
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: Information Commissioner (ICO) (33 items)
33 posts, 12 topics, latest Feb 5

MediaLab.AI, Inc.: Insufficient legal basis for data processing

€284,450 fine - Information Commissioner (ICO)

The UK DPA has imposed a fine of GBP 247,590 (EUR 284,450) on MediaLab.AI, Inc. The controller of the image-sharing and hosting platform Imgur failed to implement age verification. As a result, the controller processed children's data without a sufficient legal basis, as the consent given had not been provided by the children's parents or carers.

LastPass UK Ltd: Insufficient technical and organisational measures to ensure information security

€1,400,000 fine - Information Commissioner (ICO)

The UK DPA has imposed a fine of £1,228,283 (EUR 1,400,000) on LastPass UK Ltd. The controller suffered a successful cyber attack due to insufficient technical and organisational measures to ensure data security.

LastPass UK Ltd: Insufficient technical and organisational measures to ensure information security

€1,400,000 fine - Information Commissioner (ICO)

The UK data protection authority (DPA) has imposed a fine of £1,228,283 (EUR 1,400,000) on LastPass UK Ltd. The controller fell victim to a successful cyber attack as a result of insufficient technical and organisational measures to ensure data security.

CAPITA PLC: Insufficient technical and organisational measures to ensure information security

€9,180,000 fine - Information Commissioner (ICO)

The UK data protection authority (DPA) has imposed a fine of £8,000,000 (EUR 9,180,000) on CAPITA PLC. CAPITA PLC acts as the controller for data processing within the CAPITA Group, which fell victim to a cyber attack. The controller failed to implement adequate technical and organisational measures to ensure data security, and also failed to respond adequately to the incident.

CAPITA PENSION SOLUTIONS LIMITED: Insufficient technical and organisational measures to ensure information security

€6,880,000 fine - Information Commissioner (ICO)

The UK DPA has imposed a fine of £6,000,000 (EUR 6,880,000) on CAPITA PENSION SOLUTIONS LIMITED. CAPITA PENSION SOLUTIONS LIMITED acts as the data processor for the CAPITA Group, which has suffered a cyber attack. The processor failed to implement adequate technical and organisational measures to ensure data security and also failed to react adequately to the incident.

CAPITA PLC: Insufficient technical and organisational measures to ensure information security

€9,180,000 fine - Information Commissioner (ICO)

The UK DPA has imposed a fine of £8,000,000 (EUR 9,180,000) on CAPITA PLC. CAPITA PLC acts as the data controller for the CAPITA Group, which has suffered a cyber attack. The controller failed to implement adequate technical and organisational measures to ensure data security and also failed to react adequately to the incident.

CAPITA PENSION SOLUTIONS LIMITED: Insufficient technical and organisational measures to ensure information security

€6,880,000 fine - Information Commissioner (ICO)

The UK data protection authority (DPA) has imposed a fine of £6,000,000 (EUR 6,880,000) on CAPITA PENSION SOLUTIONS LIMITED. CAPITA PENSION SOLUTIONS LIMITED acts as the data processor for the CAPITA Group, which fell victim to a cyber attack. The processor failed to implement adequate technical and organisational measures to ensure data security, and also failed to respond adequately to the incident.

Police Officer: Insufficient legal basis for data processing

€230 fine - Information Commissioner (ICO)

The UK DPA has imposed a fine of £200 (EUR 230) on a police officer. The controller forwarded sensitive and restricted personal data that he had obtained in the course of his work to his personal email address.

Police officer: Insufficient legal basis for data processing

€230 fine - Information Commissioner (ICO)

The UK data protection authority (DPA) has imposed a fine of £200 (EUR 230) on a police officer. The officer forwarded sensitive and confidential personal data, which he had collected in the course of his work, to his personal email address.

Birthlink: Insufficient technical and organisational measures to ensure information security

€20,725 fine - Information Commissioner (ICO)

The UK data protection authority (DPA) has imposed a fine of £18,000 (EUR 20,725) on Birthlink. This organisation, a Scottish foundation, failed to implement sufficient technical and organisational measures to ensure data security, which led to the loss of irreplaceable personal records.

Birthlink: Insufficient technical and organisational measures to ensure information security

€20,725 fine - Information Commissioner (ICO)

The UK DPA has imposed a fine of £18,000 (EUR 20,725) on Birthlink. The controller, a Scottish registered charity, failed to implement sufficient technical and organisational measures to ensure data security, resulting in the loss of irreplaceable personal records.

23andMe, Inc.: Insufficient technical and organisational measures to ensure information security

€2,700,000 fine - Information Commissioner (ICO)

The UK data protection authority (DPA) has imposed a fine of £2,310,000 (EUR 2,700,000) on 23andMe, Inc. The controller, a company offering DNA tests to private individuals, took insufficient technical and organisational measures to ensure data security, particularly given the sensitivity of the data processed. As a result, a cyber attack took place, which resulted in a data breach that affected 155,592 users in the United Kingdom for at least five months. The DPA considered the fact that the controller...

