Record fines for data breaches
By Richard Wright | 31st August 2021
The information watchdog issued a record sum in fines last year and took a total of 66 enforcement actions over data breaches.
The Information Commissioner's Office (ICO) issued £42 million in fines in the last financial year to businesses including British Airways, Ticketmaster and the Marriott Hotel chain.
Last year enforcement included action against businesses trying to exploit the Covid crisis.
A firm misusing data to send text messages promoting a hand sanitising product was fined £60,000. Penalties totalling £110,000 were handed out to three companies who sent unlawful marketing messages to sell face masks.
The watchdog also sought to ensure that businesses didn't use contact tracing information to push marketing material or sell the data on to others.
Other fines included £90,000 for American Express over more than four million direct marketing messages; £10,000 for pizza company Papa John's for sending 168,022 nuisance marketing messages to its customers; £25,000 for transgender charity Mermaids for failing to keep the personal data of its users secure; and £10,000 for the Conservative Party for sending 51 marketing emails to people who did not want to receive them.
Nicola Wood, senior independent director at the ICO, said: "Our regulatory work has been hugely important and impactful."
The biggest fines went to British Airways, the Marriott Hotel group and Ticketmaster.
In October 2020, the ICO fined British Airways £20 million for failing to protect the personal and financial details of more than 400,000 of its customers.
An ICO investigation found the airline was processing a significant amount of personal data without appropriate security measures in place, and that it did not detect a cyber-attack in 2018 for more than two months.
Later the same month, it fined Marriott International Inc. £18.4 million for failing to keep millions of customers' personal data secure. An estimated 339 million guest records worldwide were affected following a cyber-attack in 2014.
The ICO found that the company had failed to put appropriate measures in place to protect the personal data and did not detect the attack for four years.
In November 2020, the ICO fined Ticketmaster UK Limited £1.25 million for failing to keep customers' personal data secure. The company failed to put appropriate security measures in place to prevent a cyber-attack on a chat bot installed on its online payment page.
The data breach affected 9.4 million customers, including 1.5 million in the UK. The ICO investigation found that 60,000 payment cards had been subjected to known fraud because of the breach.
Elizabeth Denham, Information Commissioner, wrote in the Annual Report: "Our lives are now more digital than ever before.
"Data protection is, at its core, about trust. The digital opportunity before us today will only be realised where people trust their data will be used fairly and transparently."
The ICO polices information rights for the UK public, enforcing legislation including the Data Protection Act 2018 (DPA 2018), the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR).
The ICO closed its offices in March 2020 because of Covid and its 800 staff worked from home.
Copyright 2021 Moose Partnership Ltd. All rights reserved. Reproduction of any content is strictly forbidden without prior permission.