Three and a Half Pence Per Victim: The Currys’ Breach, Nine Years of Legal Theatre, and What Your Business Must Learn
Let’s talk about Darren Warren.
In 2021, Warren brought a claim against DSG Retail for approximately five thousand pounds in compensation. He had been one of the millions of customers whose personal data was caught up in the 2017 Currys till breach. He was not claiming for fraud or specific financial loss. He was claiming for distress, the anxiety and disruption of knowing your data was in criminal hands.
His legal team did not come in with one argument. They came in with four, throwing everything available at DSG to maximise the chance of success. Breach of statutory duty under the Data Protection Act 1998. Misuse of private information. Breach of confidence. Negligence.
The High Court cleared the field. Misuse of private information: struck out. Breach of confidence: struck out. Negligence: struck out. The one surviving thread, the section 13 DPA 1998 claim, was stayed pending the outcome of the ICO's long-running regulatory fight. And there it has largely sat, in legal limbo, while the tribunals argued about whether a 16-digit card number was personal data.
Warren's case is a microcosm of what happened to 14 million people.
Why Misuse of Private Information and Breach of Confidence Failed
The legal logic matters here, because it reveals a gap that surprises most people when they first encounter it.
Both misuse of private information and breach of confidence are torts that require the defendant to have committed a positive wrongful act: actually using your information in an unauthorised way, or disclosing it to someone they should not have.
In the DSG case, DSG did not use your card data. The hackers did. DSG's failure was a failure to prevent: they did not have adequate security controls to stop the attackers from getting in and staying in for nine months.
The High Court held that a failure to prevent a third party from committing a wrongful act does not, of itself, constitute misuse or breach of confidence. The active wrongdoer was the attacker. DSG was, in legal terms, a passive failure. That distinction, however counterintuitive it may feel, eliminated two of Warren's four causes of action in one judgment.
Why Negligence Failed
The negligence claim was disposed of on two separate grounds, both of which reflect structural features of English law that limit data breach litigation.
The first is that where Parliament has created a detailed statutory regime addressing a specific area of duty, such as the Data Protection Act 1998's framework for data controller obligations, courts are very reluctant to layer a parallel common law duty of care on top of it. The concern is duplication and unpredictability. The statutory regime is presumed to be the intended mechanism for enforcement. If you want additional remedies, you argue within that regime.
The second, and in many ways more significant, is that English negligence law does not generally award damages for distress alone. You need physical injury or quantifiable financial loss. Warren had not alleged either. His claim was for the anxiety and worry of knowing his data had been stolen. That, standing alone, does not found a negligence claim in English courts.
This distinction matters enormously for the practical viability of data breach litigation. The harm that most people suffer in a consumer data breach is exactly what Warren described: worry, inconvenience, the need to monitor accounts, the background anxiety of not knowing what happened to your information. That harm is hard to quantify, diffuse, real, and largely unavailable as a head of damages in negligence.
The Group Action That Fizzled
Warren was not alone. When DSG disclosed the breach in June 2018, multiple specialist claimant law firms launched "Were you affected by the Currys data breach?" campaigns. The websites were professionally produced. No-win-no-fee terms. Sign up and we'll handle the rest.
Firms including Group Action Lawyers, Barings Law, and HNK Solicitors were among those running Currys breach campaigns at various points. The theory was sound: 14 million potential claimants, a clear breach, a cooperative regulatory process with the ICO expected to confirm liability. A group action seemed plausible.
By 2024, the websites had changed. "We are no longer accepting new cases in this matter." No big headline settlement. No distribution to claimants. The campaigns closed without result.
Several factors combined to produce that outcome. The High Court's striking out of three of the four causes of action in Warren's case significantly narrowed the available routes. The stayed section 13 claim was tied to the pace of the regulatory process. Claimant firms running no-win-no-fee cases apply their own commercial logic: if the path to recovery looks uncertain and slow, they redirect resources to cases with better prospects.
And then the clock ran.
The Limitation Problem
Under the Limitation Act 1980, a claim for breach of statutory duty must generally be brought within six years of when the breach occurred and damage was suffered.
