Guidance

A data breach occurs when information held by an organisation is stolen or accessed without authorisation.

Cyber criminals can then use this information when creating phishing messages (such as emails and texts) so that they appear legitimate. These messages are designed to make it sound like you are being individually targeted, when in reality the criminals are sending out millions of these scam messages.

They may even send messages pretending to be from an organisation that has suffered a recent data breach. Even if your details are not stolen in a data breach, the criminals will exploit high profile breaches (whilst they are still fresh in people’s minds) to try and trick people into clicking on scam messages.

Be aware of scam calls, texts, or emails that may try to trick you into revealing sensitive or personal details, such as your banking details or passwords, or that request access to your computer.

Actions to take following a data breach

If you’re a customer of an organisation that has suffered a data breach you should take the following actions.

  • Find out if you’ve been affected by contacting the organisation using their official website or social media channels. Don’t use the links or contact details in any messages you have been sent.
  • Be alert to suspicious messages which may be sent some time after the breach is made public. Remember, your bank (or any other official organisation) will never ask you to supply personal information. Our blog ‘Phishing Explained’ includes top tips for spotting tell-tale signs of a phishing attack.
  • Change your password. If you receive a suspicious message that includes a password you’ve used in the past you should change it as soon as you can. If any of your other accounts use the same password, you should change them as well.
  • Check your online accounts to confirm there has been no unauthorised activity.
  • To check if your details have appeared in any other public data breaches, there are a number of online tools that you can use, such as https://haveibeenpwned.com. Similar services are often included in antivirus or password manager tools that you may already be using.

You should refer to the NCSC’s guidance on data breaches if you have any concerns.
