Re: What Exactly Was The Breach ???
Just wait for GPDR to come through.
They are going to have to seek EXPLICIT consent for absolutely everything they store, and it ain't going to go down well.
Though bank accounts (without overdraft) wouldn't attract a credit check necessarily, everything else you list is... well... credit. (Which should always be replaced with the word "debt"... it's a "debt card". You bought your phone "on debt". etc.).
Though they could legitimately claim that you gave your consent by applying for credit at the moment, it's not going to be pretty for them implementing GPDR, especially if the ICO etc. are sniffing around because of breaches like this.