Last week, the government confirmed that the medical information of 500,000 participants of UK Biobank had been listed for sale on Alibaba, a Chinese e-commerce platform. Three separate listings appeared, at least one of which contained data belonging to the entirety of the database’s half-million volunteers – DNA, blood markers, lifestyle data, and body scans, advertised on one of the largest retail platforms on earth.

This was, according to Luc Rocher, an associate professor at the Oxford Internet Institute, the 198th known exposure of UK Biobank data since last summer. Intelligence agencies have warned for years that bulk datasets from Western populations are precisely the kind of material that Beijing treats as a strategic asset.

The question that deserves more than a passing headline is this – what happens next?

We do not need to speculate. When Marks & Spencer fell victim to a cyberattack in April 2025, the legal industry moved within weeks. Law firms launched group actions. Claims management companies ran Facebook campaigns. Thompsons Solicitors described the volume of Scottish claimants as ‘unprecedented’ for a case of its type. M&S estimated total costs of approximately £300 million, saw its market capitalisation fall by over £700 million, and was required to notify regulators immediately.

Join the Claim, a claimant book-building website, has posted a speculative page declaring that it is assessing the UK Biobank situation. This leaves us to wonder how the threat of a class action differs when a public entity is attacked rather than a private one.

In 2021, Chinese state-linked hackers breached the Electoral Commission’s servers – gaining access to the names and home addresses of approximately 40 million people registered to vote between 2014 and 2022. The attack went undetected for twelve months. The Information Commissioner’s Office investigated, found that ‘basic’ security failures had made the breach ‘highly likely’, and issued a reprimand. No fine. No compensation scheme. No class action.

This is not a coincidence. Since 2022, the ICO has formally adopted what it describes as a ‘public sector approach’ – favouring reprimands and remediation plans over financial penalties when the data controller is a government body, on the grounds that fines effectively transfer money from one part of the public purse to another.

The logic has a certain administrative tidiness. Its effect is that the accountability calculus for a Whitehall department that loses your data is fundamentally different from the one that applies to a retailer or insurer that does the same.

When Capita, an outsourcing firm, suffered a cyberattack in March 2023 that compromised the data of 6.6 million people – including pension records and medical information – the ICO fined it £14 million in October 2025. Leigh Day solicitors launched a group action. Affected individuals were told they likely had viable compensation claims.

The gap is not subtle. To set that asymmetry out in plain terms: a private software provider that disrupted NHS services through security failings was fined £3.07 million by the ICO for exposing 79,000 records. The Electoral Commission was reprimanded – and not fined – for exposing 40 million.

It is worth being precise about why class actions have not followed these government breaches.

Under the UK GDPR, the right to compensation applies equally to any data controller – public or private. The obstacle is not the law. It is the economics. Litigation funders and claims management firms go where the money is. A public body with no insurance policy, no market capitalisation to downgrade, and a minister willing to say in Parliament that compensation ‘must wait’ is not a compelling defendant. The chap with the litigation funding spreadsheet closes the tab and goes looking for the next supermarket.

Perhaps the threat of a class action against UK Biobank, brought on by Join the Claim, might cause people in the public sector to think carefully about the claims culture they facilitate. In either case, you have to ask – who will really be left to foot the bill for these lawyers?

What is the message an entrepreneur takes from this normality? You can be a major business – contributing to the UK economy, jobs and growth – and one slip means regulators at your door, a class action, and hundreds of millions in costs. A public body holding far more sensitive data could lose it, decline to compensate the businesses they have paralysed, and emerge with a ministerial letter and a strongly worded reprimand.

Multiply that asymmetry across employment law, planning, environmental compliance, tax, and health and safety, and the cumulative effect is a country in which it is rationally less attractive to start, scale, or run a job-creating business than it was a generation ago. The downside, if something goes wrong, is potentially ruinous and very public. The upside, if things go well, is taxed at every step and lectured about at every turn.

That is not a healthy economy. It is a managed decline – sustained, more often than we admit, in headlines like the one last week. The ones we read, sigh at, and scroll past.