Few things are as unsettling as an email telling you that a company you trusted has lost your data. Data breaches have become a routine feature of online life, hitting retailers, banks, hospitals and social networks alike. The good news is that being caught up in one rarely means disaster, provided you act quickly and methodically. This guide sets out exactly what to do. This is general information, not legal or security advice.

What a data breach is

A data breach is a security incident in which personal information is accessed, disclosed, lost or stolen without authorisation.

The data exposed varies enormously. At the milder end, it might be just your email address. At the more serious end, it can include passwords, dates of birth, home addresses, or payment and identity details. Breaches happen in several ways:

  • Hacking and cyberattacks, where criminals break into a company's systems.
  • Human error, such as an email sent to the wrong people or a misconfigured database left open.
  • Lost or stolen devices containing personal data.
  • Insider misuse, where someone with access takes or leaks data.

What matters for you is not usually how it happened, but what was exposed and what you do next.

First, work out what was exposed

Before you act, find out what the breach actually involved. The notification you received — or news coverage — should say. The right response depends heavily on the type of data:

Data exposed                           Main risk                  Priority
Email address only                     More spam and phishing     Stay alert to scam messages
Password (or reused password)          Account takeover           Change passwords urgently
Payment or card details                Fraudulent transactions    Contact your bank
Identity details (name, address, DOB)  Identity theft             Monitor closely, consider extra checks

The single most dangerous situation is a leaked password you have used on more than one site. Criminals routinely feed stolen email-and-password pairs into automated login attempts against many other services, a tactic known as credential stuffing, which turns one breach into many.

The immediate steps to take

If you have been affected, work through these in order. Speed matters, but so does covering each base.

  1. Change the affected password straight away. Make the new one strong and unique.
  2. Change it everywhere you reused it. If the same password protected other accounts, those are now at risk too. This is the step people most often skip, and it is the most important.
  3. Turn on two-factor authentication. This adds a second step to logging in, so a stolen password alone is not enough. An authenticator app or a hardware security key is stronger than codes sent by text message, but any second factor is better than none. Our guide to two-factor authentication explains how it works and how to set it up.
  4. Contact your bank if money or card details were involved. Banks have processes for suspected fraud and can watch for or block unusual transactions.
  5. Watch your accounts. Check for logins you do not recognise, unexpected emails about password changes, or transactions you did not make.
  6. Be alert to follow-up scams. Criminals often use breached details to make phishing messages more convincing, sometimes posing as the very company that was breached. Treat unexpected contact with suspicion and learn the signs in our guide to spotting phishing emails.

A password manager makes the first two steps far easier, because it can generate and store a unique password for every account, so a single breach cannot cascade across your digital life.
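The two points above, that a reused password turns one breach into many and that the fix is a strong unique replacement, can be checked and acted on from a script. The example below is added here and is not part of the original guide; it uses the Pwned Passwords "range" lookup, which the guide does not mention, as one way of finding out whether a password already appears in known breach dumps. Only the first five characters of the password's SHA-1 hash are sent to the service, which replies with every hash suffix sharing that prefix, and the match is made locally, so the password itself never leaves your machine. The sample range response is constructed for the example; the only real value in it is the hash of the word "password".

```python
import hashlib
import secrets
import string
import urllib.request

# Real service endpoint; the offline demo below never contacts it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for SHA-1 prefix "5BAA6".
# Each line is "<35-hex-char hash suffix>:<times seen in breaches>".
# The middle line is the genuine suffix of SHA-1("password"); the other
# two suffixes and all three counts are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:4
"""


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest.

    The prefix is the only thing that would be sent to the service; the
    suffix stays local and is compared against what the service returns.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding lines (count 0)."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup for one hash prefix (not exercised by the offline demo).

    The Add-Padding header asks the service to pad the reply so its size does
    not reveal how many real suffixes matched.
    """
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, lookup=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found).

    `lookup` maps a 5-char prefix to a range-response body; pass a function
    returning canned text to run offline, as the demo does.
    """
    prefix, suffix = sha1_split(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


# Character set for generated replacements; assumption for the example,
# trim it if a site rejects particular symbols.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20) -> str:
    """Generate a random password from the OS CSPRNG (what a password manager does)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_5BAA6  # canned reply, no network
    for candidate in ("password", "correct horse battery staple"):
        seen = pwned_count(candidate, offline)
        verdict = f"seen {seen} times, change it everywhere" if seen else "not in sample data"
        print(f"{candidate!r}: {verdict}")
    print("replacement:", generate_password(24))
```

To check a password against the live service, call `pwned_count(candidate)` without the second argument; the function then uses `fetch_range`. A hit means that exact password is in circulation and every account still using it should be treated as exposed, not just the one that was breached.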

How to monitor for trouble afterwards

A breach can have a long tail, so keep watch for weeks, not just days.

  • Review bank and card statements regularly for transactions you do not recognise, however small — fraudsters sometimes test with tiny amounts first.
  • Check your accounts' login activity where the service offers it, and sign out unknown sessions.
  • Stay wary of phishing and impersonation. The risk rises after a breach; our guide to avoiding impersonation scams covers how to verify that contact is genuine.
  • Consider your credit report if identity details were exposed, watching for new accounts or credit searches you did not initiate, which can be an early sign of identity theft.

If you spot anything suspicious, act on it immediately rather than waiting to see whether it gets worse.

How and where to report it in the UK

Reporting matters: it can help you, and it feeds the wider effort to hold organisations to account and to disrupt fraud.

  • The Information Commissioner's Office (ICO). The ICO is the UK regulator for data protection. If you are concerned about how an organisation collected, stored or lost your personal data, you can raise it with them. Organisations are themselves required to report a breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to people, and to tell affected individuals without undue delay when there is a high risk to their rights and freedoms.
  • Action Fraud. If you have lost money, or been targeted by fraud or attempted fraud as a result of a breach, report it to Action Fraud, the UK's national reporting centre for fraud and cybercrime. In Scotland, report to Police Scotland on 101.
  • The National Cyber Security Centre (NCSC). You can forward suspicious emails to the NCSC's Suspicious Email Reporting Service at report@phishing.gov.uk, and suspicious texts to 7726 (free on UK networks); these reports help get scam sites and numbers taken down.

Keep a simple record of what happened and what you did — dates, reference numbers and any correspondence — in case you need it later.

Your rights and getting help

Under UK data protection law, you have rights over your personal data, including the right to ask an organisation what information it holds about you (a subject access request), and organisations have legal duties to keep that data secure and to be transparent when things go wrong. If a breach caused you harm, you may in some cases be entitled to a remedy, but this depends on the specifics. The ICO explains your rights in plain language, and Citizens Advice can help you understand your options if you are unsure what to do. For anything with legal or financial stakes, consider professional advice rather than relying on a general guide.

How to reduce the damage from future breaches

You cannot stop companies being breached, but you can limit what any single breach can do to you:

  • Use a unique password for every account, so one leak never unlocks others.
  • Turn on two-factor authentication everywhere it is offered, especially email and banking.
  • Share less data. Provide only what is genuinely needed when signing up for services.
  • Keep devices and apps updated to close known security holes.
  • Stay sceptical of unexpected messages, even ones that seem to come from familiar names.

These habits turn a breach from a potential crisis into a minor inconvenience.

The bottom line

A data breach exposes personal information without permission, and being caught in one is increasingly common rather than catastrophic. The response that matters is fast and orderly: find out what was exposed, change the affected password and any reused copies, switch on two-factor authentication, contact your bank if money is involved, and stay alert to follow-up scams. Report concerns to the ICO and any fraud to Action Fraud, keep a record, and use unique passwords so the next breach cannot ripple across your accounts. Acting calmly and quickly is almost always enough to keep you safe.