Author: Admin Page 1 of 15

British Airways Anticipates 90% Discount on GDPR Fine

British Airways Anticipates 90% Discount on GDPR Fine

When the ICO announced their intention to fine British Airways £183million, it was seen as one of the landmark penalties in GDPR. It was a shot across the bow for any company handling personal data, that the ICO intended to make full use of its powers under the new data protection act. Now though, the airline says it expects to pay only 10% of the total fine. So does this mean the regulator is taking a lighter touch?

What happened at British Airways?

In July, the ICO announced that it had fined British Airways £183million after a computer hack which compromised the personal data of half a million people. At the time, the airline said it had been the victim of a ‘highly sophisticated attack’ which compromised the bank information of half a million people who had booked flights through its website.

However, the ICO took the view that information had been compromised by poor security arrangements and took action accordingly. The £183million fine represents an enormous 1.5% of the firm’s annual turnover and is also the largest fine that the ICO has handed out. Furthermore, it was the first fine it made public since the new rules came into force. Under the rules of GDPR, the ICO could have decided to levy a higher fine, amounting to 4% of the annual turnover, should they have deemed necessary.

A reduced fine?

From that perspective, BA could have been said to have got off lightly. However, they immediately announced their intention to defend their position and make any necessary appeals.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Willie Walsh, head of British Airways’ parent company (International Airlines Group) at the time

BA announced its intentions to make representations to the ICO and these appear to have had an effect. In its July 31st statement the company said it had put aside only £20 million to cover the fine. This, it said, represented their “best estimate of the amount of any penalty issued by the ICO”.


If they are correct, the final penalty would represent a 90% reduction and the news has concerned a number of privacy campaigners. Your Lawyers, a consumer action law firm that has been appointed in a Steering Committee position by the High Court of Justice against British Airways in the GDPR case, have condemned the move.

The firm’s director Aman Johal, said that the indication of a vastly reduced fine “is an affront to data protection and the GDPR.”

He went on to say:

“The ICO’s decision last year to issue a record provisional intention to fine was a landmark decision that could set the standard for organisations and act as the candid warning that is so desperately needed in today’s age of continual breaches. Such a substantial reduction could seriously undermine the purpose of GDPR, which was to act as a credible deterrent for organisations to ensure that they protect the information they store and process.”

In a statement the ICO said, “The regulatory process is ongoing, and we will not be commenting until it has concluded.” However, it is unlikely that BA’s management will have plucked this figure from thin air. The chances are, it represents their best guess based on the ongoing negotiations between the airline and the regulator.

What does it mean?

The ICO is remaining tight lipped about the proposed fine, which leaves us to speculate on their possible reasoning. It may be that BA has been highly convincing in its representations to the regulator. If they can show that there were mitigating circumstances or that they had taken measures to safeguard data, the regulator might have been persuaded to take a more lenient stance.

Equally, though, this reduced fine may also be down to the ongoing pandemic – the ICO has already announced that it would take a lighter touch on GDPR enforcement during the pandemic, and will take into account whether an organisation’s financial difficulties have stemmed from the pandemic.

BA, like other airlines, has suffered during lockdown. Passenger numbers fell by 98% in the second quarter of 2020 as lockdown devastated business in various sectors. IAG, the owner of BA, was forced to raise £2.49bn to strengthen its balance sheet after reporting record losses. Over 10,000 jobs have already been cut in an effort to lower costs.

The fine, then, comes at a time that BA’s ability to absorb such a fine would have been compromised. Time will tell on the reasoning, however, with the ICO thus far having not followed through on its intention to fine Marriot Hotels under GDPR, the episode will raise questions about how and what stance the regulator intends to take over GDPR.

Firms are Failing to Learn From AML Mistakes

Firms are Failing to Learn From AML Mistakes

Anti-money laundering (AML) fines have already surpassed the total for 2019 in the first half of the year. Are firms failing to learn from their mistakes?

Anti-money laundering fines surged to $706 million in the first half of this year, compared to $444 million for the whole of 2019. That’s the finding of the seventh annual Global Enforcement Review from Duff & Phelps.

The figure shows a reversal of the trends from previous years which showed a steady decline, ($3,297 million for 2018 and 2017 for $2,136 million). However, according to Nick Bayley, Head of Regulatory Consultancy at Duff & Phelps, this new uptick doesn’t necessarily mean firms have stopped paying attention to AML issues.

