The biggest ICO fines for data protection and GDPR breaches

The biggest fines issued by the Information Commissioner's Office (ICO) both before and after GDPR

The risks of data breaches in the UK grew immensely on 25 May 2018, when the General Data Protection Regulation (GDPR) was introduced. The legislation raised the maximum penalty for contraventions to up to €20m (£17.5m) or four percent of global turnover - whichever is the greater - but it was more than a year until the ICO found its first offender: British Airways, which was slapped with a proposed fine of £183m for a breach of customer data.

Fragmented image of a Boeing 787 airplane represented in encrypted data.
Luka Slapnicar / Matejmo / Getty Images

Cathay Pacific fined £500,000 in March 2020

In March 2020, the ICO handed the Hong Kong based airline Cathay Pacific a £500,000 fine, the maximum possible due to the breach taking place before the introduction of GDPR.

In 2018, Cathay Pacific Airways revealed that between October 2014 and May 2018, hackers were able to gain access to the personal details of 9.4 million global customers, 111,578 of whom lived in the UK. These details included names, passport details, dates of birth, phone numbers, addresses and travel history.

After the airline referred itself to the ICO, the regulator uncovered "a catalogue of errors", including back-up files that were not password protected, unpatched internet-facing servers and inadequate anti-virus protection.

Equifax breach  >  Equifax logo amid broken, disrupted binary code
Equifax / Valery Brozhinsky / Getty Images

Equifax - fined £500,000 in September 2018

Equifax was fined a record-equalling £500,000 for failing to protect the personal information of up to 15 million UK citizens affected by a 2017 cyber attack on the credit reference agency.

Hackers stole information including names, dates of birth, addresses, passwords, driving licences and financial details after failures at the company led to data being retained for longer than necessary and vulnerable to unauthorised access.

Although the compromised systems were based in the US, the ICO issued the fine because the company's UK branch had failed to ensure that its American parent was protecting the information of its UK customers.

The fine joins the one imposed on Facebook as the highest ever issued by the ICO, but the costs could have been far higher if the breach had occurred after the GDPR implementation date.

The £500,000 penalty is the maximum that the ICO could issue under the Data Protection Act 1998, but under GDPR, Equifax would face a fine of up to €20 million, or four percent of annual global turnover.

However, there are no such restrictions in the US. In January 2020 it was announced that Equifax has set aside a minimum of $380.5 million to compensate its 147 million US customers that were affected by the 2017 breach.

The final settlement approval was granted by US District Court in Georgia and customers have until 23 January to file a claim. Individuals can claim up to $20,000 if they can prove they have been left out of pocket as a direct result of the data breach.

In addition to the $380.5 million of compensation, the company has also agreed to spend a minimum of $1 billion updating its information security and related technologies over the next five years.

Fragmented image of a Boeing 787 airplane represented in encrypted data.
Luka Slapnicar / Matejmo / Getty Images

British Airways - fined proposed £183m in July 2019

The ICO announced it intended to fine British Airways a record £183.39 million over a data breach that compromised the personal information of approximately 500,000 customers.

An ICO investigation found that users of British Airways' website had been diverted to a fraudulent site where personal data including names, addresses, credit card information (including numbers, expiry dates, and CVV codes), log-ins and travel booking details were stolen. The ICO cited poor security arrangements as the reason for the severity of the fine, which British Airways is expected to appeal.

British Airways reported the incident to the ICO in September 2018, shortly after the implementation of GDPR. It is the first fine for a GDPR breach that the ICO has made public and by far the largest penalty that the authority has issued. The previous record was the fine £500,000 given to Facebook for the social network's role in the Cambridge Analytica scandal, which the ICO suggested would have been far higher had the incident occurred after the introduction of GDPR.

"There was always going to be a hefty guinea pig fine from the ICO to mean business showing that GDPR fines are not just talked about," said Jake Moore, cybersecurity specialist at security firm ESET. "Incredibly, this still isn't the maximum fine they could have been handed either.

