In April 2014, social work case files were discovered in a cabinet purchased by a member of the public from a second-hand shop. The cabinet had been used by the children’s social work team at Norfolk County Council and the case files included information relating to seven children.
The Information Commissioner’s Office found that the Council did not have in place appropriate organisational measures for ensuring that such an incident would not occur and in particular did not have an adequate written procedure governing how office furniture disposal should be managed.
The Council was issued with a monetary penalty under the Data Protection Act for a serious contravention of the seventh data protection principle, and was fined £60,000.
The Information Commissioner’s Office (ICO) has fined Help Direct UK Ltd £200,000 for sending thousands of unsolicited marketing texts. This is the first monetary penalty issued under the ICO’s amended enforcement powers: since April 2015 it no longer has to show that a breach of the Privacy and Electronic Communications Regulations caused substantial damage or distress before imposing a penalty under section 55A of the Data Protection Act 1998.
The lead generation company ran a marketing campaign in April 2015 which prompted 6,758 complaints in one month alone. People complained about a variety of messages offering services including the reclaim of PPI payments, bank refunds and loans.
As the ICO treats unsolicited text marketing as “a matter of significant public concern”, and as it is now easier for it to issue fines for breaches of regulations 19 to 24 (covering automated calls, fax marketing, unsolicited live calls, unsolicited emails and texts, concealment of the sender’s identity in email, and the information that must be provided to recipients), companies should ensure that their direct marketing activities comply fully with the Privacy and Electronic Communications (EC Directive) Regulations 2003.
The Information Commissioner’s Office (ICO) has fined a specialist online travel insurer £175,000 for failing to keep customers’ personal information secure.
The ICO found that, in October 2013, the firm’s website was subject to an attack by someone exploiting a vulnerability in the firm’s IT security. The IT failings let hackers access a database containing approximately 3 million customer records. Attackers potentially had access to over 110,000 live credit card details relating to over 90,000 customers, as well as customers’ medical details.
Card security codes (the three-digit number printed on the signature strip on the back of the card) were also stored and accessible, despite payment-industry rules (PCI DSS) that prohibit retaining them once a transaction has been authorised.
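The check a practitioner would want here is a scan of stored card data for the two things the rules forbid at rest: the security code in any form, and the full account number unmasked. The following is an added example, not code from the original page or from the insurer concerned; the rows, field names and `CVV_FIELDS` list are constructed assumptions standing in for a customer database dump, and the redaction shows the shape of a compliant record (truncated number, no security code).

```python
import re

# Constructed sample rows standing in for a customer database dump.
# Values are made up (standard payment test numbers); none come from the incident above.
SAMPLE_ROWS = [
    {"customer_id": 1, "card_number": "4111111111111111", "cvv": "123", "expiry": "12/26"},
    {"customer_id": 2, "card_number": "5500 0000 0000 0004", "cvv": "", "expiry": "01/27"},
    {"customer_id": 3, "card_number": "************1111", "cvv": "", "expiry": "12/26"},
    {"customer_id": 4, "card_number": "1234567812345678", "cvv": "999", "expiry": "03/25"},
]

# Assumed column names under which a security code might have been persisted.
CVV_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "csc", "security_code"}


def luhn_ok(digits: str) -> bool:
    """True if the string is 13-19 digits and passes the Luhn check used for card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise_pan(value) -> str:
    """Strip spaces and dashes so a formatted number is checked as one digit string."""
    return re.sub(r"[\s-]", "", str(value or ""))


def find_sensitive_auth_data(rows):
    """Return (customer_id, issue) pairs for every row holding data that must not be stored."""
    findings = []
    for row in rows:
        cid = row.get("customer_id")
        # A security code is forbidden at rest regardless of whether the card number is valid.
        for field, value in row.items():
            if field.lower() in CVV_FIELDS and str(value).strip():
                findings.append((cid, f"card security code stored in field '{field}'"))
        # A Luhn-valid digit string in the card field means the full number is unmasked.
        if luhn_ok(_normalise_pan(row.get("card_number"))):
            findings.append((cid, "full primary account number stored unmasked"))
    return findings


def redact_row(row):
    """Copy of the row keeping only what may be stored: truncated number, no security code."""
    clean = dict(row)
    pan = _normalise_pan(clean.get("card_number"))
    if luhn_ok(pan):
        clean["card_number"] = "*" * (len(pan) - 4) + pan[-4:]
    for field in list(clean):
        if field.lower() in CVV_FIELDS:
            del clean[field]    # never retain the security code after authorisation
    return clean


if __name__ == "__main__":
    for cid, issue in find_sensitive_auth_data(SAMPLE_ROWS):
        print(f"customer {cid}: {issue}")
    print("after redaction:", find_sensitive_auth_data([redact_row(r) for r in SAMPLE_ROWS]))
```

Run against the constructed rows, the scan flags rows 1, 2 and 4 (row 3 is already truncated, and row 4 fails the Luhn check but still holds a security code, which is a finding on its own); after `redact_row` the same scan returns nothing. The Luhn check keeps false positives down on numeric columns such as customer or order identifiers, but a real sweep should run over every table and backup, not only the one named "customers".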
The attack was discovered after the firm was notified by its card acquirer of suspicious activity on customer accounts. Over 5,000 customers had their credit cards used by fraudsters after the attack. Fortunately for the customers, those losses were reimbursed by the relevant banks.
The firm had no policy or procedures in place to review and update IT security systems, and had twice failed to update database software that could have prevented this incident. This left security flaws in the firm’s system, some for as long as five years, which hackers ultimately exploited to gain access to customer information.
The ICO commented that this fine should send a clear message to other companies of the importance of proper IT security.