
Data Protection News

Information Security and Data Protection news, hot off the press.

Catch up on the latest industry news with DataGRC.

Want to know about other news stories, fines, breaches?

Want to know more about these stories?

Want to receive regular updates about industry shenanigans?

Contact us today!


4/3/20 Cathay Pacific Airways fined £0.5m (pre-GDPR maximum) after a server connected to the internet was hacked and malware installed in early 2018.
9.4m customers' details were accessed, including over 100k UK customers. Data included names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information. The ICO highlighted several basic information security control failures, including back-up files that were not password protected; unpatched internet-facing servers; use of operating systems that were no longer supported by the developer; and inadequate anti-virus protection.


2/3/20 CRDNN Limited fined £0.5m for making 193 million automated nuisance calls from June 2018 to September 2018. The automated (computerised) calls were made without consent, from "spoofed" numbers that didn't identify who the caller was. The ICO received more than 3,000 complaints.


20/1/20 Regus accused of exposing performance data of 900 sales employees, after a page on the Trello task-management website was set to public.


20/1/20 Unnamed betting companies accused of using the Skills Funding Agency's Learning Records Service for targeting children as young as 14 in marketing campaigns. The database contains around 28m records.


17/1/20 EUR 11.5m fine for EGL in Italy, for conducting marketing activities with inadequate data protection controls (EUR 8.5m) and for creating unsolicited contracts and fraudulently cancelling contracts with other electricity and gas suppliers (EUR 3m).


17/1/20 Threatened ICO fines for BA (GBP 183m) and Marriott (GBP 99m) are still being pondered, with a 31/3/20 extension agreed between the parties. The ICO had an annual GBP 2m budget for legal aid, which may prove to be a little light...


09/01/20 GBP 500k ICO fine (the maximum pre-GDPR) for DSG Retail (Currys; PC World; Dixons), after crooks installed malware on more than 5k POS devices, between July 2017 and April 2018, providing crooks with access to 5.6m payment card details and personal data of 14m people (name, postcode, email, failed credit checks). The ICO was first notified on 8/6/18. Potentially "massive" GDPR fines were not applied in this case because the contravention happened just before "GDPR Day" (25th May 2018).


30/12/19 Travelex hit by cyber attack. Current gossip (17/1/19) includes ransomware encrypting a wide range of key systems and "a ransomware gang called Sodinokibi" asking for GBP 4.6m ransom. Criminal groups suggest they have 5GB of personal data, while other suggestions are that the case hasn't been reported as a breach of data confidentiality. In addition to the company's systems being fully online for more than a couple of weeks, banks who are supplied by Travelex are also having forex currency issues. The CEO went public on 17/1/19 stating systems used in-store were operational again, which suggests other parts of their wide network are still down.


20/12/19 GBP 275k ICO fine issued to Doorstep Dispensaree Ltd for failing to ensure the security of special category data. c500,000 documents were left in unlocked containers at the back of its premises. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.


17/12/19 EUR 15k fine issued by Belgian SA for website (c35k visitors a month) with unlawful cookie management (lacking transparency and consent). The SA appears to have taken the action without receiving a complaint.


11/12/19 EUR 9.6m fine issued by German Belgian SA for 1and1 web hosting company (1&1 Telecom) for allowing people access to extensive personal information just by providing a name and date of birth. The company has said that it intends to take legal action against the regulator.


17/09/19 GBP 15k ICO fine to Superior Style Home Improvements Ltd, for calling prospects over an 11-month period whose numbers were registered on the Telephone Preference Service (TPS) and where consent had not been provided.


25/05/19 45m suggested cost to Norsk Hydro's business after a ransomware attack disabled 22k computers across 170 sites in 40 different countries.


Want to know more? Send us a message

+44 (0) 208 133 0242