4 times data breaches ramped up the UK's fraud risk

Two apparently linked cyberattacks have caused chaos for UK high street stalwarts M&S and Co-op, and both companies confirm customer data was taken by the hackers.

Which? has warned M&S and Co-op customers to be wary of calls, emails or messages claiming to come from either firm, as well as keeping an eye on bank accounts and credit reports for suspicious activity. 

That's because identity theft or ransacked bank balances aren't the only threats for customers of hacked firms to be wary of. Fraudsters often take advantage of data breaches and IT meltdowns to launch sophisticated phishing attacks in which they impersonate beleaguered firms. The goal is to trick you into divulging valuable personal or payment information. 

In many cases, the criminals targeting you may not be connected with the hackers. They may not even have access to your stolen data, but are just using news of the breach as a hook to lure you in.

Read on to learn how big data breaches have been followed by a wave of fraudulent activity, and how to protect yourself if it happens to you.

Sign up for scam alerts

Our emails will alert you to scams doing the rounds, and provide practical advice to keep you one step ahead of fraudsters.

Sign up for scam alerts

1. Ticketmaster

In 2018, a Ticketmaster data breach was revealed after digital bank Monzo spotted a spike in the numbers of recent Ticketmaster customers reporting fraudulent activity on their bank accounts.

Monzo replaced 6,000 bank cards in response to the breach, which the BBC reported affected up to 40,000 people.

Compromised data included names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details.

Ticketmaster said the breach had occurred due to malicious software on a customer support product run by a third-party supplier.

2. TalkTalk

In a 2015 cyberattack, 157,000 customers of telecoms provider TalkTalk had their details stolen. 

In 2016, the firm received a then record fine of £400,000 from the Information Commissioner's Office in respect of the breach. Two perpetrators were jailed in 2018 for their role in the hack.

Though it's difficult to attribute fraud attempts directly to data breaches, TalkTalk customers reported frequent scam calls and identity theft attempts in the aftermath of the cyberattack. 

In 2019, a BBC investigation found the personal details of approximately 4,500 TalkTalk customers available online after a Google search. 

3. Equifax

One of the largest data breaches in history, the 2017 hack of credit reference agency Equifax saw the data of almost 700,000 UK consumers stolen. 

Cybercriminals accessed names, dates of birth, phone numbers, Equifax membership login details, partially exposed credit card details and residential addresses.

In 2023, the firm was fined more than £11m by the Financial Conduct Authority (FCA) for 'failing to manage and monitor the security of UK consumer data'.

The regulator said the massive breach had 'exposed UK consumers to the risk of financial crime', and the Washington Post reported that thousands of banking impersonation email scams had been sent out as a result of the cyberattack.

4. Tesco Bank

A 2016 cyberattack on Tesco Bank saw more than £2m stolen from a total of 9,000 customers in an attack described as 'unprecedented' by the FCA.

In some cases, hundreds of pounds were drained from people's account balances. All money was refunded and Tesco Bank was later fined £16.4m by the regulator for 'failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyberattack.'