Larger fines to come from the ICO

The recent BA and Marriott proposed ICO fines weighing in at just shy of £300m. What other organisations are currently sweating over being tapped on the shoulder by the ICO?

Since June 2018, we have had a few notable data breaches worldwide. Each may have EU residents in their number and have the potential to eclipse these two fines.

The GDPR applies to the personal data of EU residents, so even if the breach was in another part of the world, if EU resident personal data is in the breach, then fines could be levied.

As an example, the recent First American Financial Corp breach (May 2019) which exposed personal details in 885 million real estate transaction related records, would have EU residents included in their numbers. There must be some EU residents who have bought property in the US, that would have seen their details exposed in this data breach.

So what is in the pipeline we already know about that could generate bigger fines than we have already seen?

Cathay Pacific Airways

The Cathay Pacific Airways breach (Oct 2018) was significantly larger than the BA breach (9.4m vs 0.5m). We can assume that there are a reasonable number of Europeans in this dataset. Given Cathay Pacific’s revenues are 4 times larger than IAGs, this gives scope for a fine that would be in excess of the BA fine at $220m.


Two large data breaches in the last year have graced Facebooks door. In Oct 2018, 29m were exposed by Facebook. Then in May 2019, 49m exposed by Instagram (via Chtrbox). Facebook may need to get a season ticket with the ICO. Sir Nick Clegg is going to be very busy indeed. At least Sir Nick has had loads of relevant experience of saying sorry. It is highly likely that European resident personal data was involved here and with Facebook revenues tipping over $55B, it is not impossible that Facebook will have to deal with something close to $1B in fines for these two breaches.

With the US senate looking to slap a $5B fine on Facebook for the Cambridge Analytica scandal, Facebook may need to get a bigger chequebook.


Firebase, a Google service, suffered a breach in Jun 2018. 100m records exposed containing everything from plain text usernames and passwords to private medical records. Over 1,000 devices apps involved, so the chance of having no European personal data in this lot looks remote to say the least.

The reason behind this breach was basically poor security controls. Firebase required the app developers to secure their data, but a lot of them simply didn’t. And Firebase didn’t check.

Alphabet’s global revenue of just over $136B, and the associated basic lack of controls, could see this fine near the 4% maximum, which works out as $5.4B. It puts into sharp focus the role of data aggregators and facilitators, because although Alphabet were a long way removed from the actual breach related activity, they may have had a data controller in common role to play here, along with the relevant app developers.

I’m sure Alphabet will argue that they were only providing a service, and that the app developers were the only data controllers in scope here. The GDPR has been waiting for a legal discussion on data controllers in common, and the scale of this looks like the first major test of data controller responsibilities under the GDPR.