Since the introduction of the General Data Protection Regulation (GDPR) in May 2018, data protection authorities (DPAs) across Europe have issued fines totalling tens of millions of pounds for data breaches, and Britain’s Information Commissioner’s Office (ICO) is no different.
Since its formation, the ICO has issued some of its biggest fines for historic data breaches involving a host of major organisations, including airlines, online retailers and a global hotel chain.
Under GDPR, organisations that fail to protect customer data can face potentially devastating fines from their respective DPAs.
In Britain, the ICO can issue a company with a fine equal to 4% of its annual turnover, which gives the data watchdog far greater scope to clamp down on organisations with lax data protection practices. Indeed, before the introduction of GDPR, the ICO could only impose a maximum fine of £500,000 under the Data Protection Act 1998.
1. British Airways – £20 million (2020)
In October 2020, the ICO fined British Airways (BA) a record-breaking £20 million after it ruled the airline failed to protect customers’ personal data.
The ICO said it found the airline had been processing “a significant amount” of personal data without adequate security measures in place.
As a result, the company’s lacklustre security meant it failed to detect a major 2018 security breach for nearly two months.
Investigators found the airline did not detect the 22nd June attack itself, and was instead alerted by a third party on 5th September 2018.
Once BA was made aware of the breach, it “acted promptly” and notified the relevant authorities, the watchdog said.
The 2018 BA cyber-attack saw hundreds of thousands of customers affected, with hackers believed to have accessed the personal data of 429,612 customers and staff.
Data exposed in the attack included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Usernames and passwords belonging to BA employee and administrator accounts were also exposed in the attack, as well as usernames and PINs of up to 612 BA Executive Club accounts.
According to the ICO, there were “numerous measures” the airline could have used to prevent the risk of attackers being able to access its network.
While the fine is the largest issued by the ICO under GDPR, the penalty still falls considerably short of the £183m the watchdog said it intended to impose last year.
2. Marriott Hotels – £18.4 million (2018)
Just two weeks after the BA announcement, hotel chain Marriott was fined £18.4 million by the ICO for failing to protect customer data.
An investigation into the Marriott data breach found the hotel giant failed to put in place “appropriate technical measures” to protect data being processed on its systems.
Marriott estimates that around 339 million guest records were exposed as a result of the 2014 cyberattack on Starwood Hotels and Resorts. The attack remained undetected for several years, however, and was only discovered in September 2018 following Marriott’s acquisition of the Starwood chain.
Personal data exposed in the breach included names, email addresses, phone numbers, unencrypted passport numbers and loyalty programme membership numbers.
The exact number of people affected still remains unclear, as there may have been multiple records for an individual guest. It is believed that anywhere up to seven million exposed guest records belonged to British customers.
Information Commissioner Elizabeth Denham said the company failed in its duty to protect customer data.
Although this marks one of the biggest ICO fines ever imposed – and was the second in the space of a month – the eventual penalty represents just a fraction of what the regulator previously said it would impose. In 2019, the ICO said it intended to hand down a fine of £99.2 million.
3. Ticketmaster – £1.25 million (2018)
On 13th November 2020, Ticketmaster was fined £1.25 million for a 2018 data breach.
The ICO ruled that the events ticket retailer failed to implement appropriate security practices to prevent a cyber-attack on a chat-bot installed on its online payment page.
In a statement, the ICO said Ticketmaster’s data protection failures constituted a breach of the General Data Protection Regulation (GDPR).
Up to 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK, were affected by the data breach.
User data was first exposed in 2018 following Ticketmaster’s decision to host a third-party chatbot on its online payment page. Security vulnerabilities meant that attackers were able to access customers’ financial details through the site.
Data exposed by the incident included customer names, payment card numbers, expiry dates and CVV numbers.
The ICO investigation revealed that, despite repeated warnings over fraudulent activity, Ticketmaster took nine weeks to identify and address the problem.
It also ruled that Ticketmaster failed to ‘adequately assess the risks’ of using a chatbot on its payment page and implement ‘appropriate security measures to negate the risks’.
4. Equifax – £500,000 (2017)
Equifax was handed a £500,000 fine over a 2017 cyber-attack that saw personal information belonging to up to 15 million Brits exposed.
The data breach, which happened between 13th May and 30th July 2017 in the US, affected more than 146 million customers worldwide.
An investigation by the watchdog found that while the breach took place on US information systems, the credit reference agency was responsible for the personal information of UK-based customers.
The company’s UK arm failed to take “appropriate steps” to ensure its American parent company was protecting critical data.
Carried out in parallel with the Financial Conduct Authority, the ICO probe revealed a string of failures at Equifax which led to personal information being retained for longer than necessary and left vulnerable to unauthorised access.
Crucially, the investigation was carried out under the Data Protection Act 1998 rather than GDPR, which meant the maximum penalty was no more than half-a-million pounds.
The aftermath of this particular data breach saw Equifax spend more than £1 billion in clean-up costs and on upgrades to its information security practices.
5. Facebook – £500,000 (2018)
October 2018 saw Facebook fined £500,000 for its role in the Cambridge Analytica scandal.
As the scandal itself took place before the introduction of GDPR, the penalty was at the time one of the biggest ICO fines allowed under the Data Protection Act 1998.
An investigation by the ICO ruled that Facebook was guilty of ‘improperly’ sharing data belonging to an estimated 87 million users.
The Cambridge Analytica scandal saw user data shared with the political consultancy via a series of quizzes that harvested their data. The ICO said that, despite the issues being flagged, Facebook failed to take adequate steps to address concerns over data privacy.
Facebook failed to keep user data secure, the ICO said, because it did not carry out proper and frequent checks on third-party apps used on the social media platform.
At the time, ICO Commissioner Elizabeth Denham said: “We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation.
“One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”