£42m in Data Breach Fines Issued to Businesses in 2020
The Information Commissioner’s Office (ICO) hit UK businesses with £42m in data breach fines last year.
Fines were given out as a result of breaches of the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA).
The largest fine was handed to British Airways with just over half of the £42.41m total being paid by the airline, following a 2018 cyber attack which saw over half a million of its customers’ details stolen by cyber criminals.
While the £20m BA fine was reduced from an initial fine of £183m due to the impact of the COVID-19 pandemic, an investigation found that the DPA had been breached. The ICO said that BA was processing “a significant amount of personal data without adequate security measures in place”, which led to the large fine.
Millions of pounds’ worth of fines were also issued to Marriott International Inc (£18.4m) and Ticketmaster LTD (£1.25m), but the rest of the 14 fines were handed out to smaller businesses. The industries hit the most were the marketing sector and the transport and leisure sector.
Data security must be a priority
The news highlights the need for businesses to improve their data management policies and secure the data they hold correctly. With the COVID-19 pandemic, many companies might have prioritised other areas of their business, forgetting about improvements to their cyber security measures.
Unfortunately, the result for some has been fines of thousands, on top of the problems caused by the pandemic. Neuways advises implementing a multi-layered Business Continuity & Disaster Recovery plan to ensure that data protection and GDPR guidelines are adhered to.
Microsoft 365 security isn’t enough
While many Microsoft 365 users might assume that their Microsoft apps ensure their data is protected and backed up safely, that’s not always the case. In fact, Microsoft themselves suggest businesses should consider using a dedicated backup specialist to ensure their data is fully protected and retrievable. If not, businesses run the risk of losing their data due to a devastating cyber attack.
To make matters worse, the ICO handed out three court orders for winding-up petitions last year, which shows the impact these types of fines can have on businesses who haven’t got their Business Continuity & Disaster Recovery plan in place.