Why is the Metropolitan Police being sued for a data breach, when it wasn’t hacked?

The Metropolitan Police data breach has led to a flurry of lawsuits, raising an important question: why is the Met being sued when it wasn’t directly hacked? Understanding the intricacies of this situation requires a closer look at data protection laws, the role of third-party suppliers, and the responsibilities of data controllers.

A brief overview of the Met data breach

In August 2023, a data breach was discovered involving the Metropolitan Police Service (Met) in London. The breach didn’t result from a direct attack on the Met’s systems but through a ransomware attack on Digital ID, an IT services company and supplier to the Met.

Digital ID, responsible for producing warrant cards and identification badges, had a wealth of sensitive data about Met officers and staff, which cybercriminals managed to access.

The breach exposed a wide range of personal information, including:

  • Names
  • Ranks
  • Photos
  • Vetting levels
  • Pay numbers
  • Warrant numbers
  • Pass numbers
  • Geolocation data

The compromised data potentially affected tens of thousands of personnel, leading to significant concerns about the safety and security of officers, especially those in undercover or sensitive roles.

Why the Metropolitan Police is being sued

Despite the breach occurring at a third-party supplier, the Metropolitan Police is facing lawsuits. 

Data Controller Responsibility

Under the UK General Data Protection Regulation (GDPR), the Metropolitan Police is a ‘data controller’, as it owns and manages the personal data of its officers and staff. As a data controller, the Met is legally responsible for ensuring that personal data is processed securely, regardless of whether the processing is done internally or by a third-party supplier. If the Met failed to adequately vet Digital ID’s security measures or neglected to monitor its compliance with data protection standards, it could be found negligent.

Affected individuals have the right to seek compensation for damages resulting from data breaches. Claimants can argue that the Met violated GDPR by failing to protect their personal data and not ensuring the supplier complied with necessary security standards.

Conclusion

The Metropolitan Police is being sued for a data breach that occurred at a third-party supplier because it is ultimately responsible for the security of the personal data it controls. This situation underscores the importance of robust data protection practices and the need for organisations to diligently manage their relationships with third-party suppliers.

Are you eligible to join the Metropolitan Police data breach compensation claim?

Could you qualify for a NO-WIN, NO- FEE Metropolitan Police compensation claim. Find out instantly with our easy-to-use eligibility checker!

Check your eligibility today

If you have a claim, register your interest and we’ll connect you with a UK law firm running a Metropolitan Police data breach group action. 

You may also like:

Thousands of drivers given permission to sue BMW for illegal emissions devices

In January 2024, the High Court ruled that drivers could sue BMW for fitting some diesel vehicles with devices that tricked emissions tests. The illegal devices made it seem like BMW’s diesel cars were less-polluting than they actually were.

Asda equal pay claim: Can store workers fight for fair wages?

Asda store workers may be underpaid. Check if you qualify for an equal pay claim and take action to seek the compensation you deserve.

Capita data breach: Legal response & ongoing investigations

Capita’s data breach exposed pension holders’ personal data. Stay updated on the latest legal action, investigations, and regulatory responses.

You might also like

See more resources

Several bottles of Johnson's baby powder on a store shelf, symbolising the Johnson and Johnson talc lawsuit over alleged asbestos contamination and cancer risks.
  • News, Product Liability

Johnson & Johnson talc lawsuit in the UK: What you need to know

A UK lawsuit claims Johnson & Johnson’s talc products cause cancer. Learn about the case,...
Low-angle view of people walking in a city, symbolising unity and collective action, related to key facts about group litigation for seeking justice.
  • News

10 must-know facts about group litigation for first-time claimants

Discover 10 essential facts about group litigation for first-time claimants. Learn how joining a group...
  • News, Travel

Flight cancelled or delayed for 3+ hours? You could be due compensation!

Flight delays and cancellations can completely disrupt your travel plans, costing you time, money, and...

Did you know we have a newsletter?

Sign up for our newsletter to stay up to date.

We connect consumers with their legal dream teams to ensure they get the compensation and support they deserve.

claims
About
Legal
Connect

Join the Claim is not a law firm. We connect individuals with top law firms for group action claims, and our service is free to use. While we may receive a fee from the law firms we introduce you to, this will not affect your costs or compensation. We are not responsible for the advice or services provided by these firms. Please note, nothing on this website is legal advice, and while we check claim eligibility, we cannot guarantee a law firm will accept a case.

Join the claim is a registered trading name of Big on Media ltd. Big on Media is registered in the United Kingdom under licence number 09878028 with its registered office located at Big on Media, 6 Sunderland Street, Tickhill, Doncaster, DN11 9QJ

© Join the Claim All Rights Reserved | 2025

Go to claims