“Despite the uptick in AML fine amounts in 2020 we are still seeing fewer massive fines being imposed in the United States. This is very unlikely to reflect regulators attaching any less importance to AML compliance, it may simply be that the very largest financial institutions may be beginning to get their AML compliance in order, at last.”

“Although we do see some big institutions repeatedly receiving major fines for their AML failings, the sheer size of the fines that have been imposed for these failings and the associated huge cost of remediation means many have seemingly now learned their lesson.”

Nick Bayley

Even so, he does acknowledge that the report showed multiple fines for the same offenses and that they have been cropping up time and time again.

“Interestingly, looking at the key AML failings that are identified by regulators, we see the same areas being sanctioned again and again. This is consistent for regulators across the globe and also over the past five years.”

Handling AML regulation has been one of the major challenges for most banks for quite some time now. Banks can face massive fines for breaches, up to approximately £4,5 million, or 10% of their total turnover.

USA

The USA saw a significant reduction in the value of fines. In 2018, regulators in the USA accounted for 58% of the total fines issued. This time around it was down to just 12%. However, the total number of fines remained the same, suggesting the US regulator had simply not issued some of the mega fines seen last year.

UK

Here in the UK, though, fines appear to have been down on last year to £36.6 million compared to £98.2 million for the whole of last year.

Regulatory intelligence

The ultimate support for banks and financial services firms, RegTech and regulatory intelligence has been developing at rapid speeds over recent years and has helped to moderate financial crime through various means, including process automation, real-time payments monitoring, predictive analytics, scrutinising enormous amounts of data sets and revealing patterns within them. These are just some of the areas in which regulatory intelligence assists the financial services industry, helping to ensure compliance and mitigating risk.

Waymark Tech’s software has been developed to offer all of this and more. The implementation of artificial intelligence and natural language processing (NLP) has already saved large amounts of man hours and has alleviated serious risk. Moving away from the traditional approaches within the financial services sphere has seen Waymark grow since it was founded in 2016. Preparation for regulatory compliance is crucial in the avoidance of fines. If you feel that regulatory intelligence could be valuable for your organisation, please do email us for a complimentary and no-obligation demo of our innovative software at support@waymark.tech.

Lessons not learned

The figures are certainly mixed. They are well up on 2019 but still down on 2018 and 2017. As Bayley says, it’s perfectly possible that these simply show firms are finally beginning to get the message. However, the familiar nature of the failings suggests those firms who have not, are making the same mistakes time and time again.

In a year marked by the global pandemic, in which the challenges of maintaining compliance are higher and in which fraudsters are presented with a wealth of opportunities, those firms not paying close attention are playing with fire. This was demonstrated rather clearly with the $47 million fine for Commerzbank which was found to have failed to put right problems despite repeated warnings from the regulator. (See our article on this here).

These failings occurred at a time when defending against fraudsters and money launderers was comparatively straightforward compared to the world under lockdown. Any firm carrying over the same deficiencies through this year is putting themselves at serious risk.

According to most experts, Commerzbank’s failure to address shortcomings was down to an issue of resources. So this may be one of the tools in avoiding the same fate and where Waymark’s technology comes in. Making sure compliance teams have the resources they need and that they are up to date with the latest requirements, will be crucial to break the cycle, and ensure those important lessons finally hit home.

Pension Provider Sees Compensation Claim Soar by 2,000%

Pension Provider Sees Compensation Claim Soar by 2,000%

Pension provider, James Hay, was hit with some surprise news this month as an appeal saw its payout over a pension delay soar by 2,000%. The case should serve as a reminder to any pension firm to stamp out any delays in the pension process.

What happened?

James Hay had initially been ordered to pay £2,000 in compensation to one of its customers, known as “Mr T” for this case, after the firm caused a delay in a pension transfer, causing him to miss out on what he hoped would be a valuable investment opportunity.

Mr T had been looking to transfer his small self-administered pension into a self-invested personal pension plan. As well as £220,000 in cash, he had cash and stocks with Barclays Stockbrokers (BSB) in his SSAS. However, after BSB notified him it would be closing its pension trader accounts after 30th June 2016, he emailed James Hay asking them to begin the transfer.

