
What Are The Largest Data Breach Settlements In The UK?

A personal data breach is a security incident that affects the confidentiality, integrity or availability of personal data. In this post, we examine some of the largest data breach settlements ever reached in the UK.

We have also covered some high-profile US and global data protection breaches. While not strictly relevant to the UK because of regulatory differences, they show just how high these penalties can go. As you will see, fines and settlements for data protection violations can run into the millions, if not billions, of dollars.

If, while reading this guide, you have any questions about what constitutes a personal data breach or have been affected by such an incident, please get in touch with our team today. You can reach an advisor at any time using the contact information given here:

  • Call us on 020 8050 3051
  • You can also contact us online by completing this form
  • Or, you can open the live chat window on your screen now.


Browse Our Guide

  1. What Are The Largest Data Breach Settlements In The UK?
  2. What Are The Biggest Data Breach Settlements Outside The UK?
  3. Read More About Data Breaches

What Are The Largest Data Breach Settlements In The UK?

The Information Commissioner’s Office (ICO), the UK’s public body for upholding information rights, has powers to investigate, reprimand and fine organisations that fail to comply with data protection legislation: the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Earlier breaches, including several below, were penalised under the Data Protection Act 1998, which capped fines at £500,000. We have provided an overview of some of the largest data breach settlements in the UK here.

British Airways

British Airways was fined £20 million for a data breach that affected over 400,000 customers. This is the largest fine the ICO has handed down to date, although the final sum was much less than the £183 million the ICO had originally intended to issue.

In 2018 attackers gained unauthorised access to BA’s systems and modified them so that customers’ personal and financial details were copied to the attackers as they were entered. The data taken included names and addresses, travel booking information and payment card details. The attackers had access for over two months before the breach was discovered, after which BA notified the ICO.

The ICO found that BA had failed to implement sufficient security measures to prevent an incident of this kind. You can read more about this in the ICO’s 2020-2021 annual report.

Source: https://www.bbc.co.uk/news/technology-54568784

Equifax

The ICO issued a monetary penalty notice fining the consumer credit reporting agency Equifax £500,000, the maximum available under the Data Protection Act 1998, following a data breach in 2017 that affected up to 15 million UK citizens. This was on top of the almost $700 million (£561 million) Equifax agreed to pay US regulators after hackers exposed the data of 147 million people in the same incident.

Equifax had been warned that part of the system behind its consumer credit check service was critically vulnerable to attack because suitable protections had not been applied. The vulnerability had been detected and Equifax’s security team had ordered that the software be patched. However, no follow-up checks were carried out to confirm this had been done, and the software remained unpatched. To make matters worse, much of the personal data was stored unencrypted.

As well as the fines and settlements with UK and US regulators, Equifax was ordered to carry out annual audits and to undergo external security assessments every two years.

Source: https://www.bbc.co.uk/news/technology-49070596

Dixons Carphone

Dixons Carphone (DSG Retail Limited), trading as Carphone Warehouse and Currys PC World, was hit with a £500,000 fine following a cyber attack that affected at least 14 million people. Malicious software had been installed on over 5,000 tills across the country and went undetected for nine months, between July 2017 and April 2018.

The attackers were able to harvest enormous volumes of personal data. Names, contact details, addresses and details of failed credit checks were all exposed. The ICO found that poor security arrangements and inadequate steps to protect customer data were in clear violation of the Data Protection Act 1998.

To find out if you can make a data breach claim for your own circumstances you can call our advisors. You can read about the £500,000 fine issued by the ICO here.

Source: https://news.sky.com/story/dixons-carphone-fined-after-hackers-targeted-14-million-customers-11904695

TalkTalk

The theft of the details of some 157,000 TalkTalk customers in October 2015 resulted in TalkTalk being fined £400,000. The ICO found that TalkTalk had failed to update software inherited through its 2009 takeover of Tiscali and had failed to take remedial action on known vulnerabilities, which led to the 2015 cyber attack.

The vulnerability allowed hackers to bypass access restrictions, and failures within TalkTalk meant the problem went unresolved. The personal data of approximately 157,000 customers was stolen, including financial data such as the bank account details of some 16,000 of those customers.

