Green light for legal action over UK’s biggest data breach

Class action filed over breach at Carphone Warehouse affecting up to 14 million people.

A class action on behalf of members of the public affected by the UK’s biggest data breach has been given the go-ahead after a ruling at Manchester Crown Court.

Almost 2,000 people have signed up to a case being brought against Carphone Warehouse owner Currys Retail by Manchester-based legal firm Barings Law. The action relates to a data breach that affected 14 million personal records and 5.6 million pieces of credit card information.

“It is clear that people are seeking justice and resolution, and we are committed to representing their interests effectively,” Barings head of data breach Adnan Malik told Computer Weekly.

Data protection

The attack on the retailer’s system occurred in August 2015. The company published a statement on its website saying that the names, addresses, dates of birth and bank details of 2.4 million customers and the credit card details of 900,000 more, along with records relating to 1,000 members of staff, had been compromised. There was criticism that the announcement of the breach on August 8 came three days after it occurred on August 5.

Carphone Warehouse was eventually fined £400,000 ($498,500) by the Information Commissioner’s Office (ICO) after multiple inadequacies were found in the company’s approach to data protection. Intruders had, for example, been able to use valid login credentials to access the system via an out-of-date version of WordPress.

Statista estimates that up to 14 million personal records and the payment card information of 5.6 million people may ultimately have been affected.

GDPR

Carphone Warehouse was found to have contravened principle 7 of the Data Protection Act 1998, the precursor to GDPR in the UK. The principle required companies to take “appropriate technical and organizational measures” against unauthorised or unlawful processing of personal data.

GDPR tightened up those obligations and introduced more stringent penalties, including fines of up to 4% of annual turnover. The ICO fine was described as a “shot across the bow” of large companies to remind them of their obligations ahead of the introduction of GDPR.

Currys are continuing to defend the claim brought by Barings. If the claim is successful it could result in millions of pounds in compensation for those affected, and there could be implications for those affected by other breaches.

10 biggest UK data breaches

After Carphone Warehouse, the most significant data breaches in the UK between July 2011 and May 2023 by impact, according to Statista, were:

  • Equifax – 15.2 million records;
  • Easyjet – 9 million customers and 2,200 credit card details;
  • NHS – 1.8 million records;
  • Virgin Media – 900,000 customers;
  • JD Wetherspoon – 650,000 customers;
  • British Airways – 500,000 payment card details;
  • Wonga – 270,000 customer records;
  • Three Mobile UK – 130,000 customer records;
  • TalkTalk – 157,000 records.

The biggest data breach on record affected global web giant Yahoo. It discovered in 2016 that a hacking group had accessed the accounts of more than one billion customers three years previously. By the time it had finished investigating, the figure was revised upwards to an astonishing three billion.

The discovery came as media conglomerate Verizon was acquiring Yahoo, and led to the deal being completed at a reduced price. The investigation into the breach revealed that while security questions and answers were compromised, plaintext passwords, payment card and bank details were not.

10 biggest global data breaches

Coming joint second behind Yahoo are India-based ID database Aadhaar and Chinese shopping site Alibaba. Both found attackers had compromised 1.1 billion pieces of user data – at Aadhaar in 2018 and at Alibaba in 2019. In the case of Aadhaar, this consisted of biometric data such as fingerprints and iris scans.

The rest of the global list is:

  • LinkedIn (2021) – Hackers posted data associated with 700 million users on the dark web after deploying a data scraping tool;
  • Sina Weibo (2020) – Names, usernames, gender information, location details and phone numbers of 538 million users were obtained and sold on the dark web;
  • Facebook (2019) – Information including phone numbers, account names and IDs relating to 533 million users was posted on the dark web;
  • Marriott International (2018) – An attack on the hotel chain’s customer database exposed details including guests’ names, email addresses, phone numbers, passport numbers, account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. Some 500 million customers were affected;
  • Yahoo (2014) – In a separate attack to the one at the top of the list, account details of 500 million customers were accessed and sold on the dark web;
  • Adult Friend Finder (2016) – Details of 412.2 million users of the casual hookup and adult content site were stolen by thieves who exploited the site’s use of the weak SHA-1 hashing algorithm;
  • MySpace (2013) – The famously weak SHA-1 algorithm is also believed to have been the trigger for an attack that saw details of 360 million user accounts leaked.