Mr T requested the transfer to go through before the Brexit referendum on 23rd June 2016, however this did not happen and it wasn’t until 19th August 2016 that £250,000 in cash made its way from James Hay to Mr T’s new SSIP with Hargreaves Lansdown. A week after that, six out of seven lines of stock were transferred to the new provider with the last line being processed on 3rd October 2016.

Because of these delays, Mr T argued that he had lost the opportunity to invest in stock markets after the referendum result which could, he believes, have represented an excellent investment opportunity. Remember, this was the morning which, as one investor described it, had ‘gold in its mouth’. Mr T had hoped he would have been one of those to benefit.

James Hay argued that it had carried out its duties in a satisfactory manner, although it admitted there had been two exceptions caused by miscommunication. The Ombudsman found that while there had been maladministration on the part of James Hay, the compensation should be set at only £2,000.

In explaining this figure, the Ombudsman said that the exact level of loss claimed by Mr T was not measurable. Mr T appealed, claiming that the compensation was not enough and that the Ombudsman should have taken into consideration how much money could have been made had the transfer happened in a more timely manner.

The court sent the decision back to the ombudsman saying it should identify when the money would have arrived without maladministration from James Hay. It should then consider what Mr T would have done with the money.

In this second finding, the Ombudsman found that the money should have arrived by 23rd June 2016, just in time for the referendum, and that Mr T would have invested the full amount in the FTSE 100 Index immediately after the leave vote. As such, it concluded the losses would have been much higher than originally thought.

Although it is impossible to say for certain what he would have done with the money or which stocks he would have invested in, the Ombudsman still determined that it was possible to make a reasonable estimate.

“If £250,000 had been invested when the FTSE Index level fell to 5,788, a profit of about £43,700 would have arisen when that Index rose to 6,800 in August 2016.”

Ombudsman, Anthony Arter

He therefore added, more than £41,000 onto the compensation in recognition of this lost investment opportunity. James Hay for its part has accepted the revised ruling and says it is “in the process of arranging the settlement with the scheme.”

Lessons to be learned

The ruling might have been a shock for the firm, but as with every penalty notice issued, it provides an opportunity for firms to learn from their mistakes. It shows that, not only can they be found culpable for delays in the transaction, but the ombudsman is willing to make an estimate of the likely losses the client would have incurred. For other companies, the lesson is simple. Don’t drag your heels on transactions. The results could be more damaging than you think.

FCA on Business Interruption Insurance

FCA Tests the Water on Business Interruption Insurance

A test case brought by the FCA, seeks to clarify wording used in business interruption insurance. If successful, it could have profound implications on almost 400,000 policy holders.

The FCA is bringing the case in order to end uncertainty around how pandemic related business interruption claims should be treated by insurers, and how any resultant losses should be assessed. As part of this, they will be examining the fine print of more than 40 insurers including Hiscox, Royal Sun Alliance, QBE and Ecclesiastical (the largest insurer for churches).

The case centres on a number of key areas of dispute including:

  • Denial of access: Many business interruption policies cover against losses incurred from being denied access to premises. This will have been a serious issue for many businesses which were forced to close during the height of the pandemic. Some also cover losses incurred because premises have been closed by public authorities, due to an emergency which endangers human life.
  • Losses: In a successful claim, losses will need to be assessed against what the business would have earned if the interruption had not occurred. In this case, the uncertainty surrounds whether this includes what the business would have earned had there been no pandemic, or what it would have earned had it stayed open during the pandemic. If it’s the latter, many businesses, such as pubs, will see relatively little benefit as the pandemic would have reduced business to near zero even if they had been able to stay open.
  • Notifiable disease: A number of policies will provide businesses with cover if there has been a notifiable disease at or near their business, within a specific radius.

Business interruption insurance has been top of the regulator’s agenda during the pandemic. According to a report from McKinsey, 60% of small and medium sized businesses feel their insurers were not transparent over how COVID-19 would affect their policies.

Many who had business interruption cover will have assumed they’d have had some protection from their insurers only to discover that diseases such as COVID-19 are specifically excluded.

Confidence and trust in the sector has fallen with a third of businesses saying they will stop buying business interruption cover altogether.

It’s a difficult balancing act for the insurance sector. On the one hand, insurers were keen from the outset to make it clear that they would not be on the hook for any business interruption pay outs.