23andMe, Inc.: Insufficient technical and organisational measures to ensure information security

€2,700,000 fine - Information Commissioner (ICO)

The UK DPA imposed a fine of £2,310,000 (EUR 2,700,000) on 23andMe, Inc. The controller, a company offering DNA testing to private individuals, failed to implement sufficient technical and organizational measures to ensure data security, especially with regard to the sensitivity of the processed data. As a result, a cyberattack occurred, which led to a data breach affecting 155,592 UK-based users over the course of at least five months. The DPA considered the controller's failure to identify the

DPP Law Ltd.: Insufficient technical and organisational measures to ensure information security

€70,300 fine - Information Commissioner (ICO)

The UK DPA (ICO) has imposed a fine of £60,000 (EUR 70,300) on the law firm DPP Law Ltd. The controller had suffered a cyber attack during which personal data of 791 clients and expert witnesses were exfiltrated and published on the dark web. The DPA found that the controller failed to implement adequate technical and organisational measures to prevent such an attack, including the failure to regularly audit administrative accounts on its network, thereby infringing Art. 5 (1) f), 32 (1), and 3

DPP Law Ltd.: Insufficient technical and organisational measures to ensure information security

€70,300 fine - Information Commissioner (ICO)

The UK data protection authority (ICO) has imposed a fine of £60,000 (approximately EUR 70,300) on the law firm DPP Law Ltd. The firm was the victim of a cyber attack in which personal data of 791 clients and witnesses were stolen and published on the dark web. The data protection authority found that the firm had taken insufficient technical and organisational measures to prevent such attacks, including failing to regularly check administrator accounts on the network, thereby infringing Articles 5 (1) f), 32 (1) and 3 of the relevant legislation.

Advanced Computer Software Group Ltd: Insufficient technical and organisational measures to ensure information security

€3,500,000 fine - Information Commissioner (ICO)

The UK data protection authority (ICO) has imposed a fine of £3.07 million (EUR 3.5 million) on Advanced Computer Software Group Ltd for inadequate IT security (infringement of Art. 32 (1) UK GDPR). The controller failed to implement appropriate technical and organisational measures to protect personal data. A ransomware attack in August 2022 allowed hackers to gain access to the systems of a healthcare subsidiary via a customer account that lacked multi-factor authentication. As a result, the personal data of 79,404 individuals was put at risk.

Advanced Computer Software Group Ltd: Insufficient technical and organisational measures to ensure information security

€3,500,000 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined Advanced Computer Software Group Ltd £3.07 million (EUR 3.5 million) for insufficient IT security (infringement of Art. 32 (1) UK GDPR). The controller failed to implement appropriate technical and organisational measures to protect personal data. A ransomware attack in August 2022 allowed hackers to access systems of a health subsidiary via a customer account that lacked multi-factor authentication. As a result, the personal data of 79,404 individuals was put at risk.

Police Service of Northern Ireland: Insufficient technical and organisational measures to ensure information security

€904,000 fine - Information Commissioner (ICO)

The ICO fined the Police Service of Northern Ireland £750,000 (EUR 904,000) after accidentally publishing personal data of 9,483 police officers and staff on the internet. The breach caused significant distress for PSNI officers and staff, as their personal information, including names, ranks, roles, and location of post, was exposed. Many feared for their safety, with concerns that dissident groups could use the data to intimidate or target them, creating fear and uncertainty.

Central Young Men’s Christian Association: Insufficient technical and organisational measures to ensure information security

€8,700 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined the Central Young Men’s Christian Association EUR 8,700. The controller had sent an email to individuals participating in a programme for people living with HIV without using the blind carbon copy (BCC) option, which made the email addresses of all recipients visible to the other recipients. 166 individuals could be identified or potentially identified based on their email addresses, from which it could be inferred that these people were probably living with HIV.

UK Ministry of Defence: Insufficient technical and organisational measures to ensure information security

€400,000 fine - Information Commissioner (ICO)

The UK DPA has fined the Ministry of Defence EUR 400,000 for disclosing personal data of individuals who were to be relocated to the UK after the Taliban took control of Afghanistan in 2021. The Ministry of Defence had sent an email to a distribution list of Afghan nationals who were eligible for evacuation without hiding the email addresses, thereby revealing the personal email addresses and personal data of the recipients to the other recipients. The ICO stated that if the data had fal

TikTok: Non-compliance with general data processing principles

€14,500,000 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined TikTok EUR 14.5 million. The ICO had found that more than one million British children under the age of 13 were using TikTok without the consent of their parents. The ICO criticized TikTok for failing to implement adequate controls to identify and remove underage children from its platform. Further, the ICO found that TikTok did not provide users of the platform with sufficient and easily understandable information about the collection, use and disclosure of their data

Interserve Group Limited: Insufficient technical and organisational measures to ensure information security

€5,033,000 fine - Information Commissioner (ICO)

The British DPA has fined the construction group Interserve Group Limited EUR 5,033,000. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. Interserve had suffered a cyber attack in which the attackers sent a phishing mail to the mailbox of Interserve's accounting team. The mail was opened by an employee who also downloaded and opened an attached zip file. This allowed the attackers to install malware and siphon off personal data from 113,000 employees. The siphoned d

