With the advancement of modern technology, personal data breaches are affecting an increasing number of people every year. Some of these breaches have resulted in substantial data breach fines in the UK for the organisations responsible. This blog will discuss some of these fines, exploring why they were issued and how organisations breached their customers’ personal data.
For some context, 2018 saw the introduction of data protection laws in the UK, namely the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR). These laws govern how personal information is handled and used by organisations, such as businesses, councils, and healthcare providers.
Organisations have a responsibility to comply with data protection laws. If their failure to do so results in a data breach, it can lead to investigations and fines. There are also circumstances where such failures may give rise to data breach claims.
Have you suffered from a data breach? If so, you may be able to claim data breach compensation. To find out whether you can or to learn more about the claims process, please reach out to our helpful advisors today.
We are here to help you
Here at UKlaw our expert advisors are on hand 24 hours a day 7 days a week to assess your compensation claim. Should you require free legal advice we can connect you to a specialist solicitor.
Jump To A Section
- The Biggest ICO Data Breach Fines In The UK In The Last 5 Years
- British Airways Fined £20 Million After A Cyber Attack
- Cyber Attack On Marriott International Led To An £18.4 Million Fine
- Interserve’s £4.4 Million Fine After Failure To Stop A Phishing Email
- TikTok’s Failure To Protect Children’s Privacy Results In a £12.7 Million Fine
- Clearview AI Charged £7.5 Million For Collecting Images From The Internet And Social Media Without Consent
- Getting Data Breach Advice From UK Law
- Learn More
The Biggest ICO Data Breach Fines In The UK In The Last 5 Years
Before diving into the biggest ICO data breach fines in the UK in the last 5 years, we’re going to provide some background information. In the following sections, we’ll define what a personal data breach is and explain the role of the Information Commissioner’s Office (ICO), the UK’s independent data protection regulator.
What Is A Personal Data Breach?
A personal data breach can be defined as a security incident that affects the availability, integrity, or confidentiality of information. According to the ICO, this may involve the accidental or unlawful loss, destruction, alteration, or disclosure of personal data, or unauthorised access to it.
Both personal and sensitive information can be subject to a data breach. To differentiate between them:
- Personal data refers to any information that can be used to directly identify an individual, such as their full name, home address, or national insurance number.
- Special category data applies to sensitive information that requires greater protection under the UK GDPR, including a person’s racial or ethnic origin, political opinions, and genetic data.
When an organisation fails to adhere to data protection laws, namely the DPA and the UK GDPR, it may have significant ramifications for any individual whose personal information is compromised. Moreover, those affected may be eligible to claim compensation for a data breach if they suffer psychological harm and/or financial loss.
How Does A Personal Data Breach Happen?
A personal data breach can happen by accident, such as through human error, or result from unlawful actions by hackers or other malicious actors. Let’s take a look at human error first.
Say a genealogy business had your current details on file, but a staff member failed to check that they were using the correct information. As a result, documentation containing sensitive information about your family history and DNA is sent to the wrong postal address. Here, the error’s impact on both your finances and mental health could be significant.
Unlawful actions can range from phishing emails and ransomware to physical theft and intentional disclosure of personal data. Of course, as we’ve mentioned, hackers are a common cause of security incidents, as this guide to data breach fines in the UK will show.
What Is the ICO?
As touched on earlier, the Information Commissioner’s Office (ICO) is the UK’s independent regulator responsible for enforcing data protection legislation. In doing so, it provides guidance to all organisations that are required to adhere to data protection laws.
Some of the ICO’s main responsibilities include:
- Notifying organisations or individuals of data breaches.
- Assessing risks that may jeopardise the rights and freedoms of individuals.
- Responding to reports of data breaches by individuals or organisations.
- Completing investigations of data breach incidents.
Since the ICO is the leading data protection body in the UK, it also has enforcement powers. As such, if an organisation fails to comply with its obligations under data protection legislation, the ICO can impose monetary penalties, essentially fines.
Can I Make A Personal Data Breach Claim?
You can make a personal data breach claim if you can show that you have been negatively impacted by an organisation’s mishandling of your information. This involves meeting the following criteria:
- An organisation failed to adhere to data protection laws.
- Their failure led to a breach, which compromised your personal data.
- This directly caused you to suffer psychological harm, financial losses, or both.
If an organisation was responsible for breaching your personal data, contact our advisors to find out if you are eligible to claim compensation.
British Airways Fined £20 Million After A Cyber Attack
In 2020, UK airline British Airways was fined £20 million by the ICO for failing to adhere to data protection laws, resulting in a breach that affected over 400,000 customers.
The personal data breach occurred in 2018 when hackers compromised British Airways’ systems and began to harvest information from the company. They were able to obtain login credentials, names and addresses, as well as travel booking and payment card details.