A spokesperson for Ecclesiastical said:

“Our business interruption policies were not designed to provide cover for pandemics and have specific exclusions against infectious diseases like Covid-19 within them.”

Even before the lockdown, the industry was making its stance clear. The Association of British Insurers asserted at the time that:

“Irrespective of whether or not the Government orders the closure of a business, the vast majority of firms won’t have purchased cover that will enable them to claim on their insurance to compensate for their business being closed down by the coronavirus.”

However, insurers are also keen to avoid severe reputational damage as a result of the pandemic. Ecclesiastical says it has provided some measures of support including enhanced cover and an automatic extension in cover for 30 days beyond renewal to prevent customers becoming unintentionally uninsured.

The argument boils down to definitions. While the FCA accuses insurers of ‘cherry picking’, they accuse the regulator of blurring the lines between distinct items.

Jonathan Gaisman QC, acting for Hiscox, said:

“We need to be aware that when the FCA invokes what the parties must have meant, the intention or at least the effect of that phrase is often to camouflage those points in its argument where there is nothing but their assertion.”

Court proceedings are now under way with a decision expected in September. The decision will be watched closely by businesses and the insurance sector alike.

ICO Reports on First Sandbox Projects

ICO Reports on First Sandbox Projects

The ICO has released the first two reports from its regulatory sandbox about innovation in data protection. Launched in September last year, the scheme trialed a number of innovations which sought to use personal data to deliver a variety of new services, while still maintaining data protection requirements.

Many of the projects have been delayed because of COVID-19, but these first projects include a ground breaking study in biometrics at Heathrow and a further education not-for-profit company, JISC. Both can shed light on the potential of data and the challenges involved in maintaining privacy.

Heathrow’s biometric passports

Heathrow’s experiment relied on using biometrics such as facial recognition to automate the passenger journey and ensure people can move through check-in, baggage drop, and onto the aircraft without having to constantly stop in order to show their passports.
Their study had to confront two important data issues. The first was who controlled the data. Heathrow would be considered a joint data controller for the activities and so would have to ensure complete security and transparency about what data it had.

Under GDPR rules it would also struggle to achieve compliance through the argument of a legal obligation, and so would have to seek explicit passenger consent for using the data throughout the passenger journey. This can be difficult to achieve in a system which is intended to minimimse interruption to the passenger’s journey throughout the process.

Both Heathrow and the ICO agreed that affirmative action completed by the passenger would not be a compliant means of shorting an express statement of explicit consent.

In the light of the trial then, Heathrow has decided to postpone its plans until it can come up with a GDPR compliant process for automating passenger journeys.

Student well-being

The JISC project meanwhile, aimed to protect student well-being while showing how the data about their activities could be used to improve the services on offer.

It faced issues around data protection as well as purpose compatibility. It would have to assess whether the data they intended to use would be fit for the original purposes for which it was collected.

Thanks to COVID-19 related delays, one aspect of the project could not be met, a report into the mental health analytics which both sides agreed would take place outside of the sandbox process.

Universities using data would have to demonstrate compliance through the accountability principle of GDPR which would include identifying the lawful basis for using the data and providing adequate notification notices to all students including those under the age of 18.

According to the report, both sides agreed that universities would rely on Article 6 of GDPR in which is covered public tasks or legitimate interests for the processing of certain categories of personal data.

Data potential

Both projects demonstrate the opportunities and risks associated with data. Much has been written about the use of facial recognition and data, in general, to streamline the process of fighting your way through the airport. As anyone who has endured a tough route through check-in would agree, anything that can make this easier will be welcome.

But systems have always run into the issue of data identification and consent, and this appears to be something Heathrow is yet to crack. GDPR sets the bar extremely high in achieving explicit consent as well as maintaining the necessary transparency and reassurance about how data will be used, and how and when it should be deleted.

By ironing out these issues and collaborating between regulators and innovators, sandbox initiatives such as this will be crucial in blending the potential of data with its regulatory obligations.

What is going on at the SFO?

What’s Going on at the SFO?

The Serious Fraud Office is reviewing its operations after a high-profile embarrassment in court. So what’s going on and can the biggest fraud regulator be fixed?

“Like a teenager who has found a new friend.” That’s how Judge Martin Beddoe described Lisa Osofsky, director of the SFO, as behaving in a high profile international bribery case. It’s the latest in a long line of negative headlines for the regulator which has seen some start to question its existence.

