Top-10 ICO Fines

British Airways is the biggest airline in Europe and it has become the biggest breach in the United Kingdom.

In 2018, attackers hacked into their systems, and every time someone was booking tickets, the payment information was transferred to hackers automatically. The company did not notice it for nearly two months and, thus, the information of 429,612 customers and the staff were affected, both from the website and the official mobile app. Cybercriminals obtained names, email addresses, credit card numbers, expiration dates, and the three-digit [CVV] codes.

The Information Commissioner's Office wanted to issue a fine of £183 million at first but lowered it only to £20 million in 2020. They said that too much information was leaked and that British Airways never even noticed the breach – they were informed by a third party. They did not do enough to prevent the breach or at least to detect it.

Marriott International is the largest hotel chain in the world: they have 7,642 properties in 131 countries and territories.

Their breach went unnoticed for the longest time: almost four years the hacker was mining information. They installed a "web shell" on one of the devices in the Starwood system and sent malware to it from home. It allowed them to gain access to the whole network as a privileged user. When it happened, Starwood was not a part of Marriott but it was later acquired by the company. As a result, 339 million guest records worldwide were leaked, including names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests' VIP status, and loyalty program membership number.

The company is American so why were they fined by the UK's Office? During the breach, seven million guest records of the British citizens were compromised. GDPR protects its citizens' data not only in the UK but outside of it as well. If a foreign company mistreats the data, it will have to face a fine just like any other British company would. As a result, Marriott International was forced to pay £18.4 million.

Clearview AI is an American company that developed facial recognition software. Its database includes over 10 billion images, including those from social media.

There was no breach but the company failed in other rules. They gathered information without people's consent, simply scraping images from the Internet. As regulators say, people go on social media and professional platforms and do not expect that someone will use their personal photos for the database, it is not in the Conditions that they agree to. Clearview AI did not have consent and any lawful reason to collect such information and they retained data forever which goes against GDPR.

Consequently, ICO issued a fine of £17 million and ordered the company to delete all the data concerning British citizens and never collect it again. The Office of the Australian Information Commissioner (OAIC) backed up the British Office and ordered the deletion of Australian citizen's data as well.

Ticketmaster is the biggest ticket marketplace, with its headquarters in Los Angeles. They sell and resell 500 million tickets per year.

The company faced a huge breach in 2018 because its chatbot was hacked. The cybercriminal used it to steal payment details. It was not Ticketmaster who discovered the breach but different banks. They noticed fraudulent activity on their customer accounts and tracked the issue to Ticketmaster. Even though they alerted the company right away, it took them nine weeks to take a closer look at it. Meanwhile, the hacker acquired data of 9.4 million of Ticketmaster's customers in Europe including 1.5 million British citizens. The compromised information included names, payment card numbers, expiry dates, and CVV numbers. Around 60,000 Barclays Bank customers have lost their funds and Monzo Bank had to replace 6,000 cards due to fraudulent use as well.

ICO issued a £1.25 million fine for the company's irresponsibility concerning both low-quality cybersecurity and slow response.

Equifax is an American multinational data company that collects and sells information about clients, their demographics, and credit data. It is done to monitor consumers' credit scores and protect businesses from fraud. They have files on 800 million individuals and 88 million businesses.

In 2017, their third-party tool was exploited: they used Apache Struts as a website framework. The latest update for that time was not secure and Apache patched the version and notified users that they need to install a new update immediately. Equifax failed to react to the message and did not update the system on time. Hackers used it to get into the internal servers, steal employees' credentials and get to the databases with them. They proceeded to download information for 76 days. As a result, 147.9 million Americans, 15.2 million British citizens, and 19,000 Canadians lost their data, including first and last names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license numbers. It is still unknown who was behind the hack and what they did to the data. There are two main versions: they will sell it after the breach is not that fresh or the breach was orchestrated by some state to use data for espionage.

They faced a £500,000 fine from ICO for their inability to download the secure update on time and other instances that made breach easy: lack of sufficient segmentation in the network, potentially inadequate encryption, and ineffective breach detection mechanisms.