Despite the scale of the hack, it took British Airways 2 months to become aware of the incident (when a security researcher informed them). They subsequently reported the breach to the ICO and said they notified customers as soon as they became aware of it.
The ICO investigated the security incident and concluded that:
- At the time of the breach, there were weak security measures, including a lack of multi-factor authentication (MFA).
- The company failed to comply with data protection laws and safeguard itself from a preventable cyberattack.
- The hack had not been detected until hundreds of thousands of customers had already been affected.
Consequently, the ICO imposed a £20 million fine on British Airways. This was the first major fine levied by the ICO under the UK GDPR, and the largest penalty issued by the regulator at that point.
Source: https://www.bbc.co.uk/news/technology-54568784
If an airline company or travel agency breached your personal data, contact our advisors today to find out if you can claim data breach compensation.
Cyber Attack On Marriott International Led To An £18.4 Million Fine
In 2020, a cyberattack on the Marriott International hotel chain resulted in an £18.4 million fine by the ICO. This fine arose from a breach which may have impacted the personal data of up to 339 million customers, including 7 million guests in the UK alone.
In 2014, the Starwood Hotels group was subject to a cyberattack that provided the hacker(s) with unrestricted access to its systems. Unaware of these security issues, Marriott International acquired the group in 2016. However, personal data continued to be accessed by the attacker through the compromised systems, including:
- Names
- E-mail addresses
- Passport numbers
- Phone numbers
- Information on arrivals and departures
- Loyalty programme numbers
Once the breach was noticed in 2018, the incident was reported to the ICO. Following an investigation into the breach, the ICO concluded that Marriott International had failed to comply with data protection laws.
Although Starwood Hotels’ data platforms were already subject to a serious breach, Marriott International failed to conduct adequate security checks before acquiring the company or to implement appropriate safeguards afterwards. The ICO acknowledged that Marriott had acted quickly once it detected the flaw and had since made improvements. Nevertheless, the ICO imposed an £18.4 million fine on Marriott International for failing to adhere to data protection laws.
Source: https://www.bbc.co.uk/news/technology-54748843
Our panel of data protection solicitors have seen firsthand just how impactful a hotel cyberattack can be on the financial and psychological well-being of those affected. If you have experienced one, please get in touch with our advisors for a free and confidential case assessment.
Interserve’s £4.4 Million Fine After Failure To Stop A Phishing Email
The construction group Interserve was fined £4.4 million in 2020 for failing to stop a phishing email that enabled hackers to compromise employees’ personal data. Phishing emails are designed to appear legitimate so that recipients open them or their attachments, giving hackers a route to their information.
In this case, an employee of the company was responsible for opening the phishing email that affected Interserve. They downloaded the contents of the email, which installed malware onto the work system. This gave the hacker unauthorised access to the personal information of up to 113,000 Interserve employees, including:
- Names
- Bank details
- National insurance numbers
- Religious beliefs
- Sexual orientations
- Ethnic origins
The resulting attack compromised 283 systems and 16 accounts, and encrypted the information of both current and former employees. The attackers even uninstalled the company’s anti-virus software.
Following the breach, the ICO conducted an investigation that found Interserve had failed to institute appropriate measures to prevent the phishing attack. Its findings also highlighted that the company was using outdated cybersecurity systems, lacked adequate risk assessments, and had not provided staff with sufficient training.
The ICO determined that Interserve had failed to comply with data protection laws. Subsequently, Interserve was issued a £4.4 million fine by the ICO.
Source: https://www.theguardian.com/business/2022/oct/24/outsourcer-interserve-fined-4-point-4m-cyber-attack-failings-data-breach-personal-information
If your data was breached by a phishing email, get in touch with our advisors to find out if you are eligible to start a data breach claim. They understand that such attacks can have far-reaching consequences and are here to provide guidance tailored to your specific circumstances.
TikTok’s Failure To Protect Children’s Privacy Results In a £12.7 Million Fine
In 2023, the owners of the social media platform TikTok were fined £12.7 million for a failure to protect children’s privacy. This fine resulted from the company processing the personal data of up to 1.4 million users under the age of 13 without first obtaining the explicit consent of their parents or carers.
As part of its terms and conditions, TikTok banned anyone under 13 from accessing the platform. However, the ICO found that, between May 2018 and July 2020, TikTok had very limited mechanisms in place to enforce that age restriction. TikTok only required users to tick a box certifying that they were over 13, with no further checks to verify the self-certification.
Consequently, TikTok was able to collect and use the personal data of individuals who should not have been on the platform. After completing its investigations into the matter, the ICO found that:
- TikTok had provided access to users under 13 and processed their personal data without the consent or authorisation of their parents or caregivers.