So, what went wrong and can anything be salvaged?

The latest case relates to the regulator’s prosecution of executives from Unaoil for offering bribes to secure lucrative contracts. The defence tried to get the case thrown out over Osofsky’s communications with David Tinsley, a former FBI agent and now private investigator working for the defence.

In a series of what were described as ‘flattering’ texts between the two sides, Tinsley appeared to be attempting to sweet talk Osofsky into going easy on his clients. She in return appeared to be trying to steer him towards persuading his clients to plead guilty.

It worked. Tinsley is said to have approached his clients behind the backs of their legal team claiming that they may receive a more lenient sentence if they agreed to plead guilty. The defence argued that these communications made it impossible for their clients to receive a fair trial.

Judge Beddoe dismissed the claim but upheld the criticism of senior figures within the SFO. The regulator has announced it will now undertake a review to see what learnings might come.

However, this is not the first time in recent memory that the SFO has been caught short. The last few years have been marked by high profile failures and long drawn out cases. There was the acquittal of former Barclays executives accused of conspiracy to commit fraud; there was the failed prosecution of former employees of Sarclad and Guralp Systems with the company reaching a deferred prosecution agreement; and the collapse of the Tesco fraud trial.

Such high profile failures prompted Compliance Week to suggest companies accused of fraud might decide to take their chances at trial rather than take the safer DPA option.

The SFO’s reputation has taken a pounding and prompts renewed calls for a fundamental overhaul of the organisation. Some have been calling for the regulator to be merged with the National Crime Agency.

Osofsky has been vocal in opposing such a move, but this latest episode doesn’t do her credibility any favours. Either way, the recently announced review needs to be much more than a box-ticking exercise. With experts warning of an increased risk of fraud in the fall out from COVID 19 the UK needs an anti-fraud regulator which is at the top of its game.

COVID-19: Opportunity Knocks for RegTech

COVID-19: Opportunity Knocks for RegTech

Every cloud has a silver lining. When COVID-19 hit, banks faced an enormous logistical challenge of shifting towards a secure, and efficient work from home environment. However, after the initial pain, they are now seeing the benefits as the pandemic helps accelerate the move towards digital.

Even before COVID-19 and all the chaos that came with it, digitisation represented the future. However, progress was slow. Even those organisations that accepted the need to evolve to keep up, were slow on the uptake. Old practices remained. Teams either failed to see the urgency or were suspicious of new technologies. COVID-19 meant that, like it or not, many had to make the leap and any concerns over security had to be resolved.

The effects have been rapid. Online banking has boomed as customers are shut out of branches. Even those who might have been reluctant before the pandemic found they had little option during it. Equally, teams have embraced remote working with video conferencing and online document editing becoming the norm.

In both cases those who had been reluctant adopters are realising the benefits. Employees who would previously have preferred to print and manage documents by hand are finding out how easy it is to quickly edit and send them online. Firms report relatively few home printers being used which not only reduces paper waste but without so many documents to potentially go missing, it improves security.

Across the board, people involved in digital transformation feel as if a dam has been broken. RegTech had already been growing… Investment doubled between 2017 and 2018 and projections foresaw rapid growth over the next five years. As with other areas of technology, progress was always stymied by a lack of urgency, fear of the new and legacy infrastructure.

Coronavirus has, in various ways, helped to dispel each of these. The most important is trust. In order to work effectively, RegTech firms have to convince banks to allow them to work with their most sensitive data. This carries significant procurement and compliance risk, but with increased use of technology and the sharing of data, it is helping banks to become more comfortable with the concept and to hone their due diligence.

At the same time, with financial and manpower issues becoming critical, the cost and resource savings from automated RegTech solutions also starts to become more appealing. As such, COVID-19 represents a moment of opportunity for the RegTech sector and many companies appear to be grasping this with both hands. Some have been offering open access throughout this pandemic, while others have been cooperating to improve the value they can offer their clients. Waymark Tech has been one of those providers offering free access to COVID-19 regulatory updates.

The result creates enormous opportunity for everyone. Banks have been forced to take the leap, while the specific nature of life during and after COVID-19 has increased the need for automation and technology. Going forward, technology will become even more important in maintaining the know-your-customer provisions, anti money laundering and fraud prevention.

