Recent Significant UK Data Breaches Round-Up

Posted on 05/10/2018


Another week, another data breach. The loss or theft of people’s personal data from company databases has become a staple of news reporting. Here’s our round-up of recent breaches that have affected UK citizens.

British Airways

For two weeks at the end of August and the beginning of September, BA customers who made bookings on the website or via the mobile app had their personal and financial details compromised. The UK’s regulatory body, the Information Commissioner’s Office, is remaining tight-lipped about its investigation of the incident, only confirming that it is “...making enquiries.” As this breach occurred firmly after the introduction of GDPR on May 25th, British Airways executives will be waiting anxiously to see if the regulator unleashes the full power of the legislation. Companies can face fines of up to 20 million euros or 4% of global turnover.

Equifax

The UK arm of Equifax – the international credit reference agency – has been fined £500,000 by the ICO after its US-based parent company admitted the theft of personal information relating to 15 million customers. The data theft took place in 2017, so the fine was issued under the Data Protection Act 1998. Under GDPR, the fine could have been significantly larger. Equifax had a turnover of $3.1 billion in 2016. If the maximum fine of 4% had been available to the ICO, it could have fined Equifax $124 million.


The popular Facebook plug-in that allows users to share historical posts “experienced a network intrusion” back in July of this year. Data stolen included the names, email addresses, dates of birth, gender and phone numbers of some 21 million users. 2.9 million of these fell under the jurisdiction of GDPR (i.e. the data belonged to EU citizens). We’ll keep you posted on how the Information Commissioner’s Office investigation proceeds in this case.

Since the introduction of the GDPR, companies have been demonstrating more transparency following a data breach, presumably in the hope of appeasing regulators. In the words of the ICO:

“Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”

At Priviness, we offer courses tailored to meet the international data law compliance needs of your organisation. For more information about our privacy law compliance training, call us on 0203 2878 243 or email

Join the conversation about privacy law and data breaches on Facebook and Twitter.
