At Lacey Solicitors, we understand how distressing it can be to learn that your personal information has been mishandled. Whether it’s your financial data, medical records or employment details – your privacy matters.  Our data protection and privacy law solicitors in Dublin and Belfast, help individuals, employees, and professionals across Ireland and Northern Ireland take action when organisations fail to protect their personal data.

With specialist advice in data protection, privacy and GDPR claims and a proven track record of successful outcomes, we are here to help you claim compensation and protect your constitutional rights.

What Is a Data Breach Under GDPR?

A data breach occurs when personal data is lost, shared, exposed, or accessed without permission. This could happen due to poor cybersecurity, human error, or even malicious hacking. Under the EU General Data Protection Regulation (GDPR) and the Data Protection Acts, individuals are entitled to claim compensation if they’ve suffered emotional, psychological, or financial harm due to a breach.

Common examples of GDPR data breaches include:

• Sending emails or letters containing personal data to the wrong person

• Files or databases being left unsecured or accessible to unauthorised parties

• Sensitive health information being shared without consent

• Data being exposed during a cyberattack due to inadequate IT systems

• Personal details being leaked online or passed to third parties without your knowledge

Who Is Responsible?

Under GDPR, organisations that collect and process personal data – called Data Controllers – are legally required to protect it. The law requires data controllers to demonstrate ‘accountability.’ The business should establish clear, documented procedures to continuously review and monitor the data they collect.   This includes employers, public sector bodies, healthcare providers, insurers, financial institutions, and online service platforms.

If they fail to uphold these duties, and your data is breached as a result, they may be liable to compensate you.

Real-World Data Breach Cases at Lacey Solicitors

At Lacey Solicitors, we have acted in a number of high-profile and sensitive data breach matters, including:

• The PSNI Data Breach (2023): We represent several PSNI officers whose personal and employment data, including names, ranks and work locations, were mistakenly published online. Many clients expressed genuine concerns for their safety and are now pursuing claims for distress and loss of privacy.

• NHS Medical Records Misuse: We acted for a Antrim-based client whose confidential medical notes were inappropriately accessed by a third party following a poorly handled subject access request. The breach resulted in considerable emotional distress and embarrassment and we ultimately secured a settlement of several thousand pounds.

• Banking and Financial Data Breaches: We have pursued claims for clients whose financial data was exposed due to outdated cyber security practices or internal processing errors at financial institutions.

Each case is handled with care, discretion, and strategic legal insight to maximise your entitlement and hold organisations accountable.

What Can You Claim For?

As outlined in our previous article You may be entitled to claim for:

• Emotional distress or anxiety

• Damage to your reputation or professional standing

• Financial loss, fraud or identity theft

• Loss of control over personal information

• Breach of confidence

Compensation for Data Breach Claims in Ireland:

Each case is assessed individually. The more serious the impact, the higher the potential award.

What Are My Rights Under GDPR?

You have strong legal rights under GDPR, including the right to:

• Be informed how your data is being used

• Access your personal information on request

• Rectify inaccurate or incomplete data

• Erase data in certain circumstances (“right to be forgotten”)

• Restrict or object to processing

• Claim compensation for unlawful processing or data loss

If you’re not satisfied with an organisation’s response, you also have the right to make a complaint to the Data Protection Commission in Ireland or the Information Commissioner’s Office in Northern Ireland — or to take legal action with our help.

How Lacey Solicitors Can Help

At Lacey Solicitors, we combine legal precision with compassionate client service. Whether the breach involves public bodies, employers, medical organisations, or private companies, our dedicated data protection team is here to guide you every step of the way.

Why Choose Us?

• Proven Track record in GDPR and Privacy Law Claims in both Ireland and Northern Ireland

• Offices in Dublin and Belfast – Local knowledge with cross-border capability

• Discreet, strategic approach tailored to your needs

• Free initial advice and transparent fees

Take Action Today

If your personal data has been exposed, mishandled or used without your consent, you do not have to accept it. At Lacey Solicitors, we are here to help you hold the responsible party accountable and secure the compensation you deserve. With offices in Dublin and Belfast, our experienced data protection solicitors offer clear, confidential advice tailored to your situation. Contact us today by phone or through our secure online enquiry form to begin your data breach claim.

Lacey Solicitors are now initiating legal proceedings against Cabot Financial Ireland Limited on behalf of affected individuals. If your personal or financial data was compromised in the recent cyberattack, you may be entitled to claim compensation for both financial losses and emotional distress.

What Happened?

In September 2024, Cabot Financial Ireland Limited, a prominent debt collection and credit servicing firm regulated by the Central Bank of Ireland, suffered a significant cyberattack. The breach involved the theft of approximately 394,000 sensitive data files. These files contained personal, financial, and in some cases, even health-related or marital status information.