Hackers Have the Financial Sector in their Sights

Hackers Have the Financial Sector in Their Sights

A number of hack-for-hire firms are using the COVID-19 pandemic to infiltrate financial services firms. Defences are not always good enough though.

Two reports this month highlight the problem of a rapidly growing hack-for-hire market which is targeting corporations, government institutions and not-for-profits around the world. It’s a yet another addition in the cyber war powered by highly professional and well-funded criminal organisations – and given the perfect environment by Coronavirus to step up their efforts.

First came a report from Google which identified numerous hack for hire firms, spoofing the World Health Organisation to target business leaders and companies in the US and UK. The report found hundreds of examples of Coronavirus-themed attacks which use WHO branding and encourage individuals to sign up for direct notifications for important announcements. The emails contain a link to an attacker-hosted website that closely mirrors the official WHO site featuring fake login pages, all prompting users to hand over their personal details.

In a blog, Google said:

“Generally, 2020 has been dominated by COVID-19. The pandemic has taken centre stage in people’s everyday lives, in the international news media, and in the world of government-backed hacking.”

Meanwhile, a second report from Citizen Labs highlighted a shadowy hack-for-hire organisation which it termed “Dark Basin” linked to an Indian tech firm, BellTroX InfoTech Services. As well as financial institutions, this group had been targeting rights groups and not-for-profits including Greenpeace, The Rockefeller Family Fund, and the Union of Concerned Scientists as well as a number of organisations involved in the ExxonKnows campaign which asserts that Exxon knowingly hid information about climate change.

Their investigation kicked off in 2017 when a journalist noticed a phishing attack and asked them to investigate. Their study linked the attempts to a network of URL shorteners operated by the group that they came to call Dark Basin. They identified nearly 28,000 additional URLs containing the email addresses of targets around the world. This helped researchers build up a map of who they were targeting and warn some of them.

The evidence linking this group to BellTrox was not hard to find. Employees of BellTrox were found uploading screenshots and taking credit for the attacks on social media. A number of individuals claiming to work for BellTrox could be found on LinkedIn listing services such as email penetration, exploitation and corporate espionage.

Hacking is also becoming an increasingly common occurrence in corporate disputes. The recent case between the Ras Al Khaimah Investment Authority and Farhad Azima included allegations in which Azima claimed RAKIA used the services of hackers to access his emails and leak documents online.

The reports shed light on a world in which hacking is a growth industry backed by well funded and highly professional companies. The underhanded nature of this world makes it extremely difficult to trace responsibility and the current situation makes all companies uniquely vulnerable.

All the sophisticated cyber security technology in the world can be rendered useless by a convincing email. In an environment of high uncertainty in which companies are relying on guidance from trusted organisations such as the WHO, phishing emails can become more effective than ever. All it takes is one click on a malicious link and the hackers are through the defences.

Financial institutions, as always, find themselves in the firing line. If they are breached, they face financial and reputational losses as well as compliance risks.

To counter the attackers, therefore, companies need to get their defences in order, ensure everyone in the organisation is aware of the latest attacks, and that robust measures have been put in place.

The hackers are coming and they have better infrastructure and resources than ever.

Building effective defences will be one of the key challenges of the COVID-19 crisis.

DSG Retail Fine - Lessons to Learn

DSG Retail Fine: Lessons to Learn

The ICO’s decision to issue DSG Retail Ltd with the maximum penalty possible highlights how seriously they take data security and what factors influence their decisions.

The ICO’s decision to issue a £500,000 penalty notice against DSG Retail Ltd, under the old data protection act should serve as a warning shot across the bows of the industry. DSG, meanwhile, should be heaving a sigh of relief that the breach happened just before GDPR came into force.

What happened?

The scale of the fine comes thanks to a litany of errors which on their own could have constituted a breach, but taken together amounted to a serious and multifaceted breach of the data protection act.

It started in May 2017 when an assessment of DSG’s point of sale payment terminals across their stores in Curry’s PC World and Dixons Travel found that they were not compliant with PCI DSS standards. Even so, DSG were slow to make changes.

Almost a year later, they discovered that the payment terminals had been compromised. Over the course of night months, a cyber attacker had taken control of a number of domain administrator accounts and installed malware onto the POS system. This accessed payment card details of around 5.6 million customers, although an investigation later found that only a total of 85 cards had been potentially used fraudulently.

