GDPR penalties and fines.
The maximum fine under the GDPR is 4% of annual global turnover or €20 million, whichever is greater.
High Profile GDPR fines
Dixons Carphone – £500,000 in January 2020
A hacker gained access to approximately 5.6 million payment card details by installing malware on 5,390 tills in Currys PC World and Dixons Travel stores. The ICO investigation found that the malware was active between July 2017 and April 2018 before it was discovered.
The ICO investigation found systemic failures, which included:
- Absence of firewalls
- Lack of network segregation
- Inadequate software patching
- No routine security testing
Marriott – Proposed fine of £99M in July 2019
The ICO revealed that it intended to fine Marriott International more than £99 million for the cyber-attack that exposed the personal data of over 338 million hotel guests. The suspected origin of the vulnerability was in the systems of the Starwood hotel group, which Marriott had acquired in 2016.
The breach dated back to 2014 but was not discovered until November 2018. The Information Commissioner’s Office (ICO) investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
Equifax – £500,000 fine in September 2018
Hackers stole credit details of 147 million Americans; the data also included British and Canadian citizens. Equifax were fined by the ICO for failing to protect the personal information of up to 15 million UK citizens.
As part of the settlement, which includes fines imposed by US federal authorities, Equifax will pay up to $700 million in fines. The federal government stated that Equifax “failed to take reasonable steps to secure its network”.
Other fines issued by the Information Commissioner’s Office (ICO):
- Life at Parliament View Estate Agent, fined £80,000 for failing to keep tenants’ data safe.
- Yahoo! UK Services Ltd were fined £250,000 for an attack that took place in 2014, exposing the contact information and passwords of 500 million Yahoo! users.
- Bupa Insurance Services Limited (Bupa) fined £175,000 for failing to have effective security measures in place to protect customers’ personal information.