
What to do if your card details are stolen in the UK

Some UK breaches expose card numbers; others expose identity data without touching the cards. The recovery actions differ, and confusing the two creates either friction without protection or under-response.


Omer Yusuf

Founder, eigin


In some UK breaches, attackers take card details: the 16-digit number, the expiry, sometimes the CVV. In others, attackers take identity data without touching card numbers: names, addresses, dates of birth, contact details. The recovery actions differ. Confusing the two creates either friction without protection (cancelling a card the breach never reached) or under-response (treating an identity-data exposure as if the cards are safe).

Read the merchant's notification first. UK GDPR Article 34 requires the merchant to name the categories of data involved when a breach is likely to cause high risk to the people affected.

Card-data breaches and identity-data breaches

The card-data case usually involves a Magecart-style attack on the merchant's checkout page or a compromise of stored card data. The British Airways 2018 attack exposed full card details for around 244,000 customers; the 2018 Ticketmaster attack reached approximately 1.5 million UK customers. Both used Magecart, a technique that injects skimming code into the merchant's checkout page so card data is copied as the customer enters it. Ticketmaster's 2024 breach, via a compromised Snowflake account, exposed only the last four digits and expiry dates of cards: useful for targeted phishing, not enough to make a transaction.

The identity-data case involves access to the merchant's customer database. The April 2025 attacks on Marks & Spencer and the Co-op are the canonical recent examples; both are attributed to the Scattered Spider group, which used DragonForce ransomware. M&S has confirmed that no usable card or payment details were taken. The Co-op has confirmed that no financial data or passwords were taken; the data on all 6.5 million members was identity data only. The 2015 TalkTalk breach was a smaller-scale mixed case: 156,959 accounts with identity data, plus 28,000 partial card numbers and 15,656 sort codes and bank account numbers.

Actions that apply in both cases

Some actions help whichever shape the breach takes; they are short and worth doing first.

Change your password at the breached merchant's account, using one you do not use anywhere else. Reused passwords are the most common bridge from a single-merchant breach to the takeover of unrelated accounts. If you reused this password elsewhere, change it on those accounts too. A password manager makes this practical.

Turn on multi-factor authentication on every account that supports it: your email first, your bank, any service that holds a payment card. Breach data combined with a known email password gives an attacker enough to reset accounts elsewhere. MFA breaks that chain.

Treat anything in your inbox or by text claiming to be the breached merchant as suspicious. Breach data is most often sold quickly and used in targeted phishing within weeks: messages quoting your real name, real address, real order history, asking you to click a link or confirm details. The merchant will not ask you to confirm a password, a full card number, a one-time code, or a bank login. Suspicious text messages can be forwarded to 7726 (which spells SPAM on a keypad), the UK industry shortcode that routes the message to your mobile network for blocking.

If your card details were stolen

If the breach exposed your full card number, the expiry, and especially the CVV:

Tell your bank now. Most UK banks have a 24-hour fraud line on the back of the card; many also offer in-app card freeze and instant cancellation. The bank cancels the old number and issues a replacement, so any merchant or attacker holding the old number can no longer charge it.

Cancelling the card does not always cancel the merchant's link to your account. Visa and Mastercard run an Account Updater service that sends merchants the new card number when the old one is reissued, so subscriptions and saved-card merchants may continue to charge your replacement. If a stolen card was used with a merchant you do not trust, cancel the relationship with the merchant directly, not just the card.

Watch the account for unauthorised transactions and dispute any you find. The Payment Services Regulations 2017 give you the right: your bank must refund unauthorised payments unless you were grossly negligent. This applies to credit and debit cards, with no minimum transaction value. The bank usually refunds you and recovers from the merchant's bank using chargeback. The right to the refund is statutory; chargeback is the operational mechanism. A bank that tells you a small fraudulent transaction is below a threshold for action is wrong; there is no threshold.

For non-fraud disputes, where the goods did not arrive or the merchant misrepresented something, use chargeback or section 75. Chargeback applies to credit, debit, and prepaid cards under Visa, Mastercard, and Amex scheme rules, with no minimum amount. The window is normally 120 days from the transaction or from when you expected to receive the goods. Chargeback is not a statutory right; it is a scheme rule the bank can refuse to action, though they rarely do without cause.

Section 75 of the Consumer Credit Act 1974 applies only to credit cards, and only on items priced between £100.01 and £30,000. It gives you joint and several liability against the card issuer for the merchant's breach of contract or misrepresentation, the strongest UK consumer right where it applies. You have six years from the purchase to bring a claim. Section 75 still applies if you only paid part of the price on the credit card: a £20 deposit on a £500 booking gives cover on the full £500. It does not apply when payment is via a third-party processor like PayPal that breaks the direct cardholder-merchant link.

If your identity data was exposed but your cards were not touched

If the breach exposed your name, address, date of birth, contact details, or order history but no card numbers, the immediate fraud risk is low. The first weeks are mostly about the shared actions: strong unique passwords, MFA on key accounts, and vigilance against phishing. The rest mitigates the longer-tail risk of identity fraud.

Strengthen your bank account and email. A determined attacker with your name, date of birth, and address can attempt account-recovery flows at services where you have accounts. Strong unique passwords, plus MFA on bank, email, and any account holding payment cards, is the practical mitigation.

Monitor your credit file at all three UK credit reference agencies: Experian, Equifax, and TransUnion. Each agency runs its own statutory credit report service, and some lenders only report to one agency, which is why checking all three matters. Free options exist: Experian's basic report is free direct, Credit Karma uses TransUnion data, ClearScore uses Equifax data, and MoneySavingExpert's Credit Club uses Experian data. New accounts opened in your name without your knowledge are the signal to watch for.

Register for Cifas Protective Registration where exposure is confirmed and identity fraud is plausible. Cifas runs the UK's National Fraud Database. A Protective Registration places a flag on your record so any organisation receiving an application in your details is alerted to verify identity carefully. The cost is £30 for two years. Cifas notes the service is most effective in the first months after exposure and counsels against indefinite use, since over-flagged records dilute lender attention to the records most at risk. Apply where the breach exposed enough data to attempt identity fraud (date of birth plus full address plus contact details, on top of name), where the merchant's notification confirms your data was in the affected set, and ideally where unusual activity has already appeared on your accounts. For lower-risk exposures, for example an email address only, Cifas is more friction than benefit.

How fraudsters use the data, and why timing matters

Stolen card data has a short shelf life. Cards exposed in a breach are typically sold within hours to days, often before the victim knows the breach has happened, and used quickly: small test transactions to confirm the card works, followed by larger transactions or onward sales to other criminals. The window is measured in hours and days, not weeks. This is why the priority for the card-data case is to freeze the card immediately. Once the card is dead, the data is worthless.

Identity data has a longer half-life. A name, address, and date of birth remain useful for impersonation, account-recovery attacks, and synthetic-identity fraud for years. This is why the priority for the identity-data case is sustained vigilance over months, rather than minutes.

When and how to escalate beyond the bank

Report the crime to Report Fraud (formerly Action Fraud). On 4 December 2025, the UK's national fraud-reporting service was renamed Report Fraud, accessible at reportfraud.police.uk and on 0300 123 2040. The actionfraud.police.uk URL still redirects there. In Scotland, fraud is reported to Police Scotland on 101. A reference number from Report Fraud is useful for the bank's investigation if fraud later appears. Report Fraud does not investigate every case individually, but the data feeds the National Fraud Intelligence Bureau and informs national policing priorities.

If the bank refuses to refund a fraudulent transaction or rejects a chargeback you believe is valid, escalate to the Financial Ombudsman Service. The Ombudsman is free for consumers and binding on the bank if it rules in your favour. You have six months from the bank's final response to bring a complaint.

If the breach itself was handled badly by the merchant, the complaint route is the Information Commissioner's Office. "Handled badly" means specific failures: not notifying affected individuals as required, taking an unreasonably long time to disclose, or providing misleading information about what was stolen. UK GDPR Article 33 requires merchants to notify the ICO within 72 hours of becoming aware of a personal data breach. Article 34 requires direct notification to affected individuals where the breach is likely to result in high risk. The ICO investigates breach handling and can fine merchants under a two-tier penalty regime; it does not award compensation. Compensation requires a separate civil claim, usually through a specialist law firm running a group action. Specialist firms have launched several such claims after recent UK breaches, including British Airways, Ticketmaster, and the 2025 M&S and Co-op attacks.

The pattern underneath these breaches

In all of these breaches, the underlying failure is the same. The merchant retained customer data they did not need to retain, in a form they could not adequately protect. M&S and the Co-op held customer addresses and dates of birth long after the orders had been delivered. British Airways logged plaintext card numbers from 2015 to 2018, in violation of PCI DSS rules. Ticketmaster ran a third-party chatbot on its payment page; compromising the chatbot was the same as compromising the cards. The TalkTalk database held bank details that the company itself acknowledged were not encrypted, on the basis that encryption was not legally required.

UK GDPR Article 5(1)(c), the data minimisation principle, requires that personal data be "adequate, relevant and limited to what is necessary" for the stated purposes. Each of these breaches was, among other things, a failure of that principle.
