The frequency of data breaches has made it challenging for individuals to determine the best course of action when their personal information is compromised. While it may be tempting to downplay the severity of the situation, there are potential risks associated with data breaches that should not be ignored.

Falling victim to a data breach can significantly increase an individual's vulnerability to targeted attacks by criminals and scammers, who often exploit stolen information for malicious purposes.

A woman, who shared her experience with the BBC, discovered that her personal details had been leaked online, making her a target for scammers. Sue's case highlights the potential consequences of data breaches.

Sue was subjected to a Sim swap attack, a type of scam where attackers deceive network operators into issuing a new Sim card, granting them access to the victim's mobile device.

The scammers used the new Sim card to gain control over Sue's online accounts, leveraging her phone as a gateway to her digital life. She described the experience as "horrible" and struggled to regain control of her accounts.

According to Sue, the scammers took over her Gmail account and locked her out of her bank accounts after failing security checks, further complicating the situation.

The attackers also opened a credit card in Sue's name and made purchases totaling over £3,000 in vouchers, exacerbating the financial damage.

To resolve the issue, Sue had to visit her bank and mobile phone provider's branches multiple times, a time-consuming and frustrating process.

However, the scammers did not stop there, as they continued to exploit Sue's compromised information.

Sue revealed that the attackers sent disturbing messages to horse riding groups she was part of, warning of an imminent threat to the horses, which she found particularly distressing.

An investigation using online tools, including haveibeenpwned.com and Constella Intelligence, found that Sue's personal details had been exposed in previous data breaches.

The breaches, which occurred in 2010 and 2019 at PaddyPower and Verifications.io, respectively, had compromised Sue's phone number, email address, date of birth, and physical address, making her a vulnerable target.

According to Hannah Baumgaertner, a cyber expert from Silobreaker, the attackers likely utilized the leaked personal data to carry out the Sim swap attack.

Baumgaertner explained that once the attackers gained access to Sue's phone number, they could intercept security codes sent to verify her identity, allowing them to take control of her Gmail account.

Not all scams involve large sums of money; sometimes, the goal is to exploit existing accounts for personal gain.

Fran, a woman from Brazil, discovered that someone had registered to her Netflix account and increased her monthly subscription, resulting in an unexpected charge of $9.90 (£7.50) on her payment card.

Fran immediately contacted her family members to determine if anyone had added a new profile to their shared account, but they all denied making any changes.

It became clear that Fran's Netflix account had been hijacked by someone looking to freeload, a common type of scam.

Although the exact method used to gain access to Fran's account is unknown, it is likely that the perpetrator exploited a vulnerability or used stolen credentials.

The murky nature of cybercrime makes it challenging to pinpoint a single data breach as the cause of the scam, but it is clear that stolen information can be used in various ways.

An investigation using haveibeenpwned.com found that Fran's email address had been exposed in at least four data breaches, including those at Internet Archive, Trellov, Descomplica, and Wattpad, between 2020 and 2024.

While Fran's Netflix password was not found in publicly known databases, it is possible that it may be stored in other, less accessible databases.

Alon Gal, co-founder of Hudson Rock, noted that there is a significant market for compromised accounts, including those for popular streaming services like Netflix, Disney, and Spotify.

Gal explained that stolen data can be used to facilitate widespread abuse, turning a single company's data leak into a lucrative opportunity for scammers.

Scammers often combine stolen private information with publicly available data to launch targeted attacks.

A woman, who wished to remain anonymous, shared her experience of being targeted in a long-running scam originating from Vietnam, which affected her small business that uses Facebook ads.

The woman, referred to as Leah, received a phishing email from a fake Facebook address, prompting her to click on a link and enter her details on a counterfeit Meta page, allowing the scammers to take control of her business account.

The attackers then posted disturbing content under Leah's name, resulting in her account being blocked, and even prevented her from using Messenger to report the issue to Meta.

During the three days it took Leah to regain control of her account, the scammers had run hundreds of pounds' worth of ads, which she eventually managed to recover.

An investigation by Alberto Casares from Constella Intelligence found that Leah's email address and other details had been compromised in data breaches at Gravatar and Qantas.

Casares explained that the attackers likely used a common technique, linking Leah's private email address with her publicly listed business number, to launch a targeted phishing attack against her email account.

The attackers may have carried out this technique themselves or used a data broker to obtain the necessary information, highlighting the complexity of cybercrime.

Mass data breaches are fueling scams and secondary hacks worldwide, with several high-profile attacks occurring in 2025 alone.

According to Proton Mail's Data Breach Observatory, there have been 794 verified breaches, exposing over 300 million individual records, in 2025.

Eamonn Maguire from Proton Mail noted that criminals are willing to pay premium prices for stolen data, as it consistently generates profit through fraud, extortion, and cyberattacks.

Currently, there are no strict guidelines for companies to follow when dealing with data breach victims, aside from notifying customers and regulators.

In the past, offering free credit monitoring was a common practice, but this is no longer the case.

Last year, Ticketmaster, which experienced a breach affecting 500 million people, offered free credit monitoring to some of those affected.

However, this year, fewer companies, such as Marks and Spencer and Qantas, are providing this service to their customers.

Co-op, on the other hand, opted to provide victims with a £10 voucher, but only if they spent £40 in their stores, highlighting the varying approaches companies take to support data breach victims.

Courts are seeing a rise in class action lawsuits as individuals attempt to secure compensation, despite the challenges posed by these cases, which often hinge on the difficulty of demonstrating a direct impact on plaintiffs.

Notable exceptions have emerged, however, where plaintiffs have managed to achieve favorable outcomes.

Following a significant data breach in 2021 that exposed the information of 76 million customers, T-Mobile has initiated compensation payments to those affected.

As part of a settlement, the company has agreed to pay a total of $350 million, with individual payouts said to range from $50 to $300.

To receive a comprehensive summary of the day's key headlines, subscribe to our flagship newsletter by clicking here.