DSG publicly disclosed the breach in June 2018. The most natural reading of the clock starting point places expiry around June 2024. Some legal teams argued that the relevant date should be the ICO's January 2020 monetary penalty notice, which would give claimants until January 2026. Others suggested that for individual claimants who became aware later, the date of knowledge might shift the starting point.
However the technical arguments ran, the practical reality is this: the Court of Appeal delivered its February 2026 judgment, confirming clearly that DSG had breached its data protection duties and that the ICO's fine was justified, at the precise moment that most individual claimants' realistic litigation windows had closed.
The legal system validated the grievance and simultaneously shut the door on the remedy. Not through anyone's deliberate design. Through the structural interaction of slow regulatory process, a capped fine regime that created incentives for extended appeal, and standard civil limitation rules. The outcome for victims was the same regardless of intent: nothing.
What the System Is Actually Built to Do
It is worth being direct about this, because it matters for how you think about your own responsibilities.
UK data protection law, as the DSG case reveals it in operation, is primarily a compliance and deterrence regime. Its main instrument is the monetary penalty notice. Its main beneficiary is the future: by fining DSG, the ICO sends a signal to other organisations about the consequences of similar failures.
It is not, in practice, a victim compensation regime. Article 82 of UK GDPR does provide individuals with a right to claim compensation directly from controllers. That right is real and has been used in other contexts. But the practical pathway to exercising it in a consumer mass breach, with diffuse harm and narrow available causes of action, is extremely limited.
The people who are protected by a strong regulatory enforcement regime are future customers of future organisations who take the deterrent signal seriously and invest in better security. The people who were harmed by DSG's failures are largely outside the system's ability to help.
What This Means If You Run a Business
If you hold other people's data and you have a breach, here is an honest picture of what the regulatory and legal system will deliver.
The ICO may investigate. That investigation will take months to years. You may receive a fine, the scale of which depends on the nature and scale of the breach and the regulator's current enforcement priorities. Your legal team will assess whether to contest.
Your affected customers will receive a notification and probably an offer of credit monitoring. They will be worried and upset. Most will have no practical route to compensation. If they do seek legal advice, they will encounter the same structural barriers Warren encountered: limited causes of action, distress-only harm, and a limitation clock that runs independently of when any regulatory process concludes.
The people who trusted you with their data will be worse off. You will be financially and reputationally damaged. Neither of those outcomes is reversible after the fact.
The only meaningful intervention is the one you make before anything goes wrong.
How to Turn This Into a Competitive Advantage
The honest conversation about the limits of victim protection is not a cause for despair. It is a cause for clarity.
Your customers cannot rely on the law to make them whole after a breach. What they can rely on is your decision to protect them before one happens. That decision, made visible through clear data stewardship practices, is a genuine differentiator.
In sectors where data changes hands routinely (professional services, healthcare, legal, accountancy, charitable services), that differentiator is worth quantifying. When you pitch for work or renew contracts, the business that can say "here is how we map, protect, and monitor the data we hold about you" is offering something concrete that the law cannot.
How to Sell This to Your Board
Three lines. That is all you need.
The regulatory system confirmed DSG was in the wrong nine years after the breach and most victims got nothing.
Under UK GDPR, the fine ceiling for a similar breach is now £17.5 million or 4% of global annual turnover.
Our investment in data protection before a breach is the only thing that protects our customers and protects us.
The board that understands the DSG story understands that post-breach PR, offers of credit monitoring, and regulatory cooperation are damage limitation, not protection. Protection happens in the architecture.
Actions This Week
One: remind your team that your customers cannot rely on the law to help them if you get breached. That is not a threat. It is a fact. And it is a reason to take data stewardship seriously as a cultural value, not just a compliance obligation.
Two: check whether you have documented your data map, access controls, and security measures. If the ICO asked you to demonstrate reasonable steps tomorrow, could you do it? One afternoon's work can change that answer.
Three: review your data breach notification procedure. Under UK GDPR, you have 72 hours to notify the ICO of a notifiable breach. Do you know who decides whether a breach is notifiable? Do you know who makes the notification? That process needs to be rehearsed before it is needed.
Darren Warren asked for five thousand pounds and got nothing. Your customers deserve better than that. The good news is that better is achievable. The bad news is that it requires you to choose it now, not after the breach.