Data breach victim sued for over £1 million 


At KP Law, our specialist team is dedicated to upholding your data protection rights. We take it seriously when organisations don’t fulfil their responsibilities when handling your personal information, and we hold them accountable for lapses in data security. 

Personal information is anything that can identify an individual, either on its own or alongside other data. Organisations that use our personal data have a legal obligation to keep it safe. This is important because criminals regularly use stolen personal information to commit fraud, blackmail, and identity theft. Despite this, some people still like to compare data protection compensation claims to “ambulance chasing”.  

So what if someone’s information is breached? It can’t cause that much harm, right?  

Wrong! The results of a data breach can be devastating. Privacy violations can result in significant financial losses and cause considerable distress, upset, embarrassment, and harm. 

Highlighting the damage that can be done following a data breach, one Australian woman is being sued for around £1.4 million, after her data was stolen in the Medibank data hack.  

While the woman wasn’t initially that concerned that her personal information had been breached, she later discovered that hackers had used the stolen data to access her PayPal account via a credential stuffing attack. Once they successfully gained access to her account, the cybercriminals used it to make hundreds of fraudulent transactions over the course of just two days. And rather than just stealing from her, the hackers traded counterfeit Adidas items under her name. 

If that wasn’t bad enough, when Adidas and the NBA (National Basketball Association) discovered the illegal activity, they took her to court, and she has been charged with cybersquatting, trademark infringement, and IP infringement. The case was held in a US court, and she has since been told that she needs to pay USD$1.2 million in damages.  

The default judgements were made without her even being present to defend herself. And despite being a victim of a data breach, and taking her case to the police, the Australian Consumer Complaints Authority, the Australian Financial Complaints Commission, and the Australian Security Centre, six months later she is still expected to pay up.  

“Riddled with anxiety”, the woman is also facing thousands of pounds in legal bills after appointing an intellectual property lawyer to try and sort this mess out. Speaking about her situation, she said: “The anxiety that this causes, not knowing if they are going to come and take our house, can they freeze my assets, can they get access to my bank accounts? We just don’t know and it really is a case of guilty until I can prove otherwise.” 

Predictably, Mediback, the organisation responsible for the breach of the woman’s personal data in the first place, claims that the situation is not its fault or responsibility.  

Commenting on this case, Head of Privacy & Data Litigation at KP Law, Kingsley Hayes said:  

“This situation is, of course, awful. But while it might be one of the worst escalations we have heard about following a data breach, it’s certainly not a one-off. Over the years, we’ve represented many clients who have suffered significant financial losses after poor data security processes made it easy for cybercriminals to steal their personal data. We’ve also seen situations where the loss of personal information has put vulnerable people at risk of violence and physical harm, so we never downplay the potential consequences of a data security failure.” 

“In this particular case, it is quite likely that the fines will not be enforced as the victim lives outside of the US and in a different jurisdiction. Nevertheless, the worry that she must be experiencing is no doubt overwhelming.  

“Data breach victims commonly experience high levels of apprehension. They can undergo social anxiety and develop oversensitivity or paranoia. They can also acquire mood disturbances and depression, including poor sleep and tearfulness. When talking about the real-life impact of data breaches, people often don’t consider the impact on an individual’s mental state, but this case demonstrates just how significant the financial and psychological effects can be.” 

The sheer scale of the information we share on and offline is enough to leave us open to the threat of fraud and identity theft should it get into the wrong hands. And, with data hacks happening more and more often, something must be done to make companies accountable for their failures to implement adequate data security measures. Claiming compensation could be the only way to ensure that big organisations implement more secure processes. 

In March 2024, our firm changed its name to KP Law. 

Share this article: