The ICO has been very active recently, slapping data protection violation fines left and right. In view of the recent, rather modest fine of £120,000 imposed on Heathrow Airport Limited for its failings on the data protection front, let’s take a look at the biggest fines ever enforced by the ICO and see how bad things can get if a company remains non-compliant with regulations.
1. Facebook – £500,000 (Cambridge Analytica) + $1.63bn (September 2018 Data Breach)
The ICO’s investigation found Facebook guilty of two breaches of the Data Protection Act 1998: failing to safeguard user information and lacking transparency about how that data was harvested. For that, the ICO intends to slap Facebook with the maximum possible fine of £500,000 for the social network’s role in the Cambridge Analytica scandal.
Since the GDPR has come into force, the penalties for the September 2018 data breach, which affected 50 million users, are going to be much more severe. Estimates predict $1.63bn in fines, or 4% of Facebook’s $40.7bn annual global revenue for the previous financial year.
2. Equifax – fined £500,000
The Information Commissioner’s Office fined Equifax Ltd £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017.
Hackers stole information including names, dates of birth, addresses, passwords, driving licences and financial details after failures at the company led to data being retained for longer than necessary and left vulnerable to unauthorised access. Although the compromised systems were based in the US, the ICO issued the fine because the company’s UK branch had failed to ensure that its American parent was protecting the information of its UK customers.
The £500,000 penalty is the maximum that the ICO could issue under the Data Protection Act 1998, but under the GDPR, Equifax would have faced a fine of up to €20 million, or 4% of annual global turnover.
3. TalkTalk – fined £400,000
Telecoms company TalkTalk has been issued with a record £400,000 fine by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”. ICO investigators found that the cyber-attack, carried out between 15 and 21 October 2015, took advantage of technical weaknesses in TalkTalk’s systems. The attacker accessed the personal data of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases, the attacker also had access to bank account details and sort codes.
4. Keurboom Communications – fined £400,000
The company behind 99.5 million nuisance calls has been fined a record £400,000 by the ICO. The calls related to a wide range of subjects, from road accident claims to PPI compensation. Some people received repeat calls, and the company hid its identity, making it hard for recipients to complain. Following the investigation, the company was placed in voluntary liquidation.
5. Carphone Warehouse – fined £400,000
An external cyber-attack originating from an IP address in Vietnam gained access to databases containing credit card data and other personal information of over three million customers and 1,000 employees. The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details. The records of some Carphone Warehouse employees, including names, phone numbers, postcodes and car registrations, were also accessed. Following a detailed investigation, the ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information it held.
6. Your Money Rights – fined £350,000
Your Money Rights has been fined £350,000 by the ICO for making a record 146 million illegal calls in just four months. Companies can only make automated marketing calls to people who have given specific consent, which Your Money Rights failed to obtain. The unsolicited calls concerned PPI claims and caused numerous recipients to complain of feeling harassed and threatened. The calls also broke the rules by not including the company’s name and contact details in the recorded message. Following the investigation, the company entered liquidation.
7. Miss-sold Products UK – fined £350,000
Miss-sold Products UK was fined £350,000 after the company made 75 million nuisance calls in a four-month period. The calls contained recorded messages, primarily promoting PPI compensation claims, but the company did not have the recipients’ consent for making marketing calls. Miss-sold Products UK also failed to identify the organisation making the calls, and used ‘added value’ numbers, which cost money when people called back after a missed call. The ICO received 146 complaints from the public about Miss-sold Products. Some people complained that they were not able to opt out of the calls, while others said they had been called a number of times.
8. Crown Prosecution Service – fined £325,000
The Crown Prosecution Service (CPS) received a £325,000 fine after the agency lost unencrypted DVDs containing recordings of police interviews with 15 victims of child sex abuse that were to be used at trial.
The DVDs contained sensitive details about the victims, as well as personal data and further identifying information about other parties. The DVDs went missing after they were left in reception following a tracked delivery sent between two CPS offices. The DVDs were sent in November 2016, but it was not discovered that they were lost until December. The CPS notified the victims in March 2017, and reported the loss to the ICO the following month. It is not known what happened to the DVDs after they were lost.
The ICO also found that, despite being fined £200,000 following a separate breach in November 2015 – in which victim and witness video evidence was also lost – the CPS had not ensured that appropriate care was being taken to avoid similar breaches recurring.
9. Brighton and Sussex University Hospitals NHS FT – fined £325,000
Brighton and Sussex University Hospitals NHS Foundation Trust was hit with a £325,000 fine in 2012, which at the time was the largest penalty imposed by the ICO. The breach occurred when a contractor sold Trust hard drives on eBay that he had been hired to destroy. The drives contained sensitive personal data about patients and staff, including details of people being treated for HIV.
The Trust attempted to reach a settlement that recognised errors had been made but argued that no harm arose from them; the ICO rejected this. The Trust then elected to pay the monetary penalty early in order to receive a 20 percent discount on the fine, which brought it down to £250,000.
10. Holmes Financial Solutions – fined £300,000
Holmes Financial Solutions was fined £300,000 for making 8.8 million marketing calls without consent. The 8,792,907 calls contained recorded messages, primarily promoting PPI compensation claims, but the company did not have the recipients’ consent for sending direct marketing, which is against the law.