Currys case sparks new data breach class action threat

Company bosses believing they had seen the threat of data breach class actions evaporate have been forced to think again after a case against Currys Retail – dating back to a 2015 cyber attack – has been granted permission to move forward in the courts.

The breach, which saw the personal data on 2.4 million customers held by Currys Retail-owned Carphone Warehouse compromised, sparked a £400,000 fine from the Information Commissioner’s Office; one of the largest issued at the time.

Almost 2,000 victims have signed up to the case against the company being brought by Manchester-based Barings Law.

In the most recent hearing, held at the end of last month at Manchester Crown Court, Barings presented an application to amend the particulars of its clients’ claims, which was granted by Judge Bird KC, although Currys had argued against the procedure.

Barings head of data breach Adnan Malik said: “This is a good indication that the court is willing to hear us out on behalf of the countless people impacted by the case.

“People’s private information is of huge importance. It’s heartening to see the court taking a stand in favour of the victims, showing a commitment to upholding the principles of justice.

“The overwhelming response with nearly 2,000 sign-ups underscores the magnitude of this data breach’s impact. It is clear that people are seeking justice and resolution, and we are committed to representing their interests effectively.”

If successful, Barings claims the case – which has been deferred several times – could be worth millions of pounds in compensation for those impacted.

Malik added: “Our clients impacted by this have felt distressed by the breach of their personal information and they want to see justice for what happened. We’ve stood firm from day one despite the delays, and at Barings Law, our primary goal is to secure justice for our clients and to establish ourselves as a leading authority in handling data breach cases.

“The recent ruling reflects the growing recognition of the serious consequences that data breaches have on individuals and the need for accountability.”

A Currys spokesperson said: “This was one of a number of procedural hearings which were required to deal with numerous defects in the particulars of the claim presented by Barings Law. The claim, which relates to a cyber attack as long ago as 2015, continues to be defended by the Company.”

The rise of US-style class actions was triggered by GDPR, which came into force after the Currys incident, with a raft of “no win, no fee” cases being brought against firms who had suffered breaches, including British Airways, EasyJet, Virgin Media, TalkTalk, Marriott International, the British Dental Association and Google to name but a few.

However, many of these cases were scuppered by the Supreme Court ruling in the Lloyd v Google case, brought by former Which? director Richard Lloyd that sought billions of pounds in damages on behalf of millions of people on the basis of privacy harms.

Lloyd’s team had claimed £750 in damages should be awarded to each of a proposed class of 4 million Apple iPhone users in England and Wales, arguing that their online activity was secretly tracked by Google between 2011 and 2012. They claimed the tech giant had then used the data to enable advertisers to target ads at users based on their browsing history.

But the Supreme Court rejected Lloyd’s argument, ruling that each claimant must establish they had personally suffered some form of material damage, such as financial loss or mental distress, resulting from the alleged breach.

Since then, many cases have been dropped, including action against TikTok brought by former children’s commissioner for England Anne Longfield in May last year.

At the time, Longfield said: “The Supreme Court’s decision in Lloyd v Google has created an enormous amount of legal uncertainty around privacy class actions, and this unfortunately proved too great a risk for the funders and insurers in this case. Without funders and insurers, we cannot protect parents of affected children from bearing the financial burden of the case.”