A Freedom of Information Act (FOIA) disclosure by the Information Commissioner's Office (ICO) suggests that, over the last five years, 127 million data subjects may have been affected by personal data breaches “involving economic or financial data”, which were subsequently notified by data controllers to the ICO.
Even allowing for duplicates, and for the fact that some of these data subjects could be overseas, it indicates that there are probably few people in the UK whose personal data hasn't potentially been compromised.
Where there has been a "personal data breach", which is defined at Article 4(12) of the UK GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”, a controller must make a notification to the ICO under Article 33, unless the personal data breach is "unlikely to result in a risk to the rights and freedoms" of individuals (sections 67 and 108 of the Data Protection Act 2018 contain similar notification obligations where the processing is for law enforcement or security services purposes).
Although the ICO has at times bemoaned a tendency to "over report" personal data breaches, it remains the case that a large number of Article 33 notifications are still made. When a notification is made, Article 33(3)(a) requires the reporting controller to state the "approximate number of data subjects concerned" and, in response to a FOIA request, the ICO has now disclosed that the total number, from notifications "involving financial and economic data", is 127,147,851 since 1 October 2019.
There are a few points worth noting.
First, the fact that a "personal data breach" has occurred does not necessarily mean that there has been an infringement of legal obligations: a personal data breach can occur in circumstances where the controller has still complied with all of its obligations – put another way, a "personal data breach" does not mean a "breach of the law". Secondly, as the ICO points out, some of the data subjects may be duplicated across two or more separate personal data breaches. Third, the applicant's use of the term "involving economic or financial data" derives from the ICO's own reporting form, where examples are given of "credit card numbers or bank details", but the term is not specifically defined anywhere.
All that said, and assuming it accurately reflects the number of times personal data has been compromised as described at Article 4(12), it is a remarkable figure, indicating just how vulnerable financial personal data is to accidents and attacks.