That’s how much companies in the UK have been fined over the past 12 months for data breaches and contraventions of data protection law.
Sounds like a lot – or maybe it doesn’t, given how frequently data breaches are in the news. There’s a reason for that. Of the £21.5m, 76% is one fine. Not from the ICO, from the FCA. To Tesco, yesterday, for having poor cyber-security that resulted in a breach. You might remember that I pointed out how much the FCA can fine people it regulates, and that it’s interested in cyber-security as an issue.
The remaining £5m is made up of 34 different fines from the ICO. All of which were levied on offences committed back when the maximum fine the ICO could set was £500,000. It’s only ever used the maximum once. Yes, Equifax (see above). But there are lots of cases pending from after GDPR. Including BA. Possible maximum fine? £920m. Now who’s the big dog, eh, FCA?
Here’s the full list, for those who care. You can look up the details of each case on the ICO’s website (apart from Tesco, which is on the FCA’s site).
| Who | When | Why | How much | From |
| --- | --- | --- | --- | --- |
| Tesco | 01/10/2018 | Cyber-breach | £16,400,000 | FCA |
| Bupa | 28/09/2018 | Employee breach | £175,000 | ICO |
| Oaklands Assist | 01/10/2018 | PECR | £150,000 | ICO |
| Equifax | 20/09/2018 | Cyber-breach | £500,000 | ICO |
| Lifecycle Marketing | 05/09/2018 | Data misuse | £140,000 | ICO |
| AMS Marketing | 01/08/2018 | PECR | £100,000 | ICO |
| IICSA | 18/07/2018 | Negligent breach | £200,000 | ICO |
| Our Vault | 28/06/2018 | PECR | £70,000 | ICO |
| BT | 20/06/2018 | PECR | £77,000 | ICO |
| Gloucestershire Police | 11/06/2018 | Negligent breach | £80,000 | ICO |
| Bible Society | 07/06/2018 | Cyber-breach | £100,000 | ICO |
| Bayswater Medical Centre | 23/05/2018 | Negligent breach | £35,000 | ICO |
| University of Greenwich | 21/05/2018 | Cyber-breach | £120,000 | ICO |
| Yahoo! | 21/05/2018 | Cyber-breach | £250,000 | ICO |
| CPS | 16/05/2018 | Negligent breach | £325,000 | ICO |
| Costelloe & Kelly | 01/05/2018 | PECR | £19,000 | ICO |
| IAG Nationwide | 01/05/2018 | PECR | £100,000 | ICO |
| Approved Green Energy Solutions | 18/04/2018 | PECR | £150,000 | ICO |
| The Energy Saving Centre | 18/04/2018 | PECR | £250,000 | ICO |
| RBKC | 16/04/2018 | Data misuse | £120,000 | ICO |
| Royal Mail | 06/04/2018 | PECR | £12,000 | ICO |
| Humberside Police | 05/04/2018 | Negligent breach | £130,000 | ICO |
| Holmes Financial Solutions | 31/01/2018 | PECR | £300,000 | ICO |
| SSE | 18/01/2018 | Negligent breach | £1,000 | ICO |
| Miss-sold Products UK | 17/01/2018 | PECR | £350,000 | ICO |
| Goody Market UK | 11/01/2018 | PECR | £40,000 | ICO |
| Barrington Claims | 11/01/2018 | PECR | £250,000 | ICO |
| TFLI | 11/01/2018 | PECR | £80,000 | ICO |
| Newday | 11/01/2018 | PECR | £230,000 | ICO |
| Carphone Warehouse | 10/01/2018 | Cyber-breach | £400,000 | ICO |
| Hamilton Digital Solutions | 24/11/2017 | PECR | £45,000 | ICO |
| Verso Group (UK) | 01/11/2017 | Transparency | £80,000 | ICO |
| The Lead Experts | 13/10/2017 | PECR | £70,000 | ICO |
| Vanquis Bank | 09/10/2017 | PECR | £75,000 | ICO |
| Xerpla | 09/10/2017 | PECR | £50,000 | ICO |
PS – of course the FCA hasn’t ruled on Equifax yet. Let’s see if they put their marker down first…