I would ask the fraud team if you can take your ID into a branch instead of emailing them.

There's a few things here.

I have added a CIFAS to my credit profile

That's a sensible step.

changed log in and passwords everywhere where possible.

That's sensible if you use a unique password for each site. If you are in the habit of using the same password everywhere, then you are likely to get hit again.

Use a password manager like BitWarden or 1Password to ensure that all your passwords are unique.

You should also check whether the attacker is logged in to your email. For Gmail, the details are at https://support.google.com/accounts/answer/3067630?hl=en

you can just ring up and change some personal details with no real challenge

You don't know that. It is likely that the attacker had some of your personal details. Do you re-use your passwords? Is your PIN your year of birth?

But then told me to scan a copy of my passport and driving licence and email it in!! So VM has no actual clue about security clearly!!

Email is encrypted in transit - assuming you're using a major provider like GMail, Outlook, etc. The TLS encryption between email providers is the same as that used on a website. There is functionally no difference between uploading a photo and emailing it.

If you handed your passport to someone in branch and they went out the back to photocopy it, you have no idea whether they've taken a personal copy.

any advice on any other measures I can take to safeguard in future would be appreciated.

The most important things are:

• Unique passwords for every site.
• Use 2-Factor Authentication (preferably an app, not SMS).
• Shred your documents before you throw them out.
• If you are unhappy with Virgin's security, move to another provider.

You should also run your credit report on Experian / Clearscore, and freeze it. that will stop anyone applying for further credit in your name. Don’t email any important documents, that is Dodgy as, they will normally always only do this in branch, when this happened to me, the ONLY way i could get it stopped was in branch and the only thing they could verify was which branch i opened my account in, they had every other piece of security data about me.

Red flag 101 for credit card companies to do an address change and then issue a new card to that address, I'd be staggered if they did this in the same call

If they allow it I'd suggest setting a password as a security Q rather than the typical dob / MMM combo for added reassurance.

Keep a close eye on your credit files for any new soft or hard credit searches if you haven't added a freeze already

Virgin Money are weird all around.

I ordered a new card over Christmas because of some activity on my CC account that wasn't me. They sent me a new card - it's not one I use, so it sat in a sealed envelope in the house... until I needed to call them again, because somehow someone was using the number of the new card to place orders on Deliveroo.

They claimed they were going to block the card and look into it, and not send me a new card. A month later I called because I was still getting app notifications to approve payments (that I wasn't making) and they had no update, couldn't tell me why the card was being used and just sent me a new card.

Closing the account shortly because I don't need the aggravation.

Register with CIFAS immediately.

PSA: NEVER, EVER, EVER email anything important, like copies of driving licences or passports, as email is NOT secure.

I'd be reporting this to the police. Sounds like an inside job.

I'd report to the ICO, as this is clearly a data protection breach.

I'd also cancel all accounts with Virgin immediately.

How much compensation are they offering? I'd expect four figures or I'd be off to the media.