The biggest data loss fines in UK history

Even before GDPR, failing to secure user data could cost your business dearly

Nowadays the maximum fine for an unreported data loss is a stomach-turning £17.5m or 4% of your company turnover, whichever is more. However in the days before GDPR (remember that?) the rules on data protection were enforced by the Information Commissioner’s Office, a public body reporting to parliament, via the data protection act. Even when the act was introduced in 1998, data loss was serious business, and the ICO handed some very tough penalties for failing to safeguard customer information. Today, a serious breach can impact millions of people, with dire consequences. Even before the advent of GDPR, the UK was one of the most heavily-fined countries in the EU for data breach culpability. There are plenty of reasons to take steps to secure your company’s data- including when disposing of old hardware, including the fines that can be handed down, now not just by the ICO (and their updated Data Protection Act 2018) but also from the EU via GDPR. Here are some of the heaviest fines ever issued- make sure you learn from others’ mistakes!

  1. Equifax, September 2018 – £500,000.

This was actually over a data breach in the US, and although the fine was issued after the GDPR implementation date, it came about regarding a 2017 data loss- thus was handled by the ICO. Up to 15 million UK users’ data were poorly safeguarded on American systems, thereby allowing hackers to steal vast quantities of private information from customers. It may be scant consolation to Equifax, but if the data breach had come one year later, after GDPR, their hefty fine (the largest the ICO could issue under the DPA 1998) could have been significantly larger.


  1. Brighton and Sussex University Hospitals NHS Trust, June 2012 – £260,000

A case study in the fate we help our customers avoid. The NHS Trust failed to safely destroy at least 252 hard drives containing patient data, which an employee sold online. Initially facing a fine of £325,000, the trust appealed, yet was still landed with a bill for over a quarter of a million pounds.


  1. TalkTalk, October 2016 and August 2017 – £400,000 and £100,000

Multiple data security failures hit the telecoms giant, with giant fines issues by the ICO. The first came following the acquisition of Italian telecoms firm Tiscali, one of whose databases was hacked via unsecure webpages. The personal data of 157,000 customers was stolen by hackers in that breach. A second fine was issued the following year after 21,000 customers’ data was found to be poorly safeguarded. When customers began receiving unwanted nuisance calls quoting TalkTalk account numbers and other private details, the ICO began investigating. In their ruling, the government body was scathing:


“TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.”


“TalkTalk should have known better and they should have put their customers first.” –ICO


  1. Sony, January 2013 – £250,000

One of the biggest data breaches in history, in 2011 hackers stole personal data of over £77 million customers. In a move that no doubt went on to form the basis for certain key parts of GDPR, the company initially tried to hide the massive data loss, eventually caving in and being forced to turn off the entire network for 23 days. The incident led to official enquiries by the US Senate and UK government, and resulted in a fine of £250,000, as well as a worldwide discussion on the nature of online data security. In its statement, the ICO was unequivocal about Sony’s failings:

 “There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.” –ICO


  1. Carphone Warehouse, January 2018 – £400,000

A 2015 cyber-attack put the personal data of over three million customers and staff at Carphone Warehouse at risk, the ICO found earlier this year. These included contact details, personal details and almost 20,000 customers’ credit card details. The ICO concluded that out of date wordpress software was used by hackers to access the information. In some cases, the security had not been updated for six years.


  1. Facebook, July 2018 – £500,000

Failing the meet the standards for either security or transparency landed the social media giant with the largest fine the ICO can issue, following the Cambridge Analytica scandal. Following a 16 month probe the body concluded that Facebook had fallen well short of the expected standards in allowed external bodies to harvest user data and use it to target marketing and political campaigns.


Your data security policy should be in place for the entire life of your devices, from their first day to the day you dispose of them. However, how you dispose of them could have serious data protection implications. AssetCare provides a single, secure, self-contained service encompassing a state of the art hard drive wipe, secure physical destruction of your hard drives and the remarketing or recycling of your remaining, cleaned hardware. Contact our team for more information on our services and how we could help you navigate GDPR.