According to TalkTalk, the attack cost the company £42m and more than 100,000 customers who left in the wake of its failings. You can read here how the ICO investigation into the TalkTalk cyber attack unfolded.

Source: https://www.bbc.co.uk/news/business-37565367

Interserve

Interserve is an outsourcing firm that was designated a “strategic supplier” to the UK government. Its clients included the Ministry of Defence.

113,000 employees had their personal information stolen after Interserve failed to put in place appropriate measures to prevent such attacks. Its security systems failed to block a phishing email carrying malware, which an employee inadvertently downloaded. Various personal information, including highly sensitive special category data about employees’ religious beliefs, ethnic origins and sexual orientation, was compromised.

An antivirus alert was raised but not investigated, and the attackers went on to compromise multiple company accounts and systems. They also uninstalled the antivirus software and encrypted the records of all current and former employees. The ICO found that outdated software and protocols, combined with inadequate staff training, contributed to the incident.

Interserve Group Limited was fined a total of £4.4 million for these failings; its application for a reduction was refused after the mitigating arguments it presented were not deemed sufficient. A breach of this kind could give rise to a claim for a data breach at work.

These five incidents are among the biggest data breaches in UK history. They show how, when large organisations fail to implement sufficient security measures, unauthorised persons can gain access to huge amounts of personal data.


What Are The Biggest Data Breach Settlements Outside The UK?

The biggest data breach penalties issued in the US and around the world at first glance dwarf those issued in the UK. One reason is that the headline figures are often overall settlement totals: they combine regulatory fines issued by the US Federal Trade Commission (FTC) or other agencies with the sums paid out in compensation to affected individuals.

A US national or global operator will also have considerably more customers than a firm operating only in the UK, so significantly more people can be affected by a single breach. We have provided this brief list of some of the largest data breach fines and settlements from outside the UK over the last decade.

Highest Data Breach Settlements Outside The UK

Facebook

Facebook agreed in 2019 to pay a $5 billion penalty to settle FTC charges over its handling of user data, the largest penalty the FTC has ever imposed. The charges followed the Cambridge Analytica scandal, in which the personal data of millions of users was harvested through a third-party app without their consent, prompting global outcry and intense public scrutiny. Separately, a US class action brought by users over the same events was settled in December 2022 for $725 million.

Source: https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election

Source: https://www.bbc.co.uk/news/technology-64075067

Didi Global

China’s cyberspace regulator fined the vehicle hire and taxi platform Didi Global 8 billion yuan ($1.2 billion) in 2022 after finding it had committed repeated violations of the country’s data security and personal information protection laws.

Source: https://www.bbc.co.uk/news/business-62248513

Amazon

The Luxembourg National Commission for Data Protection (CNPD) fined Amazon €746 million ($886 million) in 2021 for violations of the EU’s GDPR, at the time the largest fine issued under that regulation.

Source: https://www.bbc.co.uk/news/business-58024116

Equifax

We discussed this in the section above, but it earns a place in the global top five too. The settlement of up to $700 million that Equifax reached with the FTC, the Consumer Financial Protection Bureau and US states for failing to protect the personal data of 147 million people remains one of the largest data breach settlements ever agreed in the USA.

Epic Games

The Fortnite developer agreed to pay a total of $520 million to the FTC: a $275 million penalty for violations of the Children’s Online Privacy Protection Act (COPPA) and $245 million in refunds to customers who had been led into unintended purchases.

Source: https://www.bbc.co.uk/news/business-64030272

These are extreme examples of data protection breaches and of the penalties that can be imposed on organisations. They represent some of the largest data breaches in history, each affecting millions of individuals. For more data breach examples, please see the resources below.

Contact Us

You can read our guide to the data breach claims process for more information or contact us. Our advisors are available to answer your questions at any time. They can potentially connect you to a No Win No Fee solicitor from our panel to help you with a claim. You can use the following details:

  • Call us on 020 8050 3051
  • You can also contact us online by completing this form
  • Or, you can open the live chat window on your screen now.

Read More About Data Breaches

You can learn more about data breaches by browsing our website:

We have also provided these external resources for additional information:

We’d like to thank you for reading this guide to the largest data breach settlements around the world.