Under the General Data Protection Regulation (GDPR), companies that fail to protect customer data face potentially crippling fines from the Information Commissioner’s Office (ICO), which is empowered to issue fines of up to 4% of the offending organisation’s annual global turnover in the preceding financial year (or €20 million, whichever is higher).
Before GDPR, the ICO could impose a maximum fine of £500,000, which to many global organisations is a drop in the ocean.
In its annual report published in July, the ICO said last year was record-breaking for issuing monetary penalties, although these only totalled £3 million in the 12 months to the end of March.
Of the four main offence types the ICO handles (data breaches, email, SMS and nuisance calls), data breaches are by far the most fined offence. According to research by The SMS Works, 50.9% of ICO fines were issued for data breaches.
In this list we look at the biggest fines issued by the ICO due to data breaches. It should be noted, however, that any organisation issued with a monetary penalty notice has the right to appeal the decision to the First-tier Tribunal.
While some of these fines have been upheld, others are still in the process of being appealed.
British Airways – Fined £183M – July 2019
In July 2019, the ICO announced it intended to fine the iconic British airline a record amount following an investigation that found poor security standards at the company had compromised the personal information of 500,000 customers.
The hack, which took place between August 21st and September 5th 2018, was described by BA chief executive Alex Cruz as a “sophisticated, malicious criminal attack”.
The hackers lifted customers’ names, email addresses and credit card information, including the card number, expiry date and the three-digit security code on the back of the card. Part of the attack saw customers diverted to a fraudulent website through which their details were stolen.
In November 2018, it was reported by cybersecurity firms Flashpoint and RiskIQ that the credit card details of nearly 25,000 BA customers were being sold on the dark web by Russian hackers.
The ICO fine amounts to roughly 1.5% of the airline’s turnover. Had the ICO imposed the maximum fine, BA would be facing a fine of £500m, equalling 4% of its turnover. This record fine is roughly 367 times as high as the previous record, and the first to be made public under the new rules, according to the watchdog.
British Airways plans to appeal the decision. A recent High Court ruling by Justice Mark Warby granted affected customers permission to join a class-action lawsuit against the company.
Already more than 5,000 affected customers are being represented by SPG Law and an additional 230 are being represented by Your Lawyers Limited, according to the Daily Mail.
Marriott Hotels – Fined £99m – July 2019
Just one day after issuing a record-breaking fine to BA, the ICO revealed its intention to fine hotel chain Marriott International more than £99m due to a massive data breach. Approximately 339 million customer records were exposed during the breach, of which around 30 million related to residents of 31 countries in the European Economic Area, and 7 million related to UK residents.
In November 2018, Marriott announced it had detected an intrusion and that an unauthorised party had copied and encrypted information from the guest reservation database of Starwood, the hotel group Marriott acquired in 2016, in the US. When the company investigated the hack, it discovered there had been unauthorised access to the Starwood network since 2014.
In an update published on January 4th 2019, the company revealed that the hackers had accessed and taken more than 5.25m unencrypted passport numbers, as well as 20.3m encrypted passport numbers.
Compromised information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.
Marriott’s data vulnerabilities, the regulator said, appear to have begun when the systems of the Starwood hotels group were compromised in 2014. The group was subsequently acquired by Marriott in 2016, however, the exposure of customer information was not brought to light until 2018.
The ICO’s investigation into the breach ruled that the hotel chain “failed to undertake sufficient due diligence” when it purchased Starwood and should also have “done more to secure its systems”. However, the ICO noted that Marriott had cooperated fully with its investigation and has since made improvements to its security. The company will now be given an opportunity to make representations to the regulator as to the proposed findings and sanction.
Facebook – Fined £500,000 – October 2018
For its part in the Cambridge Analytica scandal, Facebook was slapped with the maximum fine allowed under the Data Protection Act 1998. Facebook narrowly escaped a far larger fine, of up to 4% of its annual global turnover, had GDPR been in effect at the time of the contraventions.
Although Facebook has agreed to hand over the sum, it has made no admission of liability. However, the company said it wished it had done more to investigate Cambridge Analytica at the time.
The ICO’s investigation found that Facebook had improperly allowed the data of an estimated 87m users to be harvested, via a quiz app that collected data from the participants and their friends, and passed to the disgraced political consultancy. The company was also found to have taken inadequate action once the misuse was discovered.
Facebook was found to have failed to keep the personal information of its users secure because it did not carry out suitable checks on apps and developers using its platform.
At the time, ICO Commissioner Elizabeth Denham said: “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data. A company of its size and expertise should have known better and it should have done better.”
“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data.”
Equifax – Fined £500,000 – September 2018
At the time, Equifax’s penalty was the largest the ICO had issued, for failing to protect the data of up to 15m UK citizens who were hit by a 2017 cyber attack on the company.
Although the company is based in the US, the ICO fined its UK arm for failing to ensure that its parent company was protecting the data of its British customers. As with Facebook, this was the maximum penalty the ICO could issue under the Data Protection Act 1998, which still applied because the breach predated GDPR.
However, this £500,000 figure seems paltry compared to the settlement agreement the company made with the Federal Trade Commission (FTC), which will see the credit reference agency pay up to £561m for exposing at least 147m people’s data.
Much of that cash has been earmarked to go towards paying for identity theft services and other related expenses run up by the victims.
The FTC accused the company of failing to take “basic” steps to secure its network, which left it vulnerable to attack. Mark Begor, Equifax chief executive, said: “This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident.”
Equifax also plans to roll out an “aggressive” advertising campaign to ensure those entitled to compensation are aware of it. The campaign will be carried out via social media, radio, print and various other digital outlets.
Since the breach, the company has spent more than $1 billion in cleanup costs and overhauled its information security programme. The costs relate to outstanding litigation, potential fines, incremental technology and data security costs, and an accrual for losses associated with legal proceedings and investigations.
Bounty UK – Fined £400,000 – April 2019
The ICO issued Bounty, the UK’s fastest-growing pregnancy club, a £400,000 fine for illegally sharing the personal information of more than 14m people. Bounty was found to have quietly shared approximately 34.4m records with 39 credit reference and marketing agencies, including Acxiom, Equifax, Indicia and Sky, without clearly informing people that their information was being passed on.
The data included the personal information of potentially vulnerable new mothers or mothers-to-be, and of infants, whose birth date and gender were included. The data was gathered via the company’s website, mobile app and merchandise pack claim card, and directly from new mothers at hospital bedsides.
Steve Eckersley, ICO’s Director of Investigations, said: “The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into data broking industry and organisations linked to this.
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such a large number of organisations. Any consent given by these people was clearly not informed.
“Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.”
The company admitted in a statement that it “did not take a broad enough view of our responsibilities” and has pledged to appoint an independent data expert whose findings will be published annually on the company’s website.
Join us at DIGIT’s 3rd annual Data Protection Summit on 10th of December at Dynamic Earth in Edinburgh to learn more about the changing regulatory landscape and the business impact of the GDPR. Book online https://www.dataprotectionscot.com/