Which? is calling for tougher penalties on firms that fail to prevent data breaches as new research reveals the huge financial loss for consumers.
When data breaches occur following a cyberattack, stolen information such as passwords or credit card and bank details can be sold on to fraudsters.
A survey of Which? members revealed 46% of people whose data was stolen by hackers following a breach at a large company went on to experience fraud.
One British Airways customer had his trip of a lifetime ruined when he became one of the 500,000 customers whose names, email addresses and card details were stolen by cybercriminals.
When he arrived for his holiday in Thailand, he found that RBS (RBS.L) had frozen his account, saying there had been a lot of suspicious activity, including someone attempting to take £15,000 ($9,139) from his account, and Nationwide had also blocked his debit card.
Several large companies have been subject to huge data breaches this year.
EasyJet (EZJ.L) told around nine million customers that their data had been compromised in a breach whilst Marriott also hit the headlines for losing around 5.2 million people’s contact and personal information — its second data breach in three years.
The Information Commissioner's Office (ICO) announced its intention to fine BA £183m ($233m) for its 2018 breach and Marriott (MAR) just under £100m for losing around 339 million guests’ records. But the deadlines to issue the fines were extended and both companies are expected to appeal. The IAG Group (IAG.L), which owns BA, released a report in June, estimating the fine would be €22m (£20m).
Which? is calling for the ICO to issue intended fines when organisations breach data protection law.
Jenny Ross, Which? Money editor, said: “We need the ICO to be a regulator with teeth that is prepared to step in and issue fines in the event of companies breaking data protection laws, to ensure more businesses better protect consumers from data breaches.
“Consumers should also have a much clearer route to redress when they suffer the financial and emotional toll of data breaches — and that’s why the government must allow for an opt-out collective redress regime that deals with mass data breaches.”