Last Updated 20th January 2026. Data protection breach examples include a range of accidental and intentional incidents, such as cyberattacks (e.g., ransomware), the theft of documents or devices, failures to update security software, and personal information being sent to the wrong postal or email address. These breaches can result in personal data being lost, altered, accessed, unlawfully destroyed, or disclosed without authorisation. If you have experienced psychiatric or financial harm (or both) as a result of your personal information being compromised, you may be able to pursue data breach compensation.
To ask further questions or to get a free eligibility check, contact our advisory team today using the details provided here:
Select A Section
- What Is The Definition Of A Data Breach And When Could I Claim?
- Data Protection Breach Examples In The UK
- How Soon Should Data Breaches Be Reported?
- Data Breach Compensation Examples
- Data Protection Breach Claims With A No Win No Fee Solicitor
What Is The Definition Of A Data Breach And When Could I Claim?
A personal data breach can be defined as a security incident that affects the confidentiality, availability, or integrity of personal data. Data breaches can be accidental or deliberate.
Personal data refers to information that can directly identify someone or identify them if combined with other information. Examples of personal data can include your name, home address, date of birth and your email address.
The collection and processing of personal data is handled by data controllers and data processors. Data controllers decide why and how your personal information is processed. Data processors then carry out the task of processing this personal data on behalf of a data controller. Under legislation including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), data controllers and processors must follow certain procedures when collecting or managing personal data.
It may be possible for you to claim personal data breach compensation if you can establish the following:
- There was a failure on the part of the data controller or processor to uphold their responsibilities as per the DPA and UK GDPR.
- A breach compromising your personal data occurred as a result of their failings.
- The breach of your personal information caused you to experience financial loss and/or mental harm.
To learn more about UK GDPR breach examples, read on. Or, contact our team of expert advisors to learn more about data protection breach examples and when you could make a claim.
Data Protection Breach Examples In The UK
Below, you’ll see 5 recent data protection breach examples in the UK and how the ICO responded to them.
LastPass UK Ltd – Major Data Breach & £1.2m ICO Fine
LastPass UK, a password management service, was fined £1.2 million in 2022 for a massive data breach affecting upwards of 1.6 million of its users in the UK. The ICO determined in December 2025 that LastPass failed to implement appropriate security measures on its backup data, enabling unauthorised access to names, phone numbers, and other records.
Source: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/12/password-manager-provider-fined/
23andMe Fined £2.31 Million For Data Protection Failures
Genetic testing provider 23andMe was fined £2.31 million after an ICO investigation found a failure to maintain appropriate controls for accessing and downloading raw genetic data prior to a 2023 data breach. The ICO noted that 155,592 UK residents were affected, and that the breach may have revealed names, ethnicities, and health reports, among other personal information.
Source: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/23andme-fined-for-failing-to-protect-uk-users-genetic-data/
Cyber Attack On Kensington And Chelsea/Westminster City Councils
Westminster City, Hammersmith and Fulham, and Kensington and Chelsea councils were subject to similar cyber attacks in November 2025. This affected IT systems shared between the councils, potentially compromising the personal information of hundreds of thousands of individuals.
Source: https://www.bbc.co.uk/news/articles/ce3knggd1lwo
Source: https://www.bbc.co.uk/news/articles/cdxwygkqrx0o
Capita Fined £14 Million For 2023 Breach Affecting Millions (Oct 2025)
The 2023 Capita data breach was one of the largest in UK history, impacting millions of customers and staff. Capita is a professional services giant headquartered in the UK that processes data for multiple large companies and public sector clients. The ICO imposed a £14 million fine after inadequate data security led to the compromise of personal information for 6.6 million people in a March 2023 cyber attack.
Source: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/10/capita-fined-14m-for-data-breach-affecting-over-6m-people/
Lloyds Banking Group Under ICO Scrutiny (January 2026)
The ICO confirmed in January 2026 that it was making inquiries into Lloyds Banking Group regarding allegations that it accessed personal data belonging to 30,000 staff members during union pay talks in 2025. It is alleged that Lloyds used this data without a legal basis during internal pay negotiations.
Source: https://www.theguardian.com/business/2026/jan/13/lloyds-banking-group-staff-data-pay-talks-ico-accounts
To find out about claiming in your particular circumstances, speak to one of our friendly advisors today. You can get a free eligibility consultation to quickly determine if you could pursue compensation.
How Soon Should Data Breaches Be Reported?
If a personal data breach risks your rights and freedoms, the organisation should notify you within 72 hours of becoming aware of the data breach. The data breach notification can be used as evidence if you choose to claim compensation.
In addition, one of the organisation’s data protection officers (or relevant party) should inform the ICO of the data breach as soon as possible. The Information Commissioner’s Office may fine the organisation for breaching personal data.