- TikTok failed to clearly state how personal data would be collected, stored, and used in a way that was easy for people to understand.
- TikTok did not ensure that personal data was processed ‘lawfully, fairly and in a transparent manner.’
As a result, the owners of TikTok were fined £12.7 million for misusing children’s data and failing to adhere to data protection laws. Since this breach, the ICO has introduced guidance and resources for children to protect them and their data on social media platforms.
Source: https://www.theguardian.com/technology/2023/apr/04/tiktok-fined-uk-data-protection-law-breaches
If you or your child’s personal details have been compromised on a social media platform, please contact our advisors today. They’re here to listen and can help determine whether there might be grounds to claim compensation.
Clearview AI Charged £7.5 Million For Collecting Images From The Internet And Social Media Without Consent
In 2022, the technology company Clearview AI was fined £7.5 million for collecting 20 billion images of people from the internet and social media without their consent.
Clearview AI is a facial recognition company whose services are used by many organisations internationally, including law enforcement. Customers can search for individuals in Clearview AI’s database, which uses an algorithm to match faces to images that the business has obtained online. Many police forces worldwide, including the Metropolitan Police, have reportedly used Clearview AI’s services to support their investigations.
However, in 2021, the ICO launched a joint investigation into the company with the Australian Communications and Media Authority (ACMA). The investigation found that Clearview AI had unlawfully collected millions of images of UK citizens without their consent. As part of its findings, the ICO highlighted several failings, including:
- A failure to have a lawful reason to collect personal information.
- A failure to have mechanisms in place to ensure that personal data was not held indefinitely.
- A failure to use the images and personal details of UK citizens in a transparent and fair manner.
- A failure to ensure that sensitive information, like biometrics, was given the extra protections required by the UK GDPR for special category data.
As such, the ICO imposed a £7.5 million fine on Clearview AI. The ICO also instructed the company to cease collecting personal data belonging to UK citizens. Additionally, the ICO informed Clearview AI that it must delete any personal data it had already obtained from UK citizens.
If a company has breached your personal data, contact our advisors today to share your experience. They will walk you through your options and assess whether you might have a case to claim compensation.
Source: https://www.dailymail.co.uk/news/article-10845123/Orwellian-facial-recognition-company-used-UK-police-forces-fined-7-5M.html
Source: https://www.bbc.co.uk/news/technology-61550776
Getting Data Breach Advice From UK Law
Here at UK Law, you can get data breach advice from the moment you reach out to our advisory team. Whether you’ve been wondering ‘Who should I contact?’ or ‘What should I do next?’, you can get the answers you need from our advisors.
No matter how your personal data has been compromised, our advisors are here to listen and provide free, no-obligation guidance on your options. They will carefully review the details of your situation to determine whether you are eligible to start a claim.
If you do have an eligible case, you could be put in touch with one of the specialist data breach solicitors from our panel. They offer their services on a No Win No Fee basis through a Conditional Fee Agreement (CFA). It ensures you won’t face the added stress of worrying about spiralling solicitor fees.
Instead, there will be no expectation for you to pay any upfront or ongoing solicitor fees for your representative’s work. You also won’t pay these service fees if your case is lost.
If your claim wins, your solicitor will be paid a success fee as a small, capped percentage of your compensation. It’s pre-agreed, so you can have peace of mind that there will be no surprises if you are successful.
Why Choose UK Law To Make A Personal Data Breach Claim?
By choosing UK Law to make a personal data breach claim, you will benefit from the client-focused, expert service offered by our panel of solicitors. They have used their extensive experience to help clients across the country by providing:
- Expert advice that emphasises confidentiality and transparency.
- Access to specialist mental health services to aid the rehabilitation process.
- Straightforward explanations of any unfamiliar terms that may be encountered during a claim.
- Regular updates and prompt answers to any case-related questions.
- Expert representation at every stage of the claim and throughout negotiations to secure the best possible settlement.
At UK Law, both our advisors and our panel of solicitors recognise the value of excellent customer service. As such, you can rest assured that they will dedicate their time to helping you claim the compensation you deserve.
Contact Us
If you would like to start your own claim or want to learn more about data breach fines in the UK, please reach out to our helpful advisors by:
- Visiting our ‘contact us’ page
- Calling 020 3870 4868
- Messaging our live chat
Our lines are open 24 hours a day. Therefore, you can contact our advisors to discuss your data breach at your convenience.
Learn More
If you would like to read more about data breach claims, please see the informative guides linked below:
- Find answers to our data breach FAQs
- Learn how to use a data breach compensation calculator
- Advice on how long you have to report a data breach
We appreciate you taking the time to read through our look at some of the biggest data breach fines in the UK.