The compromised data affects:

• Cabot’s direct customers

• Customers of financial institutions for whom Cabot acts as credit servicer

• Current and former Cabot employees

The exposed information includes:

• Names, addresses, and contact information

• Loan book and debt details

• Potentially sensitive information shared by customers (e.g. health issues or family circumstances)

Cabot’s website and phone systems were temporarily disabled following the attack, and forensic IT specialists were brought in to assess the extent of the damage.

Cabot Financial Ireland Limited’s Response and Public Concern

Cabot states it has:

• Notified the Data Protection Commission (DPC), Central Bank of Ireland, and Garda National Cyber Crime Bureau

• Obtained a protective court order to reduce the likelihood of stolen data being misused online

• Begun contacting impacted individuals

However, many former customers and staff have criticised the speed, clarity, and scope of these communications. Some did not receive timely notification despite their data being involved.

Your Rights as a Victim of a Data Breach

Under GDPR (General Data Protection Regulation) and the Data Protection Act 2018, individuals have a legal right to claim compensation when their personal data is exposed due to a company’s failure to protect it.

You may be eligible to claim for:

Material Damages

• Fraudulent transactions

• Identity theft

• Out-of-pocket costs for credit monitoring or account security

• Lost income

• Banking and administrative fees

Non-Material Damages

• Anxiety, distress, and emotional upset

• Fear of future misuse of your personal data

• Loss of sleep or mental wellbeing

• Reputational damage or embarrassment

Recent developments in Irish data protection law outlined previously by our office namely the Supreme Court decision in Dillon v Irish Life Assurance PLC [2025] IESC 37 has removed the requirement to obtain IRB authorisation for such claims, as they do not constitute personal injuries. This has significantly reduced the procedural burden for claimants, allowing claims to proceed directly in the District Court (for amounts up to €15,000.00), making the process quicker and more accessible.

In the context of the Cabot breach, where nearly 400,000 files containing personal and financial data were compromised, these legal standards are highly relevant. Many affected individuals are likely to have experienced emotional consequences, such as fear, distress, or anxiety, especially if the compromised data included sensitive information like marital or health status. Based on recent court awards in similar cases—ranging from €2,000.00 to €7,500.00 for non-material harm—Cabot may face a significant volume of claims.

Lacey Solicitors is now writing to Cabot Financial Ireland Limited, representing victims seeking compensation for the violation of their data rights.

Lacey Solicitors – Data Breach Litigation Solicitors

At Lacey Solicitors, we are now intimating formal legal proceedings against Cabot Financial Ireland Limited. We are representing individuals affected by the breach and seeking compensation for both material and non-material damages.

We understand how unsettling it is to learn your private information may be in the hands of criminals. Ruaidhrí Austin, Partner is experienced in both Defence and Plaintiff GDPR litigation, and is committed to helping you secure the compensation you deserve.

We can assist with:

• Submitting a Subject Access Request (SAR) to confirm if your data was affected

• Gathering evidence of emotional distress or financial harm

• Managing the full legal process with clear and transparent legal fees.

What Should You Do Now?

If you suspect or know that your data was part of the Cabot data breach, you should:

1. Contact Lacey Solicitors for a confidential case review

2. Request confirmation from Cabot via a Subject Access Request (we can assist with this)

3. Monitor your financial accounts for suspicious activity

4. Report any suspected fraud to the Gardaí

5. Follow cybersecurity best practices — e.g. change passwords, enable 2FA, and avoid phishing scams

How to Spot Suspicious Activity

Criminals may now impersonate Cabot or use your stolen information to conduct scams. Be wary of:

• Unsolicited emails or phone calls asking for bank details

• Messages claiming your Cabot account is in arrears or frozen

• Unfamiliar credit card or loan applications appearing on your credit report

• Social engineering attempts using your personal details

Cabot has published advice on how to protect yourself, and we encourage all victims to also consult trusted sources like:

• FraudSmart.ie – Banking and Payments Federation

• National Cyber Security Centre (NCSC)

• Garda National Cyber Crime Bureau

Contact Lacey Solicitors, Data Breach Solicitors, Belfast & Dublin

If you believe your personal information was exposed in the Cabot data breach, contact Lacey Solicitors today. With offices in Dublin and Belfast, our experienced team specialises in data protection and privacy claims, and we are currently acting on behalf of individuals affected by this breach. We offer clear, confidential advice on your rights under GDPR and can help you pursue compensation for the harm caused.

Call us on +353 1 513 4375 (Dublin) or +44 28 9089 6540 (Belfast), or contact Lacey Solicitors today for a free consultation using our Online Portal.

Lacey Solicitors, are known and respected as Insurance Defence litigators and represent a number of insurers across the entire island of Ireland.  Our office is at front of one of the fastest-growing areas of litigation namely Data Breach Claims in Ireland.  Particularly, those involving non-material damages—claims for emotional harm like distress or anxiety, rather than specific financial loss.

What Are Non-Material Damages?

