Do you have a 2plan data breach compensation claim?  


In 2023, advisory network 2plan experienced a data breach. Worryingly, it took the firm almost a year to inform all affected clients about the security violation. Delaying the notification has exposed these clients to potential cyberattacks, as victims of data breaches are frequently targeted by phishing and other fraudulent schemes. 

What happened in the 2plan data breach?

2plan Wealth Management provides independent financial advice, service, and support along with wealth management, investment, retirement, and financial planning services. In May 2023, the firm experienced a cyberattack.  

In March 2024, some 10 months later, 2plan contact some former clients to warn them that their data may have been stolen in the ‘cyber incident’. The letter states that:  

  • Following the breach, 2plan quickly contained the incident and took the ‘necessary steps’ to reinstate secure systems. It also alerted the FCA and the Information Commissioner’s Office about the breach (as it is legally required to do). 
  • While 2plan alerted some affected customers at the time of the breach, following an ‘extensive review’ of the incident, it has discovered that more clients are affected than was first thought.  

The letter also said the nature of the data stolen meant it was at risk of being used by scammers and that victims of this breach may be targeted by cybercriminals.  

What should victims of the 2plan data breach do now?

Victims of the data breach should take immediate steps to protect themselves. Not least because 2plan has warned victims that “there is sufficient data about you to enable attempts to impersonate you or approach you (via telephone or email) with potentially believable scams.” 

Our data protection experts advise victims of this breach to:  

  • Contact their bank or credit card provider immediately if they discover that their financial data has been exposed or if there is any suspicious activity on their accounts 
  • Check all bills and emails for goods or services they have not ordered and their  
  • bank accounts/credit cards for unfamiliar transactions. 
  • Monitor their credit score for any unexpected dips and contact the credit reference agencies to ensure credit isn’t taken out in their names. Consider registering with the Cifas protective service to slow down credit applications made in their name 
  • Never provide their PIN or full password to anyone (even someone claiming to be from their bank). If a bank believes a transaction has been fraudulent, they will not ask for this information to cancel the transaction.   
  • Never be pressured into moving money to another account for “fraud reasons”. A legitimate bank won’t ask you to do this or ask you to make a financial transaction on the spot. 
  • Never automatically click on any suspicious links or downloads in emails or texts.  Be cautious of unsolicited communications that refer them to a web page asking for personal data.   
  • Never assume an email or phone call is authentic just because someone has their details. Know that, even if they recognise a name or number, it might not be genuine.   
  • Be careful who they trust – criminals often use scare tactics to try and trick people into revealing their security details. 
  • Refuse ALL requests for personal or financial information and stop discussions if they are at all unsure.   
  • Review their online privacy settings.  
  • Report suspected fraud attempts to the police and Action Fraud. 

Victims of this breach should also follow the security instructions provided by 2plan.  This includes accepting 2plan’s offer of a two-year free subscription to Experian’s web monitoring service. However, when accepting the offer of free web monitoring, victims should ensure they are not inadvertently waiving their rights to make a data breach claim against 2plan. 

In our experience, most firms only offer these services for one year following a data security incident, so the 24 months complementary subscription could reflect the potential the scale of this breach.  

KP Law is investigating this incident, and we are considering a no-win, no-fee group action claim to help victims living in England & Wales claim compensation. To register your interest in joining this action, sign up below and we will be in touch to invite you to join our claim.     

In March 2024, our firm changed its name to KP Law. 

Share this article: