Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, data protection authorities (DPAs) across Europe have issued fines totalling tens of millions of pounds for data breaches; and Britain’s Information Commissioner’s Office (ICO) is no different.
Since its formation, the ICO has issued some of its biggest fines for historic data breaches involving a host of major organisations, including airlines, online retailers and a global hotel chain.
Under GDPR, organisations that fail to protect customer data can face potentially devastating fines from their respective DPAs.
Over 2020-2021, the ICO saw a record 1580% rise in fines issued. Research published by DLA Piper shows that between January 2020 and January 2021, global GDPR fines rose by almost 40%.
“Prior to GDPR, companies had always viewed data as their own asset, something that was theirs and they did whatever they wanted with it,” says John Mitchison, Director of Policy and Compliance at the DMA.
He adds: “GDPR flipped the data protection regime on its head, changed the relationship a great deal and put the individual firmly at the heart of everything the data operator does.”
In Britain, the ICO is capable of issuing companies with a fine equalling 4% of their annual turnover, which gives the data watchdog greater scope to seriously clamp down on organisations with lax data protection practices. Indeed, before the introduction of GDPR, the ICO could only impose a maximum fine of £500,000 under the General Data Protection Act (1998).
1. British Airways – £20 million (2020)
In October 2020, the ICO fined British Airways (BA) a record-breaking £20 million after it ruled the airline failed to protect customers’ personal data.
The ICO said it found the airline had been processing “a significant amount” of personal data without adequate security measures in place.
Subsequently, the company’s lacklustre security meant it failed to detect a major 2018 security breach for nearly two months.
Investigators found the airline did not detect the June 22nd attack itself, and was instead alerted by a third party on 5th September 2018.
Once BA was made aware of the breach, it “acted promptly” and notified the relevant authorities, the watchdog said.
The 2018 BA cyber-attack saw hundreds of thousands of customers affected, with hackers believed to have accessed the personal data of 429,612 customers and staff.
Data exposed in the attack included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Usernames and passwords belonging to BA employee and administrator accounts were also exposed in the attack, as well as usernames and PINs of up to 612 BA Executive Club accounts.
According to the ICO, there were “numerous measures” the airline could have used to prevent the risk of attackers being able to access its network.
While the fine is the largest issued by the ICO under GDPR, the penalty still falls considerably short of the £183m the watchdog said it intended to impose last year.
2. Marriott Hotels – £18.4 million (2018)
Just two weeks after the BA announcement, hotel chain Marriott was fined £18.4 million by the ICO for failing to protect customer data.
An investigation into the Marriott data breach found the hotel giant failed to put in place “appropriate technical measures” to protect data being processed on its systems.
Marriott estimates that around 339 million guest records were exposed as a result of the 2014 cyberattack on Starwood Hotels and Resorts. The attack remained undetected for several years and was only discovered in September 2018, following Marriott’s acquisition of the Starwood chain.
Personal data exposed in the breach included names, email addresses, phone numbers, unencrypted passport numbers and loyalty programme membership numbers.
The exact number of people affected still remains unclear, as there may have been multiple records for an individual guest. It is believed that anywhere up to seven million exposed guest records belonged to British customers.
Information Commissioner Elizabeth Denham said the company failed in its duty to protect customer data.
Although this marks one of the biggest ICO fines ever imposed – and was the second in the space of a month – the eventual penalty represents just a fraction of what the regulator previously said it would impose. In 2019, the ICO said it intended to hand down a fine of £99.2 million.
3. Clearview AI – £7.5 million (2022)
The facial recognition tech company hit headlines earlier in the year after offering its tech to the Ukrainian Government to aid its ongoing conflict with Russia.
On May 23rd, the ICO fined Clearview AI Inc £7,552,800 for using images of people in the UK, and elsewhere, to create a global online database that could be used for facial recognition.
As well as a fine, the ICO issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.
The ICO enforcement action comes after a joint investigation with the Office of the Australian Information Commissioner (OAIC), which focused on Clearview AI Inc’s use of people’s images, data scraping from the internet and the use of biometric data for facial recognition.
Clearview AI Inc has collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database.
People were not informed that their images were being collected or used in this way.
4. Ticketmaster – £1.25 million (2018)
On 13th November 2020, Ticketmaster was fined £1.25 million for a 2018 data breach.
The ICO ruled that the events ticket retailer failed to implement appropriate security practices to prevent a cyber-attack on a chatbot installed on its online payment page.
In a statement, the ICO said Ticketmaster’s data protection failures constituted a breach of the General Data Protection Regulation (GDPR).
Up to 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK, were affected by the data breach.
User data was first exposed in 2018 following Ticketmaster’s decision to host a third-party chatbot on its online payment page. Security vulnerabilities meant that attackers were able to access customers’ financial details through the site.
Data exposed by the incident included customer names, payment card numbers, expiry dates and CVV numbers.
The ICO investigation revealed that, despite repeated warnings over fraudulent activity, Ticketmaster took nine weeks to identify and address the problem.
It also ruled that Ticketmaster failed to ‘adequately assess the risks’ of using a chatbot on its payment page and implement ‘appropriate security measures to negate the risks’.
5. Cabinet Office – £500,000 (2021)
It was found that the Cabinet Office breached data protection law as it failed to have the appropriate measures – both technical and organisational – in place to stop the breach.
The breach, which occurred in December 2019, saw the Cabinet Office publish a file on the government website containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list.
People from a wide range of professions across the UK were affected, including several high profile individuals such as Sir Elton John, Gabby Logan and Nadiya Hussain.
The personal data was available online for well over two hours and was accessed 3,872 times.
6. We Buy Any Car – £200,000 (2021)
In September last year, car trader We Buy Any Car was fined £200,000 for sending 191.4 million marketing emails and 3.6 million marketing SMS messages to individuals without fully satisfying the requirements of the soft opt-in, resulting in 42 complaints to the Commissioner.
This was the heftiest of three penalties issued together to We Buy Any Car, Sports Direct and Saga, totalling £495,000.
None of the companies had permission from people to send them marketing emails or texts.
At the time, Andy Curry, ICO head of investigations, said: “Getting a ping on your phone or constant unwanted messages on your laptop from a company you don’t want to hear from is frustrating and intrusive.
“These companies should have known better. Today’s fines show the ICO will tackle unsolicited marketing, irrespective of whether the messages have been orchestrated by a small business or organisation, or a leading household name. The law remains the same and we hope today’s action sends out a deterrent message that members of the public must have their choices and privacy respected.
“Companies that want to send direct marketing messages must first have people’s consent. And people must understand what they are consenting to when they hand over their personal information. The same rules apply even when companies use third parties to send messages on their behalf.”