Under Article 82 of the GDPR, individuals can claim compensation for:

• Material damage (e.g. financial loss)
• Non-material damage (e.g. distress, anxiety, embarrassment, or loss of control over personal data)

These claims are supported by the Data Protection Act 2018 in Ireland.

Where Are These Claims Heard?

As of January 2024, the District Court can hear data protection claims up to €15,000. This makes it the default forum for most non-material damages claims. If a claim is filed in the Circuit Court but is worth less than €15,000, insurers should seek to remit it to the District Court to reduce costs.

Do Claimants Need PIAB/IRB Authorisation?

Previously yes.  If the claim involved distress, anxiety, or upset, it was be considered a personal injury. In that case, the claimant needed an authorisation from the Injuries Resolution Board (IRB) before issuing proceedings.

The Supreme Court judgment in Dillon v Irish Life Assurance PLC [2025] IESC 37 recently  overturned that previous position. the High Court’s decision in Keane v CSO which held that IRB authorisation was a prerequisite for non-material damage claims arising from data breach.

The Supreme Court ruled that a freestanding claim in tort or contract seeking damages solely for emotional disturbances like anxiety, distress, and upset, which do not amount to a recognised psychiatric disorder, is not considered a “personal injury” claim under the PIAB Act 2003, and thus does not require PIAB authorisation as a prerequisite.

Key Irish and EU Cases

Here are the most important cases shaping how non-material damages are assessed:

Irish Cases

1. Kaminski v Ballymaguire Foods Ltd [2023] IECC 5
   • Facts: Employee’s photo used in a training session without consent.
   • Award: €2,000 for distress and embarrassment.
   • Key Point: No medical evidence needed; plaintiff’s testimony was enough.
2. MH v Child and Family Agency (Tusla) [2023]
   • Facts: Sensitive childhood abuse data disclosed to third parties.
   • Award: €7,500 for emotional harm.
   • Key Point: Seriousness of breach and lack of mitigation increased the award.
3. McCabe v AA Ireland Ltd [2024] IECC 6
   • Facts: Employee was secretly recorded by a manager while on sick leave.
   • Award: €5,500 for distress and embarrassment.
4. Dillon v Irish Life Assurance PLC [2025] IESC 37
   • Issue: Whether PIAB authorisation is needed for distress claims.
   • Decision: No—distress and anxiety do not fall under personal injury.

EU Cases (CJEU)

1. Österreichische Post (C-300/21)
   • Key Point: A GDPR breach alone is not enough—actual damage and a causal link are required.
2. VB v Natsionalna agentsia za prihodite (C-340/21)
   • Key Point: Data controllers must prove they had strong security in place. Strict liability doesn’t apply automatically, but the burden is high.
3. AT, BT v PS GbR (C-667/21)
   • Key Point: Fear of future misuse of data can be compensable—but only if it’s real and proven, not hypothetical.

What can you receive Compensation for?

Under the GDPR, individuals can claim compensation for certain types of emotional harm caused by data breaches. Compensable non-material damages include distress, anxiety, embarrassment, and loss of control over personal data—these are recognised by courts as legitimate impacts of a breach.

However, not all emotional responses qualify. Mere upset or annoyance, as well as hypothetical fears that are not supported by evidence, are generally not compensable. Courts require a clear and demonstrable link between the breach and the emotional harm suffered.

How Much Are Courts Awarding for Data Breach Claims in Ireland?

Awards over €10,000 are rare and would require exceptional circumstances.

Strategies for Insurers dealing with Data Breach Claims in Ireland

When defending GDPR-related claims, insurers should take a practical and proactive approach. One of the first steps is to assess whether the case belongs in the District Court, especially if the claim is under €15,000—this can help manage legal costs more effectively. Insurers should also look closely at the evidence—is there clear proof of actual harm and a direct link to the alleged breach? If not, that’s a strong basis for challenge.

Taking early steps to apologise and correct the issue can also go a long way in reducing potential damages. In some cases, if the data in question is already accessible through a secure online portal, that may be enough to satisfy the claimant’s request. Finally, it’s worth considering mediation or other forms of alternative dispute resolution to settle matters quickly and avoid drawn-out litigation.

What About Cyberattacks?

Insurers should note:

• Controllers are not automatically liable for every breach.
• They must show they had strong security measures in place.
• In complex cases, expert evidence may be needed to prove the breach was unforeseeable.

Need help defending a Data Breach Claim in Ireland?

At Lacey Solicitors, we offer expert legal advice and proven defence strategies tailored to the needs of insurers, businesses, and data controllers across Ireland. Ruaidhri Austin, Partner deals with data protection claims, as well as broader issues involving privacy law and cyber security. Whether you’re facing a data breach allegation, a non-material damages claim, or need guidance on compliance, Ruaidhri and our dedicated team are here to help.

Click through to our online portal to arrange a confidential discussion and see how we can support you: