ICO flexes its muscles and issues two maximum fines

4 mins

Posted on 05 Mar 2020

The ICO recently issued two companies with the maximum available penalty for breaching data privacy laws.

It fined CRDNN Limited for making unlawful automated marketing calls and Cathay Pacific Airways Limited for failing to adequately safeguard customers’ personal data.

Both penalties (of £500,000) were issued under the Data Protection Act 1998 (due to the dates of the breaches), so avoided the higher penalties available under the GDPR.

CRDNN Limited

CRDNN conducted automated direct marketing calls on various topics (including window scrappage, debt management and window, conservatory and boiler sales). If the call recipient indicated they were interested in a further call, this generated a “lead,” which CRDNN then sold on to businesses.

The ICO received over 3,000 complaints from individuals who received unsolicited calls. It raided CRDNN’s premises in March 2018 and seized their IT equipment and documents.

The ICO’s investigations revealed CRDNN had made nearly 1.6 million calls a day between 1 June and 1 October 2018. The calls originated from ‘spoofed’ numbers (meaning people could not identify who had made the calls).  It also found that CRDNN had continued to unlawfully conduct automated direct marketing calls during their investigations (around 193 million in the 5 months after the ICO’s search warrant).

The ICO concluded CRDNN had failed to obtain consent from the phone owners to make the calls and had not provided a valid opt out, in breach of the Privacy and Electronic Communication Regulations (“Privacy Regulations”).

Based on the volume of calls, and deliberate nature of the breaches, the ICO issued the maximum available fine (£500,000). It also issued CRDNN with an enforcement notice requiring it to comply with the Privacy Regulations within 35 days - in particular, to cease direct marketing through automated calling systems without prior consent and to ensure it identifies itself as having instigated the calls.

Cathay Pacific

International airline, Cathay Pacific, were subjected to a brute force attack on their database in March 2018 (where numerous passwords or phrases are submitted with the hope of eventually guessing correctly). They employed a cybersecurity firm to investigate.

The investigations revealed customers’ personal data was exposed through the data hack (111,578 UK customers and 9.4 million more worldwide). Personal data affected included names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information.

Cathay Pacific self-reported to the ICO once the security vulnerabilities were revealed.

The ICO found that between October 2014 and May 2018, Cathay Pacific did not have appropriate security measures. In particular, it found:

  • Back-up files were not password protected (contrary to its own policy)
  • There were unpatched internet-facing servers
  • Operating systems no longer supported by the developer were used
  • There was inadequate anti-virus protection.

The ICO concluded Cathay Pacific had failed to adequately protect their customers’ personal data and to adhere to their internal policies.

Despite promptly seeking expert assistance from a leading cyber security firm, issuing appropriate information to affected individuals and co-operating with the ICO’s investigation, the ICO still issued the maximum available fine (£500,000) due to the extent of the breach and shortcomings uncovered.


The background to these two penalties contrasts greatly - one was a security breach and the other a deliberate unlawful misuse of data. However, they produced the same result. In both examples the ICO felt the severity of the breaches justified the maximum fine.

With the ICO now taking more actions under the GDPR (we await the finalised penalties, if any, to be issued to British Airways and Marriott, after huge intent to fine figures), organisations need to ensure their ongoing data security compliance.

The ICO is making clear it is not only deliberate breaches that merit the maximum available fine. 

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.

Back to top