"However, the amount of data compromised was huge and it is without doubt that it would have ended up in criminal hands so therefore it should not be taken lightly. The sort of data taken could have been used for card fraud or even identity theft and with as many as 380,000 transactions skimmed, this is an immense amount of information personally identifiable."

marriott digital design primary
Thinkstock / Marriott

Marriott - fined proposed £99m in July 2019

The ICO announced a second major penalty for a GDPR violation just a day after proposing a massive fine for BA when the regulator revealed that it intended to fine Marriott International more than £99 million.

The breach relates to a cyber attack which exposed a range of personal data contained in approximately 339 million records of hotel guests, around seven million of whom were UK residents. The suspected origin of the vulnerability was a 2014 compromise of the systems of the Starwood hotels group, which Marriott acquired in 2016.

Marriott reported the incident in November 2018, but the ICO found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and didn't sufficiently secure its systems.

holding smartphone protected padlock lock keyhole security
sarayut / Getty Images

Dixons Carphone - fined £500,000 in January 2020

Dixons Carphone became 2020's first recipient of an ICO fine after a hacker gained access to 5.6 million payment card details by installing malware on 5,390 tills at the company's Currys PC World and Dixons Travel stores.

The attack affected a total of around 14 million people, exposing their full names, postcodes, email addresses and failed credit checks. Data continued to be collected for nine months before the malware was detected.

The ICO found that Dixons Carphone was responsible for a range of poor security arrangements, including inadequate software patching, the absence of a local firewall, a lack of network segregation and a failure to conduct routine security testing.

The £500,000 fine was the maximum possible for the breach, as it took place prior to the implementation of GDPR. Two years earlier, Carphone Warehouse, which is part of the same group, was fined £400,000 by the ICO for similar security vulnerabilities.

Facebook - fined £500,000 in October 2018

The ICO slapped Facebook with the maximum possible fine of £500,000 for the social network's role in the Cambridge Analytica scandal. The information of an estimated 87 million Facebook users was improperly shared with the political consultancy through a quiz that collected data from participants and their friends.

The investigation found Facebook guilty of allowing application developers access to user information without sufficient consent, failing to secure personal information by making suitable checks on the apps and developers using its platform, and taking inadequate remedial action once the misuse of data was discovered.

The £500,000 fine is a paltry sum for a company that made $13.2 billion (£10.3 billion) in revenue in the first quarter of 2018 and the figure could have been far higher if the breaches had occurred before the GDPR came into force, as Information Commissioner Elizabeth Denham explained

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR," she said.

"One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people's personal data. Our work is continuing. There are still bigger questions to be asked and broader conversations to be had about how technology and democracy interact and whether the legal, ethical and regulatory frameworks we have in place are adequate to protect the principles on which our society is based."

Data breach  >  open padlock allowing illicit streaming data collection
Arkadiusz Wargua / Getty Images

Bounty UK - fined £400,000 in April 2019

Pregnancy club Bounty UK was hit with a £400,000 fine for illegally sharing the personal information of more than 14 million people.

The company collects personal data from its website, mobile app, merchandise pack claim cards and new mothers at hospital bedsides, but failed to fully disclose that this information was being passed on to third parties for direct marketing purposes.

The ICO found that Bounty shared approximately 34.4 million records with 39 credit reference and marketing agencies, including Acxiom, Equifax, and Sky, without being fully clear with people about these activities. The data that was shared was from potentially vulnerable new mothers or mothers-to-be and very young children whose birth date and sex were included.

Steve Eckersley, the ICO's director of investigations, said the number of personal records and people affected in the case was "unprecedented" in the history of the ICO's investigations into data broking. As the activities took place between June 2017 and April 2018, they fell within the remit of the Data Protection Act 1998 rather than the potentially more punitive GDPR.

Woman looking at her phone
Getty Images

TalkTalk - fined £400,000 in October 2016

TalkTalk received a then-record fine of £400,000 after a cyber attacker used an SQL injection to access the personal data of 156,959 customers, including the bank account numbers and sort codes of 15,656 of them.

