Jurisdictional Intelligence · GB
United Kingdom
Post-Brexit, the UK enforces UK GDPR and DPA 2018 independently via the ICO. The Online Safety Act 2023 adds major new duties for platforms; the DMCC Act gives the CMA gatekeeper powers over big tech.
Where regulatory precedent shapes global financial standards
Total Fines Tracked: €80.5M (EUR equivalent)
Average Fine: €7.3M per enforcement action
Top Sector: Technology (most-fined industry)
Enforcement
Landmark Cases
Advanced Computer Software Group Limited
Sector: Cybersecurity
Advanced Computer Software Group, supplier of NHS 111 and other critical healthcare IT services, was fined for an August 2022 ransomware attack that disrupted NHS services and compromised the personal data of 82,946 patients. The ICO found Advanced had failed to implement multi-factor authentication across its systems, had inadequate vulnerability scanning, and had not conducted a DPIA for the health systems it managed. The attack forced NHS 111 to revert to paper records and disrupted ambulance dispatch across England. The fine was reduced from an initial notice of £6.09 million following representations.
Fine: €3.6M
London Borough of Hackney
Sector: Cybersecurity
The London Borough of Hackney was fined for an October 2020 ransomware attack that compromised the personal data of a large number of council residents and staff, including housing benefit records, social care information, and sensitive data such as racial and ethnic origin. The ICO found Hackney had failed to patch known software vulnerabilities, had inadequate security monitoring, and had insufficient network segmentation, all of which contributed to the successful attack. The council took over two years to fully restore its systems, significantly disrupting public services.
Fine: €114,660
TikTok Information Technologies UK Limited
Sector: Technology
TikTok was fined for processing the personal data of an estimated 1.4 million children under 13 in the UK without appropriate parental consent between May 2018 and July 2020, and for allowing under-13s to create accounts on the platform despite claiming to prevent this. The ICO found TikTok also failed to use children's data in accordance with its own privacy policy and failed to ensure data accuracy. The investigation drew on the ICO's Age Appropriate Design Code (Children's Code), which came into force in September 2021 and sets out standards platforms must meet when processing children's data.
Fine: €14.9M
Interserve Group Limited
Sector: Cybersecurity
Interserve Group, a major UK government contractor, was fined for a 2020 phishing attack that compromised personal and special category data of up to 113,000 current and former employees, including health, financial, and immigration status information. The ICO found Interserve had failed to implement adequate anti-phishing controls, failed to follow its own security processes for flagging suspicious emails, had outdated and unpatched software across its systems, and provided insufficient staff security training. The company was also required to implement a formal remediation programme.
Fine: €5.1M
Easylife Group Limited
Sector: Technology
Easylife Group unlawfully profiled over 145,000 customers using purchase history to infer health conditions and then sold them related health products without their knowledge or consent; for example, it inferred diabetes from purchases of compression socks and targeted those customers with diabetes medication products. The ICO found this constituted processing of inferred special category health data without the explicit consent required by UK GDPR Art. 9. Easylife was simultaneously fined £130,000 by the ICO under PECR for related unlawful direct marketing calls.
Fine: €1.6M
Clearview AI Inc.
Sector: Technology
The ICO fined Clearview AI for unlawfully scraping and processing facial images of UK residents to build a database of over 20 billion images, used to offer facial recognition services to law enforcement and commercial clients, without lawful basis, transparency, or any mechanism for UK residents to exercise data subject rights. The ICO coordinated its investigation with Australian and other privacy regulators as part of a joint international enforcement effort. The fine was reduced from an initial enforcement notice of £17.1 million following representations.
Fine: €8.8M
Marriott International Inc.
Sector: Cybersecurity
Marriott International was fined for a data breach originating from a compromise of the Starwood Hotels reservation system that dated to 2014, remained undetected until 2018, and ultimately exposed approximately 339 million guest records worldwide, including around 7 million UK residents. The ICO found Marriott failed to conduct adequate due diligence when it acquired Starwood in 2016 and failed to implement adequate security measures on the inherited systems post-acquisition. The fine was reduced from an initial notice of £99.2 million following co-operation with the investigation.
Fine: €21.5M
British Airways plc
Sector: Cybersecurity
British Airways suffered a 2018 cyberattack in which attackers injected malicious JavaScript into the BA website that harvested the personal and payment card data of approximately 429,612 customers by redirecting users to a fraudulent site during the booking process. The ICO found BA's security measures were inadequate and that the attack could have been prevented with more robust controls, including script integrity monitoring and multi-factor authentication. The fine was reduced from an initial notice of £183.39 million, due in part to the economic impact of COVID-19 on the aviation sector.
Fine: €23.4M
Doorstep Dispensaree Ltd
Sector: Technology
Doorstep Dispensaree, a pharmacy delivering medication to care homes, was fined after ICO inspectors discovered approximately 500,000 documents, including patient names, addresses, dates of birth, NHS numbers, medical conditions, and prescription details, stored in unlocked caged trolleys in an external car park, exposed to the elements and accessible to anyone. The documents, some dating to 2016, were covered by no document retention schedule or secure destruction procedures. The ICO found the pharmacy had failed to implement any of the basic physical security measures required for health records.
Fine: €321,750
Virgin Media Limited
Sector: Cybersecurity
Virgin Media Limited left a marketing database containing the personal data of approximately 900,000 customers incorrectly configured and publicly accessible online for approximately ten months, between April 2019 and February 2020. The ICO found Virgin Media failed to conduct a Data Protection Impact Assessment for the database, failed to apply basic access controls, and failed to maintain procedures for regular security testing; the misconfiguration was discovered not by Virgin Media's own monitoring but by a security researcher. The exposed data included names, home addresses, email addresses, and phone numbers.
Fine: €585,000
DSG Retail Limited (Currys PC World)
Sector: Cybersecurity
DSG Retail Limited (Currys PC World) was fined the maximum penalty under the Data Protection Act 1998 following a cyberattack between July 2017 and April 2018 in which attackers installed malware on point-of-sale terminals across hundreds of UK stores, compromising the payment card data of an estimated 14 million customers. The ICO found DSG had inadequate patch management and no vulnerability scanning programme, and that the absence of basic security monitoring allowed the nine-month compromise to go undetected. Because the violations predated GDPR, the fine was capped at the maximum available under the applicable DPA 1998 regime.
Fine: €585,000
Legal Framework
Regulations by Domain
Technology
Online Safety Act 2023
Digital Markets, Competition and Consumers Act 2024
UK General Data Protection Regulation + Data Protection Act 2018
Privacy and Electronic Communications Regulations 2003
Finance
Money Laundering Regulations 2017
FCA Regulatory Framework (FSMA 2000 + FCA Handbook)
Cybersecurity
NIS Regulations 2018 (Network and Information Systems)
Marketplace