
Published by David Whelan, Associate Solicitor, Complex Law | Simple, Clear Legal Support for Your Case
What happened?
On the morning of Thursday 12 March 2026, customers of Lloyds Bank, Halifax and Bank of Scotland were exposed to a serious data breach affecting the banks' mobile applications. Between approximately 7am and 9am, customers logging into their banking apps were shown the private financial transactions of complete strangers, not their own.
Reports from affected customers paint a deeply concerning picture. One customer described being able to see salary payments from specific employers, dozens of gambling transactions, account balances in the tens of thousands of pounds, and highly localised spending data, enough, she said, to identify where a stranger lives. Another customer initially feared he had fallen victim to fraud when he saw unfamiliar transactions displayed in his own account.
Lloyds Banking Group has confirmed the incident, apologised, and stated that it was "quickly resolved." The Information Commissioner's Office (ICO) and the Financial Conduct Authority (FCA) have both confirmed they are making enquiries.
Cybersecurity experts believe the breach was caused by a failure in the banks' caching systems, the temporary digital stores used to speed up data retrieval, rather than by a deliberate cyberattack. This, however, does not diminish any right of action you may have against the bank, nor does it undermine the seriousness of what has happened.
Why this matters and what redress is available to people who have been affected:
As we say above, just because a data breach is not a cyberattack, this does not mean there is no legal liability. When a bank exposes your private financial data to strangers, even for a short period and accidentally, your legal rights are engaged.
Your Rights Under UK GDPR and the Data Protection Act 2018
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, your bank is a data controller with strict, statutory obligations to keep your personal data secure. These include but are not limited to:
- Ensuring that your data is not disclosed to unauthorised third parties
- Implementing appropriate technical and organisational measures to protect your data
- Notifying the ICO promptly where a breach poses a risk to individuals
Where a bank fails in these obligations, individuals who suffer damage, including distress and non-material damage, may be entitled to compensation under Article 82 UK GDPR as a result of these breaches/omissions. This is a direct right of action against the data controller. The courts have confirmed that non-material damage, including anxiety, distress, and loss of control over personal data, can found a claim even where there has been no direct financial loss.
The Financial Conduct Authority's Consumer Duty
Aside from the obligations the bank owes you under the GDPR / Data Protection Act, they must also adhere to the FCA's Consumer Duty. This came into force in July 2023 and requires firms to put customers' needs first and act to deliver good outcomes. A breach of this nature, which exposed sensitive financial data including salary information, gambling habits and account balances, is precisely the kind of harm the Consumer Duty was designed to prevent.
The FCA has already confirmed it is engaging with Lloyds Banking Group regarding this incident. Regulatory scrutiny of this kind often precedes significant enforcement action and has historically resulted in heavy fines. However, where a fine is levied against the firm responsible, customers affected by an incident such as this are unlikely to receive any civil compensation from that fine and must bring their own, separate civil claim to recover any damages they are owed.
A troubling pattern of IT failures:
Unfortunately, this is not an isolated incident. According to the Treasury Select Committee, there were at least 158 IT failures across the major banks between January 2023 and February 2025, the equivalent of over a month of continuous outages. Millions of customers were left unable to access funds as recently as 27 February 2026 when Nationwide, First Direct, Lloyds and Halifax all suffered simultaneous outages.
Consumer rights experts have pointed to ageing IT infrastructure, and/or systems that are repeatedly patched rather than properly replaced, as a root cause. This enables banks, who profit handsomely from cutting corners on the technology that protects your most sensitive data, to be held to account by the law and their regulators.
Who can claim?
You may have grounds to bring a data breach claim if:
- You are a Lloyds, Halifax or Bank of Scotland customer who was shown someone else's transaction data on 12 March 2026
- You are a customer whose own transaction data was visible to strangers during the breach
- You have suffered distress, anxiety or worry as a result of learning your data was exposed
- You have suffered any financial loss connected to the breach
You do not need to have lost money to bring a claim. The loss of control over your private financial data, wages, spending or your financial circumstances is likely to be considered a recognised form of harm and to fall within the definition of non-material damage as set out in the GDPR / Data Protection Act.
What should you do?
If you were affected by this breach, we recommend taking the following steps:
- Preserve evidence. If you took screenshots of unfamiliar transactions in your app, keep them safe. Note the time and date you accessed the app.
- Report to your bank. Contact Lloyds, Halifax or Bank of Scotland in writing (email is fine) to formally notify them that you were affected. Ask them to confirm in writing what data of yours was exposed and to whom.
- Consider reporting to the ICO. You can make a complaint to the Information Commissioner's Office at ico.org.uk. You are not required to do this before bringing a claim, but it creates a formal record.
- Seek legal advice promptly. Data breach claims are subject to limitation periods. Do not delay in getting advice.
- Keep a record of any distress. Note down how the breach has made you feel: anxiety about your financial security, concerns about being identified from your data, worry about who may have seen your salary or transactions. This matters in compensation assessments.
How Complex Law can help you:
At Complex Law, we provide simple and clear legal support for exactly these situations, with a team of experts who have years of experience in dealing with data protection claims such as this. We understand that taking on a major bank can feel daunting, but you do not have to do it alone.
Our team can advise you on:
- Whether you have a viable claim
- The likely value of any compensation
- How to pursue your claim efficiently and effectively
We offer a free initial consultation to anyone who believes they were affected by this breach. There is no obligation, and we will give you an honest assessment of your position from the outset.
Get in touch today:
If you were affected by the Lloyds, Halifax or Bank of Scotland data breach on 12 March 2026, we want to hear from you.
Contact Complex Law today for your free initial advice session. Your data matters, your rights matter and we are here to help you enforce them.