The fraudsters had also accessed non financial data belonging to about 14 million customers including credit checks, contact details and failed credit checks. The company was inundated with nearly 3,300 customer complaints about the breach and the regulator received 158 complaints.

  • The ICO’s investigations listed numerous systemic failures including
  • Lack of firewall on the POS terminals
  • Inadequate patching of software
  • A poor response system
  • Insufficient network segregation
  • Mismanagement of the application white listing


These amounted to multiple breaches of the Data Protection Act, but a number of aggravating factors made this even worse. The firm were already aware of the vulnerabilities but failed to take action quickly enough. They took a whole nine months to identify the breach and that Carphone Warehouse which belongs to the same group as DSG had previously been fined £400,000 for the same breach.

The regulator also took into account the volume of the data and the resources that the retailer should have had at their disposal. The scale of the operation and the nature of the breach had the potential to cause significant distress to customers.

Moreover as a major retailer, handling large quantities of sensitive customer data, DSG, should have been able to lead by example. They had plenty of resources at their disposal and should have been able to offer better protection to their customers.

The only mitigating factor is that DSG had taken steps to notify its customers and cooperated with investigators. Even so the regulator deemed the maximum penalty appropriate.

Lessons to be learned

The scale of this fine, should serve as a warning about how serious the ICO is taking data security. Had the breach occurred under GDPR the fine could have potentially been in the millions. It shows the factors the regulator takes into account when deciding including the volume of the data exposed, the nature of the breach, resources of the firm and how the company responded to known breaches.

It’s a reminder for businesses to maintain and proactively monitor their security systems and any deficiencies should be fixed as soon as possible. Cyber crime is becoming so widespread that if a company does identify a weakness, there’s a very good chance an attack will come sooner or later. While firms might be reluctant to spend the time and money fixing issues, if they don’t they run a high risk of finding themselves before the ISO and, with GDPR in full swing, the consequences could be catastrophic.

What Can We Expect From the New Head of the FCA?

What Can we Expect From the New Head of the FCA?

Chancellor Rishi Sunak overlooks Chris Woolard and chooses Nikhil Rathi to take the FCA forward into the post COVID-19 world.

There’s a new face at the FCA, but it’s not the man most expected. After a relatively positive stint as interim Chief Executive, Chris Woolard had been favourite to take the role on permanently. However, the decision to shun him in favour of Nikhil Rathi, boss of the London Stock Exchange, could have a number of implications for the future direction of the regulatory watchdog.

Woolard shunned

Woolard had been busy during his time as interim boss. He took on insurers who attempted to shirk responsibility for business interruption cover, he brought in his own QCs and hired law firm Herbert Smith Freehills to help the regulator deal with legal complexities and launched an inquiry into sub-prime lender, Amigo.

However, there is a sense that the FCA needs to be shaken up after the Woodford savings crisis, its failure to pre-empt the London Capital & Finance mini bonds scandal and the slowness of its response to malpractice in the investment sector.

Rathi, by contrast, is an outsider to the FCA and may bring a much needed freshness to the role while his track record of working in the Treasury may also have played a role in Sunak’s decision. Certainly his time at the Treasury may well help him to handle some of the upcoming challenges such as Brexit, although others may fear it makes him a little too close to Government.

The coming years will bring a number of challenges which could create friction between the FCA and Government. Rathi will do well to ensure he is seen to keep his employers at arm’s length and avoid any implication of political influence.

What to expect

As he takes his role, Rathi arrives at a pivotal time. The COVID-19 crisis has placed an enormous pressure on the FCA in maintaining its operations. It has already had to reset its priorities to ensure it can maintain the right focus despite the restrictions of the pandemic.

The financial world faces winds of change in the shape of new technology, climate change and a desire for greater accountability and better conduct. Each of these issues were front and centre of his attention as he set out his goals for the future.

The regulator also is fighting for its reputation. It has faced considerable criticism over the past few years and, like other regulatory watchdogs around the world, is under pressure to improve oversight and accelerate the conduct of cases. Rathi will need to hit the ground running and show that he can steer the regulator through the choppy waters which are on the way.

Page 1 of 15

Powered by WordPress & Theme by Anders Norén