Recent ICO penalties for cyber-security failings
Recent penalties imposed by the ICO under the Data Protection Act 1998 suggest that cyber-security failings by large organisations will attract the highest fines under the GDPR.
Recent penalties imposed on the Carphone Warehouse, the Bible Society and Yahoo! under the Data Protection Act 1998 (DPA) point to a clear message in ICO enforcement: large organisations that fail to keep their customers’ personal data secure can expect the highest financial penalties available. The larger the organisation, the higher the expectation of cyber-security sophistication and the less forgiving the ICO has been of rudimentary cyber-security failings.
Breaches and fines imposed
In each case, the ICO found that there had been a serious breach of Principle 7 (requiring organisations to put in place appropriate technical and organisational measures to protect personal data from unlawful processing):
| Company | Fine | Reasons for breach |
| --- | --- | --- |
| Bible Society | £100,000 | |
| Carphone Warehouse | £400,000 | |
| Yahoo! | £250,000 | |
Analysis
Breach of the DPA carried a maximum fine of £500,000, by reference to which the fines received by Carphone Warehouse and Yahoo! are notably high (the Carphone Warehouse fine being a record-equalling fine under the DPA). In determining the level of these fines, the ICO placed particular emphasis on the size and resources of the companies, the level of sophistication (or otherwise) of the cyber-attacks and whether the cyber-security failings related to rudimentary or commonplace measures. By contrast, the means and resources of the Bible Society were considered to be mitigating factors in setting the level of fine.
Still, these fines remain low compared to those available under the GDPR. Had these breaches occurred on or after 25 May 2018, the respective fines imposed on Yahoo! and Carphone Warehouse could theoretically have been as high as £200m and £420m respectively (being 4% of the latest recorded revenues of each company).
More recently, Dixons Carphone, the parent company of Carphone Warehouse, announced a further breach that exposed the payment details of nearly 6m customers. As this breach occurred pre-GDPR, Dixons Carphone will not face the exorbitant penalty regime available under the GDPR. Still, as a repeat offender, it may be in line for yet another record penalty from the ICO applying the DPA.