use your data.
  7. The right to object to your data being used.
  8. Rights concerning profiling and automated decision making based on your data.

There is a lot more to these rights than we are able to list here. Therefore, if you would like more details about your data protection rights, please visit this ICO webpage.

What Evidence Could Support Your Claim For A Data Protection Breach?

When seeking compensation, it is important that you are able to demonstrate how you have been affected. To do this you will need to supply evidence. In data breach claims, that could take the form of:

  • Proof of financial losses. This could come from bank statements, credit card statements or other financial documents.
  • Evidence that the breach took place. As part of any data breach investigation, data subjects must be contacted if they are put at risk. Therefore, that letter or email could be used as evidence. Failing that, an ICO investigation could be requested.
  • Medical evidence. To prove that you have suffered in the way that you claim you have, evidence is needed. This could be in the form of medical records and a report following a medical assessment. If you could prove psychological injuries resulted from a breach, you could claim.

Our advisors can review your evidence for you to see if you have the grounds to continue. If it appears that you do, they’ll advise you of the process and could pass your claim to one of our data breach lawyers.

Calculating Compensation For A Credit Card Data Breach

In this part of our guide, we are going to move on to look at how much compensation might be paid following a credit card data breach. Specifically, we are going to cover claims for psychiatric injuries resulting from anxiety, distress and similar conditions. Although we have supplied example amounts here, you could be given a more detailed estimate after your claim has been assessed.

First of all, let’s look at a data breach case at the Court of Appeal. In the hearing of Vidal-Hall and others v Google Inc [2015], two important rules were established. They were that:

  1. It is permissible for claims to be made for injuries that result from data breaches without a financial losses claim.
  2. If compensation is paid for psychological harm, it should be set at levels seen in personal injury cases.

Our table, therefore, contains compensation figures from the Judicial College Guidelines. This is something legal professionals may use when setting compensation amounts for personal injuries.

Claim Type | Severity | Compensation Bracket
PTSD Claims | Severe | £56,180 to £94,470
PTSD Claims | Moderately Severe | £21,730 to £56,180
PTSD Claims | Moderate | £7,680 to £21,730
PTSD Claims | Less Severe | £3,710 to £7,680
Psychiatric Damage Claims | Severe | £51,460 to £108,620
Psychiatric Damage Claims | Moderately Severe | £17,900 to £51,460
Psychiatric Damage Claims | Moderate | £5,500 to £17,900
Psychiatric Damage Claims | Less Severe | Up to £5,500

Importantly, to achieve the correct settlement amount, you will need to show and prove the severity of your injuries. Therefore, you should attend a medical assessment as part of your claim. If you work with a data breach solicitor from our team, they’ll try to book this locally.

Your assessment would be carried out by an independent expert. They’d ask several questions about the impact of the data breach and also look through your medical notes (if available). After they have finished, a report will be compiled for your solicitor. This will detail any injuries you’ve sustained as well as your future prognosis.

Types Of Non-Material And Material Damages Which Could Be Claimed

As you are only allowed to make a single compensation claim for each case, it is important to consider how you have suffered already and whether you could continue to do so in the future. We’ll look at this more in this section.

Claims for suffering resulting from data breaches are generally split into two. The first part, material damages, covers the financial side of things. Initially, you’d look at expenses, losses and costs that have already been sustained. Then you might need to consider future losses as well. For example, where your credit card details have been shared online, you could sustain additional losses until all of your accounts have been blocked.

Non-material damages focus on the injuries you’ve sustained following a data breach. Again, you should first look at conditions that have previously been diagnosed. This could include suffering resulting from data breach distress, anxiety or depression. After that, you might have to factor in any longer-term suffering that is brought up in your medical report. This could include conditions like Post-Traumatic Stress Disorder (PTSD).

As you can see, there is a lot to prove when making your claim. That’s the reason we advise having a specialist data breach solicitor on your side. If your case is accepted by one of our data breach solicitors, you could benefit from their legal training and experience. To try and ensure you are compensated fairly, they’d thoroughly review your claim with you so that they fully understand the ways in which you have suffered.

Credit Card Data Breach Claims With A No Win No Fee Solicitor

Working with our team of data breach solicitors could make the claim far less stressful. That’s because if your case is accepted, you’ll benefit from a No Win No Fee service. As a result, you won’t need to worry about losing money for the solicitor’s fees if the claim doesn’t work out.

