A summary of the recent fines issued by the ICO

The ICO has been cracking down over the last few weeks and some quite substantial fines have been issued.

With news like this its clear that now is a good time to look at your own compliance and make sure your business is secure and protected. Recent fines from the ICO include:

Ticket master

– Imposed £1.25 million fine.
– Data breach affecting 9.4 million EU data subjects
– 66 thousands bank accounts were compromised (60,000 belonging to Barclays and 6,000 belonging to Monzo)
– Between April and June 2018 Monzo bank, Commonwealth Bank of Australia and Barclays reported that there were fraudulent transactions of which used Ticket master.
– They were notified by a Twitter user (May 2018) that their chat bot (online chat service) contained a malicious code within the chat bot. Ticket master kept ignoring the Twitter user even after they tried numerous times to alert Ticket master to the – security flaw. The malicious code was sending data to the UAE.
– Ticket master’s Information Security team were aware of the malicious code as it was picked up by the anti-virus products.
– ICO found that Ticket master failed to protect data against unauthorised or unlawful processing of personal data.

British Airways

– Imposed fine of £20 million.
– Failed to protect personal and financial details of more than 400,000 customers.
– Attacker gained access to an internal BA system through the use of compromised credentials for a Citrix remote access gateway. The attacker managed to edit a section of the BA website (too techy for me to understand how and explain here) and direct people to a third party site where it would collect card payment data.
– ICO found that BA failed to ensure appropriate security of the data.

Marriott International

– Imposed fine of £18.4 million
– 339 million guest’s records worldwide were affected by cyber-attack
– An attacker installed a bad code into the system meaning they could access and control the system remotely as a privileged user. The attacker managed to gain access to cardholder data environment within the Starwood network (Marriott acquired Starwood). The attacker went unnoticed for years.
– ICO found that Marriott failed to ensure appropriate security of the data.
– The majority of these issues could have been highlighted with with the proper care and due diligence. We are able to examine your business and find any potential weakness in your Data Processes. Get in touch with a member of our team today.

[email protected]
+44 845 519 8705