Police Federation Data Breach

Around 180,000 police officers were affected.
They are still waiting for answers.

New Data Breach Alert: Metropolitan Police

If you have received notification of your involvement in this breach, please sign up to our group action compensation claim. 

We are helping PFEW members fight for justice following the 2019 data breaches

In March 2019, The Police Federation of England and Wales (PFEW) suffered two ransomware cyber-attacks. During the attacks, the hackers accessed the PFEW’s systems and encrypted several of its databases, making them inaccessible to the PFEW. The attacks also gave cybercriminals access to the same databases, which contained the personal information of around 130,000 police officers at all levels.

In March 2022, three years after the incident, the PFEW finally admitted liability for unlawfully processing police officers’ personal data by not having the appropriate technical and organisational measures in place. PFEW claims there is no evidence that data was actually taken. Nevertheless, PFEW members affected by the data breaches still haven’t been told exactly what happened.  

Many members have experienced lasting distress following these cyberattacks and have contacted us to help establish the facts and make a compensation claim.

KP Law has now launched a group action and is acting for 13,000 police officers affected by the PFEW data breach.

Are you affected by the PFEW data breach?

Your data might have been compromised in this attack if any of the following apply:

Are you a retired police officer? If so, you could have a PFEW data protection compensation claim

The PFEW has failed to notify retired police officers of the attacks directly

Because the Federation holds officer data until their death (or their 100th birthday), retired officers could be involved in this data privacy violation, even if they were not PFEW members at the time of the breach.

Many retired officers were affected but not notified of the PFEW cyber incidents directly. This is a significant failure by the PFEW.  

If you retired before 2019 but were – or were previously – a PFEW member, you might be affected and have the right to claim compensation. 

The PFEW asserts that there isn’t a valid claim

On its website, the PFEW states that it is highly unlikely that personal data has been “exfiltrated”. It claims that, without proof of exfiltration, PFEW members and retired officers do not have a claim for compensation.

This is not true!

“Exfiltration” is not the legal basis for our action against the PFEW.

Under the GDPR, a ‘personal data breach’ is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The mere fact that the PFEW’s databases were encrypted by the cybercriminals shows that personal data was unlawfully processed – and PFEW has admitted that it failed to take appropriate technical measures to protect its members’ data!

The PFEW has admitted that it cannot recover much of the data, that data has been lost, and that data has been destroyed because of the cyber-attacks. Furthermore, the PFEW cannot confirm exactly what happened to its members’ data. Although it continues to claim that there is ‘no evidence’ that data was taken by cybercriminals during the attacks, it cannot say for sure.

For these reasons, and because of the distress caused by not knowing what has happened to the compromised data, affected members and former officers have valid compensation claims against PFEW.

It is misleading., and the PFEW does its members a disservice, to suggest otherwise.

Affected PFEW members are angry and distressed

Organisations are expected to make efforts to prevent any loss, destruction, or unauthorised disclosure of the personal data they have collected. Further, they are expected to share details about data breaches with those who have been affected.

The PFEW states that it is highly unlikely that personal data has been “exfiltrated” in the security incidents. However, even if this is the case, a clear GDPR data protection breach has occurred. As such, affected serving and retired officers are entitled to claim against PFEW. 

The PFEW data breach could have significant consequences for its members. Our clients have told us that they are appalled the PFEW did not inform them about the data breach, that they are worried that the breach has put them and their families at risk, and that they feel let down by the PFEW.

I was appalled that the data breach occurred and then the most alarming thing was not to be informed of the actual data breach meaning I could not do anything about to protect myself and my personal details.”

Police Federation Member

“I thought I would receive a full response from the Police Federation and information regarding their response and actions they were going to take in the future. I felt like the Police Federation were unable to protect my information. I feel like they don’t care about it, I don’t feel valued.”

Police Federation Member

“I was surprised that such a professional organisation could allow such an act to happen. As serving Officers we place a level of trust within the PFEW in providing us with layers of protection and ensuring that we are treated with fairness and equality and providing us with a service that protects our interests and safety. I immediately thought that the PFEW had failed my colleagues and oneself in respect of this data breach.”

Police Federation Member

“I thought that this was a very unsafe position to leave me in. I have been part of one of the largest organised crime investigations ever in UK history and had a key role in ensuring this successfully put dozens of top level criminals in prison. The exposure of my data made me think that the police Federation did not take data security seriously and left me and my family at risk.”

Police Federation Member

“The PFEW should 100% have had things in place to prevent this from happening. It’s absolutely outrageous that this was allowed to happen.”

Police Federation Member

“I felt physically sick. I thought about the physical risk to myself and my family from criminals and I couldn’t sleep at night. I had nightmares and would wake up to any small sound until we moved house. It made me paranoid about new or strange people I saw on my street. It’s was really horrible and I felt terribly let down by the organisation whose job it is to keep us and our personal information safe.”

Police Federation Member

“I did not understand how such an important breach could occur, I placed my trust in the police federation and thought that this would put myself and family at risk of harm.”

