Data Protection - Naming and shaming
02 - 09 - 2019
Data Protection and Privacy
There have been a few larger fines laid out recently; things are certainly starting to ramp up. It’s not just the big brands getting fined either: the ICO are doing their best to go after nuisance calls as well (which we appreciate a lot). Here’s our snapshot of the fines passed out over the last few months:
British Airways – ICO intend to fine them £183 million.
Hackers redirected traffic to a spoof site and collected bank/card details (including security CVC codes) from around 500,000 customers. The ICO has blamed British Airways’ “poor security arrangements” for the breach, hence the fine!
ICO statement of intent to Marriott International for £99,200,396
The ICO has issued Marriott International with a statement of intent to fine them £99,200,396 for breaches of GDPR. This was for a cyber incident which affected over 330 million guest records. After self-referral to the ICO, the ICO found that Marriott International had failed to carry out due diligence when it acquired Starwood Hotels Group in 2016. Starwood’s systems were apparently compromised earlier, in 2014, eventually creating a much larger breach once those systems were merged with Marriott’s. Marriott had, it seems, not sufficiently checked the security and integrity of the systems it had purchased.
EE Limited – fined £100,000 for PECR breach
EE sent out millions of texts to customers, many of whom had previously opted out of receiving marketing. EE knew, or was reckless about the fact, that some of those customers had previously opted out and sent the marketing messages anyway. Under the Privacy and Electronic Communications Directive – otherwise known as PECR – EE had relied upon the old “soft opt-in” but hadn’t put in place systems to properly record opt-outs.
Making it Easy Ltd – (having a hard time apparently – fined £160k)
A boiler replacement company made over 850,000 calls to numbers registered with the Telephone Preference Service.
MisterTango UAB (a Lithuanian financial services company) fined ~€61,000
The first fine levied by the Lithuanian Data Protection Agency – the State Data Protection Inspectorate. Having carried out the investigation, the Inspectorate has determined that the company breached the requirements of the GDPR as it:
- improperly processed personal data in screenshots (SS),
- made personal data publicly available and
- failed to report the personal data breach to the personal data protection supervisory authority as well as capturing FAR TOO MUCH other personal data.