Easylife Ltd.: Insufficient legal basis for data processing

€1,547,000 fine - Information Commissioner (ICO)

The UK DPA has imposed a fine of EUR 1,547,000 on Easylife Ltd. Easylife is a retailer that sells household items as well as services and products under its health, motor, supercard and garden clubs. When purchasing certain products, the company made assumptions about the customer's health condition, whereupon the customer was then offered further products for purchase by phone or SMS that were related to their health condition. Of the 122 products in Easylife's Health Club catalog, 80 items wer

Tavistock & Portman NHS Foundation Trust: Insufficient technical and organisational measures to ensure information security

€91,000 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined the Tavistock and Portman NHS Foundation Trust EUR 91,000. The Tavistock and Portman NHS Foundation Trust is a mental health specialist trust located in London. In early September 2019, the trust wanted to run a contest asking patients at the adult gender identity clinic to provide artwork to decorate a renovated clinic building. For this, two emails were inadvertently sent with an open distribution list (one to 912 recipients and the second to 869 recipients). It was

Clearview AI Inc.: Non-compliance with general data processing principles

€9,000,000 fine - Information Commissioner (ICO)

The UK DPA has fined Clearview AI Inc. EUR 9 million. The company holds a database of more than 20 billion facial images (including those of UK residents and nationals) from around the world. The data is collected online from publicly accessible platforms such as social networks. The company offers a search service that allows individuals to be identified based on the biometric data extracted from the images. Individuals' profiles can be enriched with information associated with those images, such

Tuckers Solicitors LLP: Non-compliance with general data processing principles

€115,000 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined law firm Tuckers Solicitors LLP EUR 115,000. Tuckers suffered a ransomware attack on its systems, which resulted in a personal data breach. As part of its investigation, the DPA determined that Tuckers had failed to take appropriate technical and organizational measures to protect personal data. This failure left its systems vulnerable to malicious attacks. The attackers managed to encrypt 972,191 individual files of which 24,712 were related to court proceedings and t

Cabinet Office: Insufficient technical and organisational measures to ensure information security

€585,000 fine - Information Commissioner (ICO)

The UK DPA (ICO) has fined the Cabinet Office EUR 585,000. On December 27, 2019, the Cabinet Office published a file on GOV.UK containing the names and uncensored addresses of more than 1,000 individuals who had received New Year's honors. Individuals from a wide range of professions across the United Kingdom were affected, including individuals with a high public profile. After learning of the data breach, the Cabinet Office removed the web link to the file. However, the file was still in the c

HIV Scotland: Insufficient technical and organisational measures to ensure information security

€11,800 fine - Information Commissioner (ICO)

The British DPA (ICO) has imposed a fine of EUR 11,800 on the non-profit organisation HIV Scotland. The controller had sent an e-mail to 105 people, with the e-mail addresses on the mailing list visible to all recipients. In the case of 65 of the e-mail addresses, persons could be identified by name. It was possible to draw conclusions about the individuals' HIV status or risk based on the personal data provided. The DPA found that the organisation had failed to implement appropriate technical and or

Mermaids: Insufficient technical and organisational measures to ensure information security

€29,000 fine - Information Commissioner (ICO)

The ICO has fined transgender charity Mermaids EUR 29,000 for failing to protect the personal data of its users, in breach of Art. 5 (1) f) UK GDPR and Art. 32 (1), (2) UK GDPR. The ICO conducted an investigation after it received a report of a data breach relating to an internal email group. During the investigation, the ICO found that the group was created with insufficiently secure settings, resulting in approximately 780 pages of confidential emails being viewable online for nearly three yea

Ticketmaster UK Limited: Insufficient technical and organisational measures to ensure information security

€1,405,000 fine - Information Commissioner (ICO)

Ticketmaster UK Limited has been fined GBP 1.25 million (approximately EUR 1.405 million) for failing to protect the personal data of its customers with adequate security measures. Potentially 9.4 million European customers could have been affected by a cyber attack between February 2018 and June 23, 2018 due to the use of an insufficiently secured chat bot hosted by a third party in its online payment site which allowed an attacker to gain access to customers' financial information. According t

Marriott International, Inc: Insufficient technical and organisational measures to ensure information security

€20,450,000 fine - Information Commissioner (ICO)

Original Summary: The ICO issued a notice of its intention to fine Marriott International Inc due to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents. It is believed the vulnerability began when the systems of the

British Airways: Insufficient technical and organisational measures to ensure information security

€22,046,000 fine - Information Commissioner (ICO)

In July 2019, the ICO issued a notice of its intention to fine British Airways £183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers we

Doorstep Dispensaree Ltd. (Pharmacy): Insufficient technical and organisational measures to ensure information security

€320,000 fine - Information Commissioner (ICO)

The company had stored some 500,000 documents containing names, addresses, dates of birth, NHS numbers and medical information and prescriptions in unsealed containers at the back of the building and failed to protect these documents from the elements, resulting in water damage to the documents.