At the start, a solicitor will need to check if your claim is suitable to proceed. If they agree to take you on as a client, you’ll be given a Conditional Fee Agreement (CFA) to read. This explains what your solicitor needs to do before they will be paid. It will also show you that:

  • No money needs to be paid for the solicitor’s work upfront.
  • You don’t need to cover any solicitor’s fees as the case progresses.
  • If the claim doesn’t work out, you’re not liable to pay your solicitor’s fees at all.

Should there be a positive result in your case, meaning you are compensated, you will have a success fee deducted from your settlement. This is a percentage of your damages used to cover the solicitor’s efforts. So that you know how much you’ll pay, the success fee (which is capped) is listed in the CFA.

To learn whether your claim is suitable for a No Win No Fee service, please contact our team today.

Talk To Our Team

We are fast approaching the end of this article on credit card provider data breaches. Hopefully, our information has proven helpful and you know what you want to do next. If you’re interested in claiming, please get in touch with our team by:

We will support you throughout the claims process and won’t offer false hope if your claim isn’t suitable. If it does appear to be strong enough, we could refer you to a data breach lawyer from our team who will act on a No Win No Fee basis if they accept your case.

Frequently Asked Questions About The GDPR

To support you further, we have answered some common GDPR data breach claim questions in this section. If you would like to know more, please get in touch today.

How do I know if I suffered a data breach?

According to the GDPR, you must be informed by the data controller if your personal data is exposed in a breach. That means you should receive an email or letter explaining what has happened.

What is the data breach claim time limit?

Most data breach claims can be made within a 6-year time limit. If the case is based on a human rights breach, you may only have 1 year to claim.

How long will my data breach claim take?

The time it takes to finalise a data breach claim will vary. Where the defendant admits liability early on, the case could be over in a matter of months. Cases that require an ICO investigation, for instance, might take considerably longer.

What Other Credit Card Data Breach Incidents Have Happened?

Not all credit card data breach incidents are the fault of the credit card provider. If another organisation breaches your personal data, this could lead to your credit card details being exposed. This could leave you open to becoming a victim of credit card fraud or theft. Some examples of other credit card data breach incidents include:

The Marriott Data Breach

In 2018, a huge data breach involving hotel chain Marriott was discovered. It was reported that up to 500 million people’s personal information could have been breached. Some of the information that may have been exposed, although it was encrypted, was credit card details and expiry dates.

The Vision Direct Data Breach

Up to 6600 Vision Direct customers may have had their personal data breached. The information that was breached could have included credit card details including CVC codes. While the breach only affected customers that logged into the portal within a specified space of time, the breach could still significantly impact those whose data has been exposed.

Source: https://www.computerworld.com/article/3412255/the-most-significant-data-breaches-in-the-uk.html#slide17

How Common Are Data Breaches In the Financial Sector?

According to the Information Commissioner’s Office, during the period of Q1 2021-22, there were a total of 259 incidents reported in the Finance, Insurance and Credit Sector. You can see how this compares to other sectors below.


The causes of these data breaches were mixed, with some relating to cyber security incidents and others that were non-cyber related. While many other sectors have reported more non-cyber incidents than those related to cyber security, the financial sector has similar numbers in both categories. Remember though, to make a claim, you’d need to prove that the data breach happened because the company acted wrongfully. You would also have to prove your data was exposed and you suffered harm from it.

Related Guides

Thank you for reading our article on credit card data breaches. In our final section, we have supplied a few more articles that might come in handy. Should you need anything further, please call our advisors.

The Financial Conduct Authority: The FCA regulates over 60,000 financial service providers in the UK.

About Anxiety: Information on the physical and psychological symptoms of anxiety.

Data Protection Officers: Details of the role played by data protection officers in organisations.

Finally, you will find a few more of our articles listed below for your reference.

Medical Data Breach: Details about how to claim if you suffer following a medical data breach.

GP Surgery Data Breach: Advice on your rights if you suffer because of your GP’s data breach.

Dismissed While Off With Stress: Data breaches can lead to stress. Here, we provide information on what to do if you’re sacked while off work stressed.

Thank you for reading our guide to making a credit card data breach claim.

Guide by BH

Edited by RV