Tesco Clubcard Data Breach Compensation Claims Guide – How Much Compensation Can I Claim? – Amounts For Tesco Clubcard Data Breach
My Data Privacy Was Breached By Tesco Clubcard, Could I Claim Compensation?
By Stephen Hicks. Last Updated 24th August 2021. Welcome to our guide about Tesco data breach compensation claims. Organisations who hold personal data about you have a legal duty to keep it safe and secure under the General Data Protection Regulation (GDPR), which was enacted into our laws by The Data Protection Act 2018. It’s not just those companies who hold financial data. For instance, this guide is about making data protection breach claims against Tesco Clubcard.
You might think that Tesco Clubcard is exempt because they simply provide rewards points for your shopping. However, as they hold personal information about you on file, you could claim against them if you suffered harm because of a data breach.
The rules of the GDPR mean that your permission has to be sought before anybody collects data from you. It also means that if a breach happens, you need to be informed quickly and advised what data was accessed.
While the systems used by retailers who operate loyalty schemes are technically sound, a Tesco data breach did occur in 2020 when scammers accessed the accounts of around 620,000 customers. If the scam has caused you any harm, it might be possible for you to start a compensation claim against Tesco Clubcard provided you can prove that you’ve been impacted by the breach.
If you do decide that’s the course you want to follow, Legal Expert could help. Our advisors are able to offer a telephone assessment of any claim on a no-obligation basis. They’ll also provide free advice and check if the claim has merit. If it does, you could be referred to one of our specialist solicitors who’ll work on any claim they accept on a No Win No fee basis.
To start your claim today, please feel free to call us on 0800 073 8804. For more information on claiming for Tesco Clubcard data breach before contacting our team, please continue reading.
Select A Section
- A Guide To Data Protection Breach Claims Against Tesco Clubcard
- What Is A Data Protection Breach Claim Against Tesco Clubcard?
- Requirements For Businesses To Comply With The GDPR
- Details Of The Tesco Clubcard Data Breach
- Could The ICO Help If My Personal Data Was Hacked?
- What Compensation Could You Get For A Data Breach?
- How Much Compensation Could You Be Awarded For A Tesco Clubcard Data Breach?
- How To Claim For A Breach Of Data Protection Regulations By A Private Company
- How To Get Help From A Data Protection Breach Solicitor
- No Win No Fee Data Protection Breach Claims Against Tesco Clubcard
- Start Your Data Breach Claim
- Additional Resources For Claimants
A Guide To Data Protection Breach Claims Against Tesco Clubcard
If you logged in to your Tesco account earlier in 2020 and thought, “What’s happened to my Tesco Clubcard points?”, then you might’ve been the victim of a hack where scammers tried to spend the Clubcard points of over 600,000 Tesco customers.
Under the GDPR rules, companies who store your data have an obligation to keep it safe and as secure as possible. When they fail to do so, and your personal information is exposed, you could be entitled to claim for any harm caused.
When you sign up to Tesco Clubcard, you may be asked to enter personal information and also agree with how your data can be used. When you’ve finished the signup process, it’s important that Tesco adheres to your requests and only use your personal information in the ways that you’ve authorised.
During the course of this guide, we’ll look at what type of Tesco Clubcard data breaches could happen, what harm they might cause and when you could be compensated.
If you are considering starting a compensation claim following a data breach, you’ll need to be aware that there is a 6-year time limit (which is reduced to 1-year if your claim is based around a breach of your human rights).
This might sound like a lot of time but we’d advise starting your claim as soon as possible to ensure your solicitor has plenty of time to gather evidence and so that you find it easier to recall how you’ve been affected.
What Is A Data Protection Breach Claim Against Tesco Clubcard?
A data breach is an event where information containing personal data is accessed, disclosed, destroyed or lost because an action you hadn’t authorised took place. In some cases, the data that’s exposed in the breach could contain sensitive or confidential information like your name, address, passwords or card details. It is sometimes possible that you could claim compensation for the harm caused by data breaches.