Police Federation Member

“My trust in the organisation has definitely been affected negatively and that should not have been allowed to happen. I think the years I have spent reducing the risk of my information being easily accessed has been completely wasted.”

Police Federation Member

Victims of the PFEW data breach deserve answers, justice, and compensation

We believe that our group action against the PFEW has legal merit for several reasons:

Personal information has been compromised including sensitive special category health data.

The compromised information includes:

Our clients have experienced distress

Our PFEW clients have experienced significant and lasting distress as a result of these cyberattacks. They have told us about experiencing fear, anxiety and stress because of the violation; others have had their existing conditions exacerbated. Not knowing how cybercriminals were able to access their sensitive details, or what they have done with this data, has caused our clients considerable distress – especially given the nature of their jobs.

The lack of answers from the PFEW following the breach has also added to our clients’ distress. Unable to get an explanation for why this breach was allowed to happen, many have turned to KP Law for help.


Why use KP Law?

Our data breach team includes some of the most skilled litigation lawyers in England & Wales. We have the experience, diligence and means to fight our clients’ corner and win. We are never afraid of a fight and are ready to take on the large organisations that other law firms shy away from.

We are representing police officers in this case on a no-win, no-fee basis to ensure they have access to the absolute best lawyers without worrying about legal fees.

Ultimately, we act for clients who deserve to win and do everything we can to ensure that they do.

“Police officers deserve to have the highest possible level of protection when it comes to their valuable personal data. Criminals could use this extremely sensitive information to cause serious harm.

“The impact of the PFEW’s data protection failure has had a significant effect on those affected, and the lack of care shown by the federation after the incident has raised further questions about what happened.

We are helping over 13,000 police federation members who are concerned that they are affected by the data protection failure, and we can help you too.”

Where is our PFEW case up to?

Admitted facts

While the PFEW is attempting to discredit the affected officers’ right to claim compensation for this breach, it has admitted to several facts that we believe strengthen our case. For example:


Despite repeated attempts to open negotiations with the PFEW, it has consistently refused to engage with our data breach solicitors about the claim. In response, KP Law had no choice but to take this matter to Court.

In December 2022, we took an important step forward when we issued a claim form against the PFEW at the High Court. At a hearing in March 2023, the High Court agreed that it was appropriate to make case management directions for a trial of the lead claims. This means that the claims against the PFEW will be managed by the Court going forward in a manner that protects the overall position of the victims and will ensure that the case is litigated efficiently and treated seriously by the PFEW. This increases the chances of success (via Court or settlement) for those affected by the breach. Given the large numbers of people affected by the PFEW hack, we believe that collective litigation is the best and most efficient way to conduct this claim.

The CCMC (Costs and Case Management Conference) is scheduled for two days in September 2024.

Claimant anonymity

On behalf of our clients, we applied for a blanket anonymity order to keep their identities a secret. However, the PFEW asked that we amend this order. As such, claimants may be named in the action, but their addresses and other personal details will be anonymised.

Why are PFEW members joining our group action?

Despite this incident happening almost four years ago, the PFEW still has not fully explained to its members why criminals were able to access its systems. This has left many members frustrated and distressed.

In addition, although the PFEW notified a small proportion of its members directly, the PFEW did not notify all its members who were affected by the attacks. Under the GDPR, the PFEW was required to notify all those affected ‘without undue delay’. The Federation claims that its delay was due to its email being down for several weeks because of the attacks.

At KP Law, we have seen victims of similar data breaches become the target of cybercriminals, with instances of phishing, fraud, and identity theft. By failing to take sufficient steps to notify all those affected, PFEW members were left exposed as they were not given the opportunity to protect themselves from such threats. This added to victims’ worry when they eventually found out about the breach.

Years later, we are still receiving enquiries from police officers who were never notified about the breach. We think this is unacceptable.

Is the PFEW to blame for the attack?

Where personal and sensitive information is held, significant and robust processes must be in place to secure that data and prevent successful cyberattacks. This is known as the integrity and confidentiality principle. While the PFEW was the victim of two cyberattacks in March 2019, it was the PFEW’s inadequate security measures which created the initial vulnerability.

As such, we believe that the 2019 PFEW data breaches are a clear and serious infringement of data protection laws and a violation of officer trust and safety.

In data breach cases, action is needed to make companies accountable for serious security failures. Claiming compensation is often the only way to ensure that secure processes are implemented. What’s more, in a world that is increasingly digital, cyber-attacks are going to happen. Any organisation that holds sensitive personal data should have taken out insurance to cover the risk of cybercrime.  

Organisations like the Police Federation must treat your data lawfully and be held to account when they fail to do this.

How much does it cost to make a PFEW claim with KP Law?

At KP Law, we are running the PFEW data breach action on a no-win, no-fee basis. This means you won’t pay a penny towards your case if your claim is unsuccessful. There are no hidden charges or fees.

Police Federation Data Breach Timeline

  • 9th March 2019
    The Police Federation of England & Wales detected an attack on its computer systems.
  • 11th March 2019
    The PFEW reported the incident to the Information Commissioner's Office and the National Crime Agency.
  • 21st March 2019
    Following the initial attack on its systems, the Police Federation of England and Wales (PFEW) was subjected to a multi-pronged, sustained cyber-attack. Early indications showed that the attack was different from the first and has affected the wider Federation network.
  • In a tweet, the PFEW confirmed that it had been subject to a malware attack. The PFEW said: “There is no evidence at this stage that any data was extracted from our systems but this cannot be discounted”.
  • Questions were raised about why it had taken the PFEW almost two weeks to inform the affected parties.
  • 6 December 2022
    We issued a claim against the PFEW at the High Court.
  • 13 March 2023
    At a hearing on 13 March 2023, the Court agreed to make directions for the ongoing management of the claims against the PFEW.

Latest News



Find out more about making a group action claim for compensation.



What does no-win, no-fee actually mean and are there really no costs if you appoint us?

Why use KP Law to make a claim?

We are one of the most experienced multi-claimant law firms in the UK.

Our GDPR, data breach and cybercrime specialists have a combined experience of over 50 years.

We represent clients in group actions with innovation, resources, and expertise.

We work with expert barristers to ensure you get the very best level of legal support available.

We have all the resources and global expertise necessary to take on complicated cases and win.

We have offices in London, Liverpool, Manchester, and Birmingham, and the technology to provide a nationwide service to clients across England & Wales.

We use technology to deliver a better legal experience to our clients.

We work on a no-win, no-fee basis.

We make the process straightforward and hassle-free.


Your questions answered

See our answers to the FAQs we get asked about the PFEW Data Breach.

FAQs about the PFEW data breach

The Police Federation of England and Wales (PFEW) suffered a severe data breach across a number of its databases and servers. The first attack occurred on 9 March 2019 when entry to the PFEW’s network was gained via a “password spraying” attack. This happens when common username and password combinations are used to gain access to a system or network. A robust password protocol should have stopped this initial attack from being successful.

A further, and separate ransomware attack took place on 21 March 2019. This attach impacted the PFEW’s wider IT network. This entry point was via a remote access support tool used by an IT service provider. According to the PFEW, while it has uncovered no evidence that any personal data was accessed, downloaded, or targeted as a result of the cyber incidents “the attackers’ unauthorised access to PFEW’s network means that they had the theoretical ability to access certain personal data held by PFEW.”

Ransomware is a type of malicious software. Typically cybercriminals use ransomware to threaten to publish the victim’s data, or to block access to it unless a ransom is paid. Ransomware attacks are becoming more widespread.

As a result of the PFEW ransomware attack, there was some disruption to services and backup data was also deleted.

Those affected should have been contacted by the PFEW. However, if you suspect your data was compromised, and you have not been told that your information was breached, you can contact our data protection experts for help.

What can you claim for?

While each case is judged on its own merits, there are some things we would typically look for when it comes to when claiming compensation following a data breach, cybercrime or other GDPR violation:

Financial loss

With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.


GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.

Loss of privacy

Your data has value, and organisations must be held to account if they fail to protect your right to data privacy or otherwise do not uphold your GDPR rights.

How to protect yourself following a data breach or cybercrime

  • Contact your bank or credit card provider immediately if your financial data has been exposed.
  • Check all bills and emails for goods or services you have not ordered.
  • Check your bank account for unfamiliar transactions.
  • Alert your bank or credit card provider immediately if there is any suspicious activity.
  • Monitor your credit score for any unexpected dips.
  • Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name.
  • Never provide your PIN or full password to anyone (even someone claiming to be from your bank).
  • Never been pressured into moving money to another account for fraud reasons. A legitimate bank won’t ask you to do this.
  • Follow the security instructions provided by the organisation that breached your data.
  • Never automatically click on any suspicious links or downloads in emails or texts.
  • Don’t assume an email or phone call is authentic just because someone has your details.
  • Be careful who you trust – criminals often use scare tactics to try and trick you into revealing your security details.
  • Know that, even if you recognise a name or number, it might not be genuine.
  • Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot.
  • Never provide your full password, pin or security code to someone over the phone (or via message). If a bank believes a transaction has been fraudulent, they will not ask for this information to cancel the transaction.
  • Listen to your instincts and ask questions if something feels “off”.
  • Refuse requests for personal or financial information and stop discussions if you are at all unsure.
  • Contact your bank or financial service provider on a number you know and trust to check if a communication is genuine.
  • Be cautious of unsolicited communications that refer you to a web page asking for personal data.
  • Don’t accept friend requests from people you don’t know on social media.
  • Review your online privacy settings.
  • Report suspected fraud attempts to the police and Action Fraud.
  • Register with the Cifas protective registration service to slow down credit applications made in your name.
  • Change your passwords regularly and use a different password for every account (a password manager can help with this).
  • Protect your devices with up-to-date internet security software.