The severity of the fine was due to TalkTalk's failure to take the appropriate security measures to protect sensitive personal data from a well-known risk. It also took account of the large number of data subjects, the nature of the personal data held in the databases and the potential consequences of the breach.

Read next: Ex-Talk Talk CEO shares lessons from massive 2015 data breach

angry face emoji on mobile phone

Keurboom Communications - fined £400,000 in May 2017

Keurboom Communications matched TalkTalk's record penalty when the ICO fined it £400,000 for making 99.5 million nuisance calls over an 18 month period.

The calls related to a wide range of subjects from road accident claims to PPI compensation. Some people received repeat calls and the company hid its identity, making it hard to make complaints. Following the investigation, Keurboom Communications Ltd was placed in voluntary liquidation.

Cybersecurity  >  Skull + crossbones / abstract code / criminal hacker / attack / security threat
CHUYN / Getty Images

The Carphone Warehouse - fined £400,000 in January 2018

The Carphone Warehouse became the third company to receive a £400,000 fine for serious data protection failures that placed customer and employee data at risk.

An external cyber attack originating from an IP address in Vietnam gained access to databases containing credit card data and other personal information from more than three million people. The ICO ruled that there were multiple, distinct and significant inadequacies in the Carphone Warehouse's security measures, and noted that the attack had been ongoing for 15 days before it was detected.

Uber transport
NSW government

Uber - fined £350,000 in November 2018

Uber was hit with a £385,000 fine after the company paid off hackers who stole the personal details of around 2.7 million Uber customers in the UK without informing the victims about the incident.

The attackers accessed a cloud-based system storage system operated by Uber's parent company using "credential stuffing", a process of injecting compromised username and password pairs into websites until they find a match with an existing account.

They then downloaded full names, email addresses, phone numbers and other information from customers, as well as the records of almost 82,000 drivers, including details on the journies they'd made and the fairs they'd been paid. Uber paid the attackers $100,000 to destroy the data but didn't tell the affected customers and drivers for more than a year.

The £385,000 fine was determined based on the size of the breach, the sensitivity of the information stolen and the failure to notify the victims and regulators at the time.

Around 174,000 people in the Netherlands were also affected, leading the Dutch Data Protection Authority (DPA) to impose a separate €600,000 (£532,000) fine.

iphone call

Your Money Rights - fined £350,000 in September 2017

Your Money Rights was given a £350,000 fine after making a record 146 million illegal calls. The unsolicited calls concerned PPI claims that caused numerous recipients to complain of feeling harassed and threatened.

Companies can only make automated marketing calls to people if they receive specific consent, which Your Money Rights failed to obtain. Following the investigation, the company entered liquidation.

An unknown number calls a mobile phone amid pixelated data.
Tero Vesalainen / WhataWin / Getty Images

Miss-sold Products UK - fined £350,000 in January 2018

Miss-sold Products UK was fined £350,000 after the claims that the company made 75 million nuisance calls in a four-month period.

Like Your Money Rights, the firm made automated marketing calls about PPI claims without the consent of recipients. Miss-sold Products UK also failed to identify the organisation making the calls, and used 'added value' numbers, which cost money when people called back after a missed call. Some people complained that they were not able to opt out of the calls, while others said they had been called a number of times.

gavel justice judicial system law lawyer judge bureaucracy governance compliance
Getty Images

Crown Prosecution Service - fined £325,000 in May 2018

The Crown Prosecution Service (CPS) received a £325,000 fine after the agency lost unencrypted DVDs containing recordings of police interviews with 15 victims of child sex abuse that were to be used at trial.

The DVDs contained sensitive details about both the victims and the personal data and further identifying information about other parties. The DVDs went missing after they were left in reception in following a tracked delivery sent between two CPS offices. It is not known what happened to the DVDs after they were lost.