In some cases, human error leads to a data breach. For instance, if your personal information is sent to another customer. One common mistake that people make is where they send an email to an entire mailing list using the CC function rather than the BCC function, meaning everyone else can see who the email was sent to. If that email contained personal or sensitive information that could be used to identify you, then you could be entitled to claim compensation for any harm caused.
In the event of the Tesco Clubcard incident, the data breach was caused when hackers tried to access customer accounts using username and password combinations used on other websites.
Requirements For Businesses To Comply With The GDPR
As we’ve explained already, the GDPR has come into law to provide individuals with better control over who holds their data, who is able to access it, what purposes it’s used for, and who it can be shared with. The definition of personalised data is any piece of information which could help identify an individual (directly or indirectly). The types of information we’re talking about include names, addresses, telephone numbers, email addresses, gender, ethnicity and location details.
In accordance with GDPR, businesses need to identify different roles such as data handlers and data processors. A data processor must adhere to several principles about data including:
- The data subject (Clubcard customers in this instance) has to be informed about the legitimate purpose behind the processing of their data.
- Any personal information that’s retained should be kept up to date.
- The data should only be retained for the length of time specified at the time it was collected.
- Processing of customer data should be lawful, fair and transparent.
- Only the minimum amount of data required should be collected.
- Data processing needs to be confidential and secure i.e. it might mean data needs to be encrypted.
The person responsible for holding any personal data within an organisation, the data controller, needs to be able to demonstrate compliance with the principles listed above.
If you would like to find out if you’re able to start a data protection breach claim against Tesco Clubcard, please contact one of our advisors for free advice on your options. It may be worth writing down some notes about how you’ve been affected by the breach before calling.
Details Of The Tesco Clubcard Data Breach
Now we’re going to review what happened in the data incident which affected Tesco Clubcard. The recent event, in early 2020, resulted in 620,000 accounts being blocked by Tesco as a security measure.
Tesco management believes that their systems were not hacked by the scammers involved in the scheme. Instead, it’s believed they tried to access customer accounts with username and password combinations stolen from other websites.
It is thought that the hackers had hoped to gain access to customer reward points which can be used to buy vouchers, gifts and days out at different establishments. Tesco made a statement to inform customers that any reward points that had been stolen would be replaced.
After their internal systems picked up what was happening, Tesco took immediate steps to block accounts that had been affected and forced customers to reset their passwords the next time they logged in.
The ICO was informed by Tesco of what had happened, but it was reported that they didn’t expect to receive a fine because no personal financial data had been accessed. However, although the hackers were trying to steal Tesco Clubcard points, there is a potential that they could’ve seen customer’s personal data for any account they logged into (not including payment information).
In 2018, Tesco Bank was fined £16.4 million after criminals carried out a cyberattack in which they stole over £2 million from 34 Tesco Bank customer’s accounts.
If you believe that the hacking of Tesco Clubcard has adversely affected you, and you’d like some free advice, please call and discuss your case with an advisor today.
How A Private Company Could Be In Breach Of Data Protection Regulations
When we talk about a GDPR data breach, we’ll often think of computer hackers trying to steal information over the internet, as was the case with the Tesco data breach. However, it’s also possible for a breach to happen in other ways that usually involve human mistakes.
While the GDPR is quite a new law, that’s not an excuse for not complying with its rules. That means businesses need to invest in training any staff who have access to data so that they understand their obligations in relation to the new regulation. Many of the rules associated with the GDPR are not that different from previous laws so for some staff, training could simply be a refresher with the new rules explained to them as well.
It is possible for human errors to cause a data breach where:
- Personal information is emailed to the incorrect customer.
- Documents containing personal information are left in public places (on trains for instance).
- Staff accessing personal records of customers when there is no business requirement to do so.
- Data containing personal information is sold or shared with unauthorised organisations.
- Computer screens are left unlocked and data is observed by unauthorised individuals.
- Computers become infected by malware, ransomware or viruses.
It’s quite possible that a data breach might never be spotted by the business who holds your records. However, if they do become aware of what’s happened, then one of their duties under the GDPR is to let you know what happened and what information was obtained.
We can help with data protection breach claims against Tesco Clubcard so please let us know if you believe their data breach has caused you any harm. Our team of specialist advisors will assess your claim for free and work out whether a claim might be possible.
Could The ICO Help If My Personal Data Was Hacked?
As with any customer service issue with Tesco, you are able to contact them directly to complain about what’s happened. Any retail complaints are likely to be investigated by the customer services department or by the store you’re complaining about. If you’re complaining about a data breach, somebody will probably assess what has happened and contact you with their findings.
If you’re not happy with the response you receive, you do have the option to raise a complaint with the Information Commissioner’s Office (ICO). Should you decide that’s the route you’d like to take, then you should be aware that the ICO won’t generally become involved with complaints that have taken a long time to reach them. It’s best to let the ICO know about your issue around 3-months after you last had meaningful communication with the business you’re complaining about.
While an ICO investigation might provide more answers about what happened, it won’t result in you receiving any compensation. The ICO are able to fine companies for data breaches and they could provide a view on your case but the only way you’ll be compensated is if you claim against the company directly.
Legal Expert is able to help with data protection breach claims against Tesco Clubcard. If your claim is accepted, a solicitor will help you decide on the best way to claim. They might recommend trying to reach a settlement directly or they might consider it a good idea to wait for the results on an ICO investigation.
To find out if you’re able to start a data breach claim against Tesco Clubcard, please contact a member of our team. Your case will be assessed on a no-obligation basis and free advice will be provided even if you don’t go on to make a claim.
What Compensation Could You Get For A Data Breach?
In this section and the next, we’re going to consider what it is that you could be compensated for and how much might be paid. When making a data breach claim, a solicitor is able to claim for:
- Material Damage – This is compensation designed to cover any financial losses you’ve suffered as a direct result of the data breach. For instance, you could be eligible to claim for losses caused by identity theft.
- Non-material damage – This compensation is awarded to cover suffering caused by psychological injuries, distress or anxiety.
What can be included in your claim will be completely different from any other case as each person is affected differently. Therefore, one of our solicitors will need to fully assess your case before you’ll know what you’ll be claiming for.
First of all, your solicitor will consider what financial impact has been caused by the data breach (if any). For instance, if your information is used by an identity thief to obtain credit, your credit file might be affected for a long time afterwards so the financial impact would need to be calculated.
The emotional harm, if any, that’s been caused by the breach will need to be assessed to determine whether your ability to cope with life, work or education has suffered. A specialist will also be used to assess whether you’ve suffered from anxiety, stress or confusion because your data was stolen.
From what we’ve listed in this section, it should be apparent that assessing what could be claimed for is quite a tricky process. If you let one of our specialist solicitors work with you, they’ll try to ensure that every aspect of your case is considered before submitting your claim so that they can try and achieve the correct level of compensation for you.
How Much Compensation Could You Be Awarded For A Tesco Clubcard Data Breach?
In many types of claims, you need to prove that you suffered a financial loss before you can seek compensation. However, in the case of Vidal-Hall and others v Google Inc , the Court of Appeal decided that claims for harm caused by data breaches could be made without any pecuniary loss. Furthermore, they decided that compensation for non-material damage should be paid in line with personal injury claims.
Therefore, we’ve provided the table below that shows some example compensation figures for relevant injuries. The figures are from a document that courts use to determine settlement amounts called the Judicial College Guidelines (JCG).
|Type of Claim||Severity||Compensation||Details|
|Psychiatric Damage||Less Severe||Up to £5,500||This compensation bracket will consider the period that the disability existed and the time sleep and daily activities were affected.|
|Psychiatric Damage||Moderately Severe||£17,900 to £51,460||This bracket is for suffering which caused the claimant to struggle with education, work, or life in general. It also considers how they've struggled to manage relationships. While the claimant might remain vulnerable in the future, their overall prognosis will be optimistic.|
|Post-Traumatic Stress Disorder||Less Severe||£3,710 to £7,680||This bracket is used to cover PTSD where virtually a full recovery has been made within 1 to 2-years.|
|Post-Traumatic Stress Disorder||Moderately Severe||£21,730 to £56,180||This bracket is used to cover PTSD which leads to some significant disability for the foreseeable future. The claimant's symptoms should improve though with the help of professional support.|
|Post-Traumatic Stress Disorder||Severe||£56,180 to £94,470||This bracket is for PTSD which has caused a bad affect on all aspects of the claimant's life. They will not be able to function at anywhere near the same levels as previously and the permanent effects will mean work is not possible.|
To help ensure the right level of compensation is awarded, you’ll need to attend a local medical assessment as part of the claims process. The specialist who conducts the appointment will review your medical records and ask questions about how you’ve been affected. They’ll then prepare a report with their findings for your solicitor.
How To Claim For A Breach Of Data Protection Regulations By A Private Company
As discussed earlier, the first thing you should do if you believe a data breach has occurred is to complain to the company in question first. If you don’t agree with their response, you could use a solicitor to raise a claim against them. In some cases, your solicitor could negotiate on your behalf and reach a settlement without the need for an ICO investigation.
How To Get Help From A Data Protection Breach Solicitor
So, what’s the easiest way to find a solicitor who’ll help you with a data breach claim? Well, many people simply look for the nearest law firm to where they live, others ask friends for advice and others read online reviews (here are some of ours).
Any of those steps could mean you end up finding a solicitor who’ll take your case on. However, our advice would be to simply contact Legal Expert and have your case assessed for free. If the case is accepted, you’ll be connected with one of our team of solicitors who have many years experience handling all sorts of compensation claims.
No Win No Fee Data Protection Breach Claims Against Tesco Clubcard
To provide you with important access to justice while reducing your financial risk, our solicitors offer a No Win No Fee service for any claim they accept.
After your claim has been assessed by a solicitor, they’ll provide you with a Conditional Fee Agreement (CFA) if they’re happy to take your claim on. The CFA is the contract that funds your case and provides many benefits, including:
- No upfront fees.
- No solicitor’s fees to pay while the claim continues.
- You won’t pay any of your solicitor’s fees at all if the claim fails.
Should your claim be won, your solicitor will retain a success fee to cover their work. This is a small portion of your compensation that’s limited by law. To ensure there are no surprises, the percentage you’ll pay as a success fee will be listed in the CFA from the start.
Start Your Data Breach Claim
If you would like to begin a claim with Legal Expert on your side, here are the best ways to contact us:
- Call our team on 0800 073 8804 for free claims advice.
- Claim online and we’ll arrange a call back at a suitable time.
- Let an online advisor know what’s happened via our live chat channel.
- Email details of your claim to email@example.com.
Additional Resources For Claimants
Thanks for reading our guide about data protection breach claims against Tesco Clubcard. In this final part of the guide, we’ve linked to some further guides and resources which might prove useful.
Tesco Accident Claims – Information on claiming for injuries sustained in a Tesco store.
Professional Negligence Claims – Details on how to claim against a business who’s advice has caused you to suffer.
Tesco Pharmacy Claims – Guidance on when you might be able to make a medical negligence claim against Tesco pharmacy.
Complain To The ICO – Details on what you need to do to raise a formal complaint with the ICO.
The GDPR – The full 88-page document listing the GDPR rules.
Mental Health Services – A list of NHS mental health services.
At Legal Expert, we can also provide advice and other support on personal injury claims. You can check out our guides on such claims, including the following examples below:
- Medical Negligence Claims – Our guide on how different types of medical negligence claims can be made.
- Slip, Trip or Fall Claims – This guide discusses claiming for an accident involving either a slip, trip or fall.
- Accident at Work Claims – Your rights and legal options for claiming if you have an accident at work.
- Restaurant Accident Claims – Learn more about how you may be able to claim compensation when harmed by a restaurant.
- Road Traffic Accident Clams – A deep look into the different types of road traffic accidents which could lead to a compensation claim.
Thank you for reading our guide about Tesco data breach compensation claims.