However, if the data breach isn’t notifiable, the organisation doesn’t have to inform you or the ICO.
How Long Do I Have To Claim Following A Breach Of Data?
Before we discuss examples of how a data breach could happen, it is important that you understand what the limitation period is. This refers to the time you have to take action after you suffer a psychological injury or financial harm from a breach of your data.
However, the time limit for data breach claims differs from the limitation period for personal injury claims under the Limitation Act 1980. Instead, you generally have 6 years from the date of the breach to begin your claim if it involves a private organisation.
Get in touch if you would like a data protection solicitor from our panel to assist you during the claims process. They’ll ensure your claim is submitted in a timely manner. Alternatively, continue reading to see some UK GDPR breach examples.
Data Breach Compensation Examples
You may wish to know more about compensation for a data breach claim. Article 82 of the UK GDPR sets out the eligibility criteria. You must be able to prove that you suffered damage, either material or non-material, due to the compromise of your personal data. Additionally, you must be able to prove that the data controller or processor did not adhere to the data protection legislation in place.
Non-Material Damage
If the compromise of your personal data caused psychological distress or made existing mental health problems worse, you could claim for non-material damage. This is the psychological harm you suffered because of the breach.
To help assign value to this suffering, legal professionals may use a document called the Judicial College Guidelines (JCG). Its suggested brackets of compensation cover many kinds of harm, including psychological damage. As there are many variables that can impact your claim, we have only provided it as guidance to help you understand how mental health damage could be valued.
Compensation Table
Please be aware that the top entry in this table is not a JCG figure.
| Type of Harm | Severity | Guideline |
|---|---|---|
| Very Serious Psychological Distress with Material Damage | Very Serious | Up to £500,000 and above |
| General Psychiatric Harm | Severe (a) | £66,920 to £141,240 |
| General Psychiatric Harm | Moderately Severe (b) | £23,270 to £66,920 |
| General Psychiatric Harm | Moderate (c) | £7,150 to £23,270 |
| General Psychiatric Harm | Less Severe (d) | £1,880 to £7,150 |
| Post-Traumatic Stress Disorder | Severe (a) | £73,050 to £122,850 |
| Post-Traumatic Stress Disorder | Moderately Severe (b) | £28,250 to £73,050 |
| Post-Traumatic Stress Disorder | Moderate (c) | £9,980 to £28,250 |
| Post-Traumatic Stress Disorder | Less Severe (d) | £4,820 to £9,980 |
Material Damage
If the compromise of your personal data caused you financial losses, a payout for this could also be included in your data breach compensation. These losses are referred to as material damage. For example, you may have had to pay out of pocket to boost your home security or fund counselling sessions following the data breach.
Call our advisors for further information about data breach compensation amounts in the UK. They can value your potential claim for free.
Data Protection Breach Claims With A No Win No Fee Solicitor
If you are eligible to make a personal data breach claim, one of the solicitors on our panel could help you. Additionally, they may offer their services under a type of No Win No Fee arrangement called a Conditional Fee Agreement.
When making a claim with a solicitor under this arrangement, you won’t be expected to pay them any upfront fees for them to begin working on your case. Furthermore, you will not have to pay them for their services if your claim fails.
If your data protection breach claim succeeds, your solicitor will deduct a success fee from your settlement award. This fee is taken as a small, legally-capped percentage.
Why Work With Public Interest Lawyers
At Public Interest Lawyers, our panel of dedicated data breach solicitors have decades of experience in dealing with claims just like yours. Some individual solicitors have been practising for decades, so when you choose to contact our advisors for an eligibility assessment, you know you may be put through to a legal representative with a long track record of winning for their clients.
Here are a few of the ways a solicitor from our panel can help you during the claims process:
- Ensuring you receive any required counselling, therapy, or other rehabilitative support.
- Helping you assemble a body of supporting evidence.
- Keeping you informed of how the claim is moving forward and explaining all the complicated legal jargon.
- Determining a fair and accurate compensation figure, taking into account both material and non-material damage.
- Negotiating a settlement with the defendant’s representatives.
Contact Us
To find out if you could be eligible to work with a solicitor from our panel, contact our advisors today by:
- Calling us on 0800 408 7825
- Using our online form to contact us
- Interacting with the live chat feature at the bottom of the screen.
Talk To Us For More Information On Data Protection Breach Examples In The UK
If you wish to claim compensation for a data breach, we hope this guide has been helpful. Please feel free to read these guides to find out more about the process of making a data breach claim.
- Claim For A Wrong Postal Address Data Breach
- Claim For A Failure To Use BCC Data Breach
- How to make a complaint to the ICO
If you still have any questions related to data protection breach examples or data breach claims, please feel free to contact Public Interest Lawyers today to talk to one of our advisors.