Doctor with mobile device

Brighton and Sussex University Hospitals NHS FT - fined £325,000 in June 2012

Brighton and Sussex University Hospitals NHS Foundation Trust was hit with a £325,000 fine (PDF) in 2012, which at the time was the largest penalty imposed by the ICO. The breach occurred when a contractor sold Trust hard drives on eBay that he had been hired to destroy. The drives contained sensitive personal data about patients and staff, including details of people being treated for HIV.

The Trust attempted to reach a settlement that recognised errors were made but no harm arose from them, but the ICO rejected their efforts. The Trust then elected to pay the monetary penalty early in order to receive a 20 percent discount on the fine, which brought it down to £250,000.

frustrated waiting for the phone to ring 137888054

Holmes Financial Solutions - fined £300,000 in January 2018

Holmes Financial Solutions was fined £300,000 for making 8.8 million marketing calls without receiving consent.

The contraventions were similar to those made by Your Money Rights. Holmes Financial Solutions made automated calls promoting PPI claims, which lacked consent, failed to identify the company making the calls, and used 'added value' numbers, which generate revenue when people call back.

fail frustration laptop user head desk

Road Accident Consult trading as Media Tactics - fined £270,000 in March 2017

Road Accident Consult was slapped with a £270,000 fine for making 22 million nuisance calls containing recorded messages about a range of subjects including PPI, personal injury claims and debt management.

The ICO began its investigation after receiving 182 complaints through the ICO's online reporting tool. Road Accident Consult said it had bought data from other firms and believed the people had agreed to be contacted, but the ICO found these permissions had been granted through generic and unspecific privacy notices that were an inadequate basis for consent.

A man looks displeased/stressed/frustrated and pinches his brow while using a computer at work.
PeopleImages / Getty Images

Easyleads Limited - fined £260,000 in September 2017

Easyleads Limited was fined £260,000 for making 16.7 million automated marketing calls about boiler grants without receiving consent. The ICO investigation found that the company had deliberately misled people by referring to a government scheme and the offer of a free boiler.

The penalty was announced days after the ICO dished out a £350,000 fine to Your Money Rights, bringing the penalties handed to companies behind sending illegal recorded messages to £610,000 in just one week.


Yahoo - fined £260,000 in September 2017

Yahoo was hit with a £250,000 fine after around 500 million Yahoo user accounts were compromised following a sophisticated and persistent attack on servers located in the United States that the ICO claim was supported by the Russian Federal Security Service.

The ICO found that Yahoo failed to take the appropriate measures to protect the personal data of customers against exfiltration by unauthorised persons.

iphone silent
Ryan Whitwam/IDG

Barrington Claims - fined £250,000 in September 2017

Barrington Claims was fined £250,000 for failing to ensure that automated marketing calls were sent to individuals who had consented to receive them.

The company made more than 15 million calls between 22 February and 23 May 2016, which contained recorded messages offering PPI refunds plus compensation. Recipients of the calls complained about the rate and frequency of the calls and the persuasive nature of the wording.

incoming emails / DNS security / locked server / parked domain
Thinkstock / Imaginima / Getty Images

Newday Limited - fined £230,000 in January 2018

Newday Limited received a £230,000 fine for instigating the transmission of more than 48 million unsolicited marketing emails promoting its financial products.

The company relied on consents obtained by third party affiliate marketers, but this was deemed invalid as the affiliates did not provide sufficient fair processing information to indicate that subscribers would receive direct marketing emails from Newday Limited.

studying + taking notes amidst abstract formulas / binary code
Deagreez / Monsitj / Getty Images

The Independent Inquiry into Child Sexual Abuse - fined £200,000 in July 2018

The Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 for sending a bulk email that identified possible victims of abuse.

The breach occurred when an IICSA staff member sent a blind carbon copy email to 90 inquiry participants telling them about a public hearing. This allowed the recipients to see each other's email addresses, identifying them as possible abuse victims.

Copyright © 2020 IDG Communications, Inc.