Facebook is a social media platform that was repeatedly criticized for its misuse of data. ICO fined Facebook for two reasons: the big breach and their unfair procession of information.

Facebook allowed application developers to see and process user data without the consent of the latter, even if the person was not using Facebook. It was enough to be a real-life acquaintance of a Facebook user to have your data being collected and analyzed as well.

In the 2010s, Dr. Aleksandr Kogan and his company Global Science Research developed an app called "This Is Your Digital Life". It was like a personality quiz that builds user psychological profiles. People were paid to complete the quiz and give up their data for academic purposes. Those who participated also gave data of all their Facebook friends and so 87 million users were affected. The company harvested their public profiles, pages like birthdays, the current cities, the News Feeds, timelines, and messages. However, their psychological profile was the most important finding. Aleksandr's company sold data to Cambridge Analytica and they used it for Donald Trump's presidential campaign and possibly Brexit. As it later turned out, thousands of other Facebook third-party apps were doing the same for years.

As a result, Facebook was fined £500,000 for data misuse.

The Cabinet Office is a British governmental body that supports the Prime Minister, National Security Council, and the Joint Intelligence Organization (including their cybersecurity efforts) and implements some policies.

In 2019, the Cabinet Office published a file on a governmental website with the data on 2020 New Year Honors recipients. It was a simple organizational mistake but the names and addresses of 1,000 people went public. There was data on high-profile individuals too. The Office noticed their mistake only after more than 2 hours and deleted the file. However, it was late - people with exact web addresses could still access it. Overall, the file was viewed 3,872 times which left affected individuals concerned about their safety.

They received a £500,000 fine from ICO and had to undergo investigation and significant improvements in cybersecurity and policies concerning personal data.

Leads Works Ltd is a private lead generation company for direct selling. Valca Vehicle is a lead generation company for financial products. They were fined since they were sending unsolicited messages and emails.

Basically, companies did not ask for consent before sending individuals marketing materials and it is prohibited by security guidelines. Leads Works sent more than 2,6 million messages and, moreover, they were hiding their identity – they sent messages on behalf of Avon but Avon confirmed that they never sent them and they never worked with Leads Works. As a result, the company got a £240,000 fine. The company did not stop sending spam messages during the investigation or after the verdict though. Valca Vehicle was appealing to individuals who were financially down because of the pandemic and offered them credits as a "part of governmental support". They sent 95,000 messages and had to pay £80,000 in fines.

ICO also fined a range of other companies over unsolicited marketing messages and emails, namely such brands as We Buy Any Car, Saga Services Ltd and Saga Personal Finance, and Sports Direct.

Making it Easy is a company that focuses on boiler replacement services. They are operating in Clydebank, Scotland. They were fined due to similar reasons, namely for unsolicited marketing calls.

Ironically, the company called Telephone Preference Service registered users. It is a database of people who do not want to be disturbed by any marketing calls and make complaints. It is unlawful to call them since they specifically do not consent and all marketing firms should check this database before calling phone numbers. Making it Easy said that they purchased the database from a third party and did not check with the TPS database. Moreover, they also were introducing themselves as other companies to the users which are prohibited as well.

As a result, they had to pay a £160,000 fine for their unlawful activities.

DialADeal Scotland Ltd is a direct marketing company based in Glasgow.

They were also making marketing phone calls to the users registered on Telephone Preference Service. However, they went a little further. They were offering boiler and window replacement, loft insulation, and home improvement grants as a part of Green Deal, a set of policies to make the EU carbon neutral. They also masked their numbers and were introducing themselves as popular brands.

For such marketing activity with clear user dissent, they got a £150,000 fine. The company is liquidated now.

Companies have to be aware of their data processing on all levels: they should learn how to collect and store it securely, how to ask for explicit user consent, and what data they are not allowed to use, and for which aims. Even if the company is not from the UK, they may still face ICO fines if the data of British citizens are involved.