UK watchdog's punishment for Blackbaud, Easyjet, other big privacy lawbreakers was slap on the wrist in private

Blackbaud was given a private slap on the wrist by the UK's Information Commissioner's Office (ICO) after paying off criminals who stole users' financial data from the cloud CRM biz's servers. The astonishingly mild sanction was revealed in a Freedom-of-Information response after senior data protection specialist Jon Baines at …

  1. Neil Barnes Silver badge

    an implausible £18bn in damages

    But that's the problem: the damages are unknown and unknowable, particularly with future risks of, for example, identity theft.

    The restitution should not be damages except where they can be explicitly shown and proven; they should be punitive to persuade companies that, hey, guess what, it's not a cost of doing business, it's a good idea to get some better security organised.

    1. SsiethAnabuki

      Re: an implausible £18bn in damages

      Yes - this was very much the reason behind linking maximum fines to company turnover, so that they could be effectively punitive.

    2. tiggity Silver badge

      Re: an implausible £18bn in damages

      And it was likely to be top grade ID data for travel - passport number, genuine DOB, address etc. So those damages not that far fetched - really needs a proper punishment instead of minor fines or "reprimands" (I'm assuming SMEs don't have the right contacts to know the special approaches needed to get a reprimand instead of a fine)

      Maybe I'm odd but very few sites have my full real details, especially DOB, huge difference in info a site gets from me when it's a legal requirement for them to be accurate (e.g. travel out of UK), compared to what they get when accurate data is not legally mandatory.

      ... Amazing how many sites are happy with a DOB that would make me the world's oldest person by quite a few years.

      1. AW-S

        Re: an implausible £18bn in damages

        I totally agree.

        easyJet require accurate details to then allow you to fly. Perhaps we need a system whereby the airlines use something akin to car rental (for checking driving licence details) so that they enquire directly to the passport office?

        1. MarkTriumphant

          Re: an implausible £18bn in damages

          Although that would then place the responsibility on the Home Office, and I'm not sure I trust them at all. I like just having to deal with them every ten years, rather than every journey.

          1. AW-S

            Re: an implausible £18bn in damages

            Ah, but you don't deal with the Home Office every 10 years - your data is used constantly and every time you travel into and out of the UK etc.

            The data at the passport office is also increasingly used to help confirm your identity, for example by providing your photo image to other "agencies", such as for renewing photo driving licences.

    3. jollyboyspecial

      Re: an implausible £18bn in damages

      You seem to be confusing a private law firm suing for damages with the ICO issuing a fine.

      Granted there should have been a punishment, but there wasn't. The lawsuit is not a replacement for that.

  2. Tromos

    Further regulatory action

    Such as being sent to bed early or no pudding?

    1. Winkypop Silver badge

      Re: Further regulatory action

      No pudding?!

      That’s inhuman sir!

    2. Anonymous Coward

      Re: Further regulatory action

      Tie them in the comfy chair and poke them with the soft cushions!

      Nobody expects the Spanish Inquisition and, with the ICO, they no longer have to worry about it.

  3. Phones Sheridan Silver badge

    Prior to GDPR the ICO openly wasn't interested in pursuing companies that were involved in data leaks. When pushed excessively its fines typically never went over a few thousand pounds, and they were rare. Then the GDPR came along and all that changed. It was power hungry, huge fines being thrown out all over the place. But then the fines (mostly) went unpaid. Now Brexit has been and gone, the ICO seems to have reverted to its pre-GDPR behaviour. Its political masters don't want to be rocking the boat when there's trade deals to be done with the very people who don't give two hoots about data protection.

  4. Chris G

    "We will publicise these if it will help promote good practice or deter non-compliance."

    This should apply particularly to all public bodies who, in theory, are or should be answerable to the public.

    Obviously fining them means the fines being paid from the public purse so the minimum ought to be to shame them publicly.

    1. jollyboyspecial

      The reason they don't publicise these wrist slappings is simple. Once other organisations know that these transgressions have gone unpunished then they will no longer fear GDPR or the ICO.

      Clearly the ICO do not publicise these non-punishments because they are embarrassed by their own weakness.

      What I would be interested to know is whether the ICO chose this track off their own bat or if they have been instructed to do so by government. I suspect the latter and if this is the case questions should be asked in the house. However with the feeble opposition we have at the moment it's unlikely that the questions will be asked and even if they are the opposition will probably accept some pretty feeble answers.

  5. Howard Sway Silver badge

    "The ICO did not impose a penalty, nor did it impose any requirements for further action"

    Whilst the effectiveness and appropriate size of fines is a reasonable matter for debate, the fact that there was no requirement to toughen up their security after the incident is appalling. It only leaves the suspicion that the government has turned the ICO into a paper tiger that lets companies get away with stuff, due to some blind ideology about regulation being "bad for business".

    What's really bad for business is sending the message that UK companies are allowed to have poor security in the name of not "burdening" them with the cost of implementing it. Why do business with them if they're allowed to play fast and loose with your data?

    1. Anonymous Coward

      Re: "The ICO did not impose a penalty, nor did it impose any requirements for further action"

      We have a previous MI6 employee yesterday telling us that all forms of cyber espionage, and hacking is a serious threat, and then the government ignoring the basics of information security.

      Then the debacle of NHS data being sold off too.

      It is obvious that the government are really not bothered about protecting its citizens.

      1. hoola Silver badge

        Re: "The ICO did not impose a penalty, nor did it impose any requirements for further action"

        I think this is caused by a number of different issues:

        Ignorance - many in Government STILL have little comprehension of IT & Data Security

        Vested interests - simply, follow the money, they will always think about themselves first and as we have seen with all the "second" jobs MPs have, they only care about themselves.

        Timescales - Government (any) is incapable of thinking about anything much beyond the current term or Parliament.

        They don't care - this is a general malaise in the population as a whole. There are too many people who through lack of understanding and apathy, simply don't care.

  6. Dave White

    Not that GDPR seems to matter to Easyjet

    I have twice sent emails to them over the last year asking them to delete my data from their databases as per my "right to be forgotten". The first one came back with an automatic reply saying they were busy and would get back to me soon.

    Fast forward a year and I still have no reply.

    1. DreamEater

      Re: Not that GDPR seems to matter to Easyjet

      I wonder if there is a way to force them...

      A bit like when companies/people ignore courts' instructions to pay fines etc and only seem to react when some rather large people turn up looking for expensive equipment to take...

  7. Graham Cobb Silver badge

    Reprimands inappropriate for big business

    Reprimