What Happened to the 14 Million People the Currys’ Breach Left Behind

I want to tell you about Darren Warren.

In 2021, Warren went to court. He wanted five thousand pounds from DSG Retail, the company behind Currys, for the distress of having his data stolen when malware sat on their payment tills for nine months. Not for fraud. Not for money taken from his bank account. Just for the genuine worry and disruption of knowing his personal information had ended up in criminal hands.

He was one of 14 million people in that position.

His lawyers threw four different legal arguments at DSG, trying every available route. Breach of statutory duty under the Data Protection Act 1998. Misuse of private information. Breach of confidence. Negligence.

The High Court knocked three of the four down. The remaining thread, a section 13 DPA 1998 claim, was frozen in place pending the outcome of the ICO's own regulatory battle with DSG. And there it sat for years, going nowhere, while lawyers argued through three levels of tribunal about whether a 16-digit card number counts as personal data.

Darren Warren's case is a microcosm of what happened to all 14 million people affected by the Currys breach. And it is worth understanding in some detail, because it tells you something important about what data law can and cannot actually do for the people it is meant to protect.

Why Most of the Legal Routes Were Closed Off

Let me explain the three claims that were struck out, because the reasons matter.

Misuse of private information and breach of confidence both require the defendant to have actively done something wrong with your data: used it without permission, or disclosed it to someone they should not have. That is not what happened here. DSG did not use your card details. The hackers did. DSG's failure was that they did not have adequate security in place to stop the hackers from getting in and staying in for nine months.

The High Court's position was clear: failing to stop a third party from misusing your data is not the same legal thing as misusing it yourself. Those two claims were gone.

The negligence claim ran into two separate problems. First, when Parliament has already created a detailed legal framework covering something, such as the data protection regime under the 1998 Act, courts are cautious about creating a whole new set of duties on top of it. They prefer you to argue within the existing framework. Second, and this is the really significant part: English law does not generally award damages for distress alone. You normally need to point to physical injury or quantifiable financial loss.

Warren's claim was about anxiety and worry. Knowing your data had been stolen. The background stress of monitoring your accounts, wondering whether your information had been used. Real harm, absolutely. But not the kind of harm that founds a negligence claim under English law.

Here is why that matters for everyone affected by data breaches, not just the Currys case. The harm that most ordinary people actually experience when their data is stolen is exactly what Warren described: worry, inconvenience, uncertainty. It is real, it is disruptive, and it is almost entirely unavailable as a basis for compensation in English civil courts.

The Group Actions That Quietly Closed

Warren was not on his own. After DSG disclosed the breach in June 2018, several specialist claimant law firms launched campaigns. "Were you affected by the Currys data breach?" The websites looked professional. No-win-no-fee. Sign up and leave it to us.

On paper, the conditions seemed right for a large group action. Fourteen million potential claimants. A clear breach. An ongoing ICO investigation expected to confirm liability. It seemed like the kind of case that should produce a significant settlement.

By 2024, those same websites had been updated. "We are no longer accepting new cases in this matter." No settlement announcement. No payout to claimants. The campaigns just closed.

The reasons are straightforward once you understand the landscape. The High Court decision in Warren's case had taken most of the available legal routes off the table. The remaining statutory claim was stuck waiting on the regulatory process. And law firms running no-win-no-fee cases have to make commercial decisions: if the path to recovery is uncertain, slow, and expensive to pursue, resources go elsewhere.

Then the clock ran out.

The Timing Problem

Under the Limitation Act 1980, a claim for breach of statutory duty generally has to be brought within six years of when the breach happened and you suffered damage.

DSG disclosed the breach in June 2018. The most straightforward reading puts the limitation deadline around June 2024 for most people. Some legal teams argued it should run from the ICO's January 2020 penalty notice instead, which would give until January 2026. Either way, by the time the Court of Appeal handed down its judgment in February 2026 confirming that DSG absolutely had a duty to protect that data, the window for most people to act had already closed.

Think about what that means in practice. The legal system spent nine years working through this case. At the end of that process, a senior Court of Appeal judge confirmed: yes, DSG failed its customers. Yes, the duty to protect that data was real. Yes, the ICO was right to fine them.

And by the time that confirmation arrived, most of the 14 million people affected had no realistic legal route left.

The law validated the grievance at the precise moment it could no longer provide the remedy.

What Data Protection Law Is Actually Built to Do

I think it is worth being honest about this, because a lot of people assume the data protection system is primarily about compensating victims when things go wrong.

It is not, really. The ICO's main tool is the monetary penalty notice. The enforcement theory is deterrence: fine organisations enough that other organisations invest in proper security to avoid the same outcome. The benefit to victims is meant to flow indirectly, through better security practices in the future, not directly through compensation in the present.

UK GDPR's Article 82 does give individuals the right to claim compensation from controllers. That right exists and has worked in other contexts. But in a consumer mass breach, where millions of people suffer moderate, hard-to-quantify harm with no clean financial loss, the practical route to using that right is very narrow.

The people the enforcement system is really protecting are future customers, of future businesses, who behave differently because of the fine DSG received. The 14 million people caught up in the 2017 breach are largely outside the system's practical ability to help.

What This Means for Your Business

Here is the practical takeaway, and I want to say it plainly.

If you have a breach, your affected customers are probably not going to get compensation. The ICO may investigate and fine you, which will be expensive and damaging and public. But your customers will get an apology email, possibly some credit monitoring, and then largely nothing.

The only protection that actually reaches them is the decision you make today about how seriously you take their data.

That is not meant to frighten you. It is meant to focus your thinking. Because the alternative, which is assuming that compliance paperwork or the regulatory system will deal with any fallout, is not a plan. It is wishful thinking.

How to Turn This Into a Competitive Advantage

Here is the positive version of the same message.

In most markets, your customers cannot easily tell whether you take their data seriously. They see your privacy policy, which every business has. They see your cookie banner, which every website has. They cannot see what is actually happening underneath.

If you do the work, you can make it visible. A clear, plain-English data stewardship statement. Documented controls. A named person responsible for data security. An honest answer to the question "what would you do if our data was compromised?"

Most businesses cannot answer that last question well. The ones that can are differentiated. In professional services, healthcare, legal, accountancy, education, any sector where clients are handing over sensitive information, being able to answer it builds real trust.

How to Sell This to Your Board

Three straightforward points.

The legal system confirmed DSG was in the wrong nine years after the breach and most victims got nothing. That is not an unusual outcome. It is a structural feature of how data enforcement works.

Under UK GDPR, a serious breach at your organisation could attract a fine of up to £17.5 million or 4% of global annual turnover. That is the current environment, not the £500,000 cap that applied to DSG.

The cost of mapping your data, reviewing who has access, and setting up basic monitoring is a few days of focused work. The cost of not doing it is open-ended. That is the board-level case.

Three Things to Do This Week

One: check whether you have documented your data map and access controls. If the ICO asked tomorrow whether you knew what personal data you held and who had access to it, could you show them? A spreadsheet and an afternoon are enough to start.

Two: make sure your data breach notification process is ready. You have 72 hours under UK GDPR to notify the ICO of a notifiable breach. Do you know who makes that call? Do you know what counts as notifiable? Work that out before you need it.

Three: have a conversation with your team about what your customers are trusting you with. Not a compliance lecture. Just a straightforward conversation about the fact that the data you hold represents real people who are relying on you to look after it.

Darren Warren asked for five thousand pounds and got nothing. Your customers deserve someone who will make sure they never need to ask.
