GDPR penalties and fines

The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million – whichever is greater.

High Profile GDPR fines

Dixons Carphone – £500,000 in January 2020

A hacker gained access to approximately 5.6 million payment card details by installing malware on 5,390 tills in Currys PC World and Dixons Travel stores. The ICO investigation found that the malware was active between July 2017 and April 2018 before it was discovered.

The ICO investigation found systemic failures which included:

  • Absence of firewalls
  • Lack of network segregation
  • Inadequate software patching
  • No routine security testing

Marriott – Proposed fine of £99M in July 2019

The ICO revealed that it intended to fine Marriott International more than £99 million for the cyber-attack that exposed over 338 million hotel guests' personal data. The suspected origin of the vulnerability was in the systems of the Starwood hotel group, which Marriott had acquired in 2016.

The breach dated back to 2014 but was not discovered until November 2018. The Information Commissioner’s Office (ICO) investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Equifax – £500,000 fine in September 2018

Hackers stole credit details of 147 million Americans. The data also included British and Canadian citizens. Equifax was fined by the ICO for failing to protect the personal information of up to 15 million UK citizens.

As part of the settlement, which includes fines imposed by US federal authorities, Equifax will pay up to $700 million in fines. The federal government stated that Equifax “failed to take reasonable steps to secure its network”.

Other fines issued by the Information Commissioner’s Office (ICO):

Expect more GDPR fines in 2020…

Contact Us

Don’t get caught out

Contact us today to see how we can help protect your organisation and reduce the risk of a fine.