Last week was a very busy week for the ICO – and nothing to do with GDPR…
First came the announcement on 12th June that Yahoo! UK Services Ltd was being fined £250 000 for the massive data breach in 2014 (disclosed in 2016) affecting 500 million users globally. Specifically, the ICO’s investigation focused on the 500 000 accounts for which Yahoo! UK Services Ltd was the data controller. The investigation found that Yahoo! UK Services Ltd had failed to take appropriate technical and organisational measures to protect the data; and that it failed to ensure that its data processor, Yahoo! Inc, complied with the appropriate data protection standards.
Then, the very next day, the ICO was asked to comment on the massive Dixons Carphone data breach, announced that day. Obviously they could say very little at this stage but did point out that “…when the incident happened and when it was discovered…will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.” With the recent huge increase in the level of fines that can be imposed, following the implementation of GDPR, this is a chilling message for the company.
Finally, also on the 13th, the ICO announced a fine of £80 000 for Gloucestershire Police for revealing the identities of child-abuse victims in December 2016. In an all-too-common mistake, an officer sent an email to 56 victims, witnesses and lawyers with everybody’s name visible in the “To” field, so every recipient could see all the other recipients. This is yet another reminder that information security management is primarily about managing people, not technology.
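The Gloucestershire Police incident is a failure mode that can be caught before a message leaves the organisation. The following is an added illustration, not code from the ICO or any of the organisations named above: it parses a message's headers, counts the recipients visible in “To” and “Cc”, flags bulk disclosure across several domains, and shows the safe alternative of building the message with recipients in “Bcc”. The sample messages, addresses, threshold and function names are all constructed for this example.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample (placeholder addresses): the shape of the mis-sent message,
# with every recipient exposed in the "To" field.
SAMPLE_MISSENT = """From: officer@example.police.uk
To: victim1@example.org, witness2@example.org, lawyer3@example.net
Subject: Case update

Body text.
"""

# Constructed sample: the same message with recipients hidden in "Bcc".
SAMPLE_OK = """From: officer@example.police.uk
To: undisclosed-recipients:;
Bcc: victim1@example.org, witness2@example.org, lawyer3@example.net
Subject: Case update

Body text.
"""


def visible_recipients(raw):
    """Return the addresses every recipient would be able to see (To + Cc)."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    # Group syntax such as "undisclosed-recipients:;" yields no real address.
    return [addr for _, addr in pairs if "@" in addr]


def flag_bulk_disclosure(raw, threshold=10):
    """Flag a message whose visible recipient list discloses many parties.

    threshold is an assumed policy value: more than this many visible
    recipients, spread over more than one domain, is treated as a likely
    mis-send of a bulk message that should have used Bcc.
    """
    visible = visible_recipients(raw)
    domains = {addr.rsplit("@", 1)[1].lower() for addr in visible}
    flagged = len(visible) > threshold and len(domains) > 1
    return {"visible": len(visible), "domains": sorted(domains), "flagged": flagged}


def build_bcc_message(sender, recipients, subject, body):
    """Construct the message the officer should have sent: recipients in Bcc only."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "undisclosed-recipients:;"
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    print(flag_bulk_disclosure(SAMPLE_MISSENT, threshold=2))
    print(flag_bulk_disclosure(SAMPLE_OK, threshold=2))
    safe = build_bcc_message("officer@example.police.uk",
                             ["victim1@example.org", "witness2@example.org"],
                             "Case update", "Body text.")
    print("visible in safe message:", visible_recipients(safe.as_string()))
```

A check like `flag_bulk_disclosure` belongs on the outbound mail path (a gateway rule or an add-in that prompts the sender), where it can hold a message for confirmation before it is sent; once the message has left, as in the Gloucestershire case, no technical control can recall what the recipients have already seen.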