[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

Substantial damage and distress and knowledge

35. In respect of the “substantial damage or distress” requirement, the FTT directed itself that the test it was required to apply was whether the contravention was of a kind likely to cause substantial distress, not whether the attack did so. It concluded that contravention was of such nature, having regard to the range and volume of personal data held by DSG and the considerable worry and concerns throughout modern society about the risks of identity fraud. Its reasons for so concluding are in paragraph 113 of its decision, which reads:

“113. In contrast to the approach taken in the MPN, we are not persuaded that the most significant risk arising from contravention was that of the fraudulent use of payment cards. We note from expert evidence that the use of PAN and expiry date alone provides only limited opportunity for unauthorised use. This appears to be reflected in the limited extent to which such data may have been used by the Attackers in this case. However, we find it more likely than not that individuals, whether customers or employees, who became aware that their names, dates of birth, addresses and email addresses had been accessed by a sophisticated criminal group would be caused substantial distress. As previously stated, we find in addition that, in relation to an unknown number of individuals, these records of personal data could potentially be linked to their payment card PAN, a circumstance we are satisfied is likely to compound feelings of distress. We therefore conclude that the personal data in relation to which this contravention occurred was of a kind likely to cause substantial distress both qualitatively and quantitatively.”

36. The FTT also concluded that DSG knew or ought to have known about the contravention and failed to take reasonable steps to ensure that the external IT security consultant was prioritising this critical risk.