A summary of the recent fines issued by the ICO

By Myles Dacres

The ICO has been cracking down over the last few weeks and some quite substantial fines have been issued. With news like this its clear that now is a good time to look at your own compliance and make sure your business is secure and protected. Recent fines from the ICO include:

Ticket master

  • Imposed £1.25 million fine.
  • Data breach affecting 9.4 million EU data subjects
  • 66 thousands bank accounts were compromised (60,000 belonging to Barclays and 6,000 belonging to Monzo)
  • Between April and June 2018 Monzo bank, Commonwealth Bank of Australia and Barclays reported that there were fraudulent transactions of which used Ticket master.
  • They were notified by a Twitter user (May 2018) that their chat bot (online chat service) contained a malicious code within the chat bot. Ticket master kept ignoring the Twitter user even after they tried numerous times to alert Ticket master to the security flaw. The malicious code was sending data to the UAE.
  • Ticket master’s Information Security team were aware of the malicious code as it was picked up by the anti-virus products.
  • ICO found that Ticket master failed to protect data against unauthorised or unlawful processing of personal data.

British Airways

  • Imposed fine of £20 million.
  • Failed to protect personal and financial details of more than 400,000 customers.
  • Attacker gained access to an internal BA system through the use of compromised credentials for a Citrix remote access gateway. The attacker managed to edit a section of the BA website (too techy for me to understand how and explain here) and direct people to a third party site where it would collect card payment data.
  • ICO found that BA failed to ensure appropriate security of the data.

Marriott International  

  • Imposed fine of £18.4 million
  • 339 million guest’s records worldwide were affected by cyber-attack
  • An attacker installed a bad code into the system meaning they could access and control the system remotely as a privileged user. The attacker managed to gain access to cardholder data environment within the Starwood network (Marriott acquired Starwood). The attacker went unnoticed for years.
  • ICO found that Marriott failed to ensure appropriate security of the data.

The majority of these issues could have been highlighted with with the proper care and due diligence. We are able to examine your business and find any potential weakness in your Data Processes. Get in touch with a member of our team today.

[email protected]
+44 845 519 8705

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link https://ico.org.uk/make-a-complaint/nuisance-calls-and-messages/spam-texts-and-nuisance-calls/.  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here https://www.tpsonline.org.uk/register.

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here https://ico.org.uk/action-weve-taken/enforcement/.

    Data Protection People Limited – March 2021