Received a Data Breach Notification? Here's What to Do
Data breaches happen when a company's systems are compromised and customer data — email addresses, passwords, phone numbers, payment details — is stolen. If a company has contacted you to say your data was involved, this guide tells you exactly what to do next.
Read the Notification Carefully
The breach notification should tell you what type of data was exposed, when the breach occurred, what the company is doing about it, and what they recommend you do. The actions you need to take depend on what was exposed. An email address alone mainly exposes you to spam and phishing; passwords, payment details, or identity documents are higher risk and need the steps below.
Change Your Password on the Breached Service
Do this immediately, even if the notification says passwords were "hashed". Hashing is not encryption: it is a one-way function that lets the site check a password without storing it, but anyone holding the hash database can guess passwords offline at very high speed, and common or short passwords are recovered quickly. Create a new, unique password you don't use anywhere else.
Check if You Used That Password Elsewhere
This is critical. If you used the same password on other accounts, especially email, banking, or shopping sites, change it on every one of those accounts now: attackers take leaked email-and-password pairs and try them automatically against other sites ("credential stuffing"). Use a password manager if you don't already have one; the NCSC recommends using one, and free options such as Bitwarden let you store a unique password for every site.
Enable Two-Factor Authentication
On the breached service, and on every other important account, enable 2FA. With 2FA, a stolen password alone is not enough to log in. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or redirected by SIM-swap fraud.
Monitor for Suspicious Activity
Check the following over the next 30 days:
- Your email inbox for unexpected password resets or login alerts from sites you use
- Your bank statements for any transactions you don't recognise
- Your credit file via Experian, Equifax, or TransUnion for any new applications
Use Have I Been Pwned (haveibeenpwned.com) to check if your email has appeared in additional breach databases.
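Have I Been Pwned also lets you check whether a password itself has appeared in a breach, without ever sending the password. The Python below is an added example, not code from Have I Been Pwned or from this guide: it implements the k-anonymity lookup that HIBP's Pwned Passwords API documents (hash the password with SHA-1, send only the first five hex characters of the hash, and match the remaining 35 locally against the list the server returns). The sample response embedded in the script is constructed so the check runs offline; the counts in it are made up, not real HIBP figures.

```python
"""Check a password against HIBP Pwned Passwords by k-anonymity range query.

Added example; not code from Have I Been Pwned or this guide. The API shape
(GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>, one
'SUFFIX:COUNT' line per match) is HIBP's documented interface. The sample
response below is constructed and its counts are invented.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the server returns for prefix 5BAA6 (the
# bucket containing the SHA-1 of "password"). The 0-count line stands in
# for the padding entries HIBP adds when the 'Add-Padding: true' header is
# sent, so that response size does not leak which bucket was hit.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
01A0F9B5D3DE1A2F5AEB0A2A3E1F8C9D0E1:0
"""


def split_sha1(password: str):
    """Return (prefix, suffix): the first 5 and remaining 35 hex chars of
    the uppercase SHA-1 of the password. Only the prefix leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response and return how many times the password with
    this suffix was seen in breaches. 0 means absent (padding lines also
    carry 0, so they are correctly treated as 'not pwned')."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """The only network call: sends the 5-char prefix, gets the whole bucket.
    The server never sees the password or its full hash."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-guide-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of breach appearances for the password (0 = not found).
    'fetch' is injectable so the logic can be exercised offline."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch(prefix), suffix)


if __name__ == "__main__":
    # Offline run against the constructed bucket. Replace the lambda with
    # the default fetch_range to query the live service.
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    for pw in ("password", "kX9#vQ2pL!m7Rz4wB&nT"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch=offline)} times")
```

The live lookup is safe to run on a real password precisely because of the prefix split: roughly 500 to 1,000 hashes share each 5-character prefix, so the server cannot tell which one you were asking about, and with padding it cannot tell from the response size either.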
Be Alert to Follow-On Scams
Data breaches are routinely followed by targeted phishing. Attackers use the stolen data to craft convincing messages that appear to come from the breached company or from your bank. Be suspicious of any email, text, or call you receive in the weeks after a breach notification, especially those asking you to click a link, enter credentials, or "confirm" payment details. Do not use links or phone numbers from the message; go to the company's website directly or call the number on your card or statement.
Understand Your Rights Under UK GDPR
- You can request full information about what data of yours was involved (Subject Access Request)
- You can complain to the Information Commissioner's Office (ICO) at ico.org.uk if you believe the company was negligent
- You may be entitled to compensation for material damage or distress caused by the breach. The ICO cannot award compensation; you claim it from the organisation directly and, if they refuse, through the courts
Frequently Asked Questions
The company says my password was "hashed." Do I still need to change it?
Yes. Hashing is a form of protection, but not a guarantee. An attacker who has the hash database can guess passwords offline, with no login attempts for the site to notice or rate-limit: common and short passwords are recovered in seconds from lists of previously leaked passwords, and faster still if the site used a fast, unsalted algorithm such as MD5 or SHA-1. A slow, salted algorithm such as bcrypt or Argon2 buys time, not safety. Change the password regardless: it takes 30 seconds and removes that risk.
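To see why "hashed" is not "safe", here is an added example (not from this guide) of the offline guessing attack the answer above describes, which is also the reason for the advice under "Change Your Password on the Breached Service". The leaked database, the accounts, and the wordlist are all constructed inside the script; the wordlist is a dozen entries standing in for the lists of hundreds of millions of leaked passwords attackers really use. It runs the same attack against a fast salted hash (SHA-256) and a slow one (PBKDF2-HMAC-SHA256, with a reduced iteration count so the demo finishes quickly) to show that the slow algorithm only buys time: the same three weak passwords fall either way, and only the long random one survives.

```python
"""Why 'hashed' does not mean 'safe': an offline guessing attack.

Added example, not part of the original guide. Everything here is
constructed: the 'leaked' hash database is built in this script from
made-up accounts, and the wordlist is a short stand-in for the real
multi-million-entry lists.
"""
import hashlib
import os
import time

# Constructed wordlist. Real attacks use lists built from earlier breaches;
# a dozen of the usual suspects is enough to show the effect.
WORDLIST = ["123456", "password", "qwerty", "letmein", "football",
            "iloveyou", "admin", "welcome", "monkey", "dragon",
            "Summer2023", "Password1"]

# Constructed "customer database": user -> password. The first three are
# the kind of password found in every wordlist; the last is 20 random
# characters of the kind a password manager generates.
ACCOUNTS = {
    "alice@example.com": "Summer2023",
    "bob@example.com": "password",
    "carol@example.com": "letmein",
    "dave@example.com": "kX9#vQ2pL!m7Rz4wB&nT",
}

# Reduced for the demo; OWASP currently recommends 600,000+ for PBKDF2-SHA256.
PBKDF2_ITERATIONS = 100_000


def fast_hash(password: str, salt: bytes) -> str:
    """Salted SHA-256. Cheap for the site, and therefore cheap for the
    attacker: a GPU tries billions of these per second."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256: deliberately expensive, so each guess costs
    tens of milliseconds on a CPU instead of nanoseconds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS).hex()


def build_leaked_db(accounts, hash_fn):
    """What the attacker steals: per-user salt and hash, never the password."""
    db = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_fn(pw, salt))
    return db


def crack(db, hash_fn, wordlist):
    """Offline guessing: hash each candidate with the user's salt and
    compare. No login attempts, no lockout, nothing the site can see."""
    recovered = {}
    for user, (salt, stored) in db.items():
        for guess in wordlist:
            if hash_fn(guess, salt) == stored:
                recovered[user] = guess
                break
    return recovered


def demo(hash_fn):
    """Build a leaked database with hash_fn, attack it, return (found, seconds)."""
    db = build_leaked_db(ACCOUNTS, hash_fn)
    start = time.perf_counter()
    found = crack(db, hash_fn, WORDLIST)
    return found, time.perf_counter() - start


if __name__ == "__main__":
    for name, fn in (("SHA-256", fast_hash), ("PBKDF2", slow_hash)):
        found, secs = demo(fn)
        print(f"{name}: cracked {len(found)}/{len(ACCOUNTS)} accounts "
              f"in {secs:.3f}s -> {sorted(found)}")
```

The salt defeats precomputed tables (each user's hash must be attacked separately) and the slow hash multiplies the attacker's cost per guess, but neither changes which passwords are guessable. That is why the only real protection is a password that is not on any list, and why a leaked hash of a reused password must be treated as a leaked password.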
How do I report a data breach to the ICO?
Go to ico.org.uk/make-a-complaint. Raise your complaint with the company first and give them a chance to respond; the ICO expects this. If you are unsatisfied with their answer, or get none, escalate to the ICO. Do so within three months of your last meaningful contact with the company, as the ICO will not normally take up older complaints.
I received a notification about a breach that happened 2 years ago. Why so late?
Under UK GDPR, companies must report a breach that is likely to put people at risk to the ICO within 72 hours of becoming aware of it, and must tell affected individuals without undue delay where the risk to them is high. But a company may not become aware for months or years, for example if the breach happened at a third-party supplier or the stolen data only surfaces later on a criminal forum. Old breach data is still used in attacks because many people never change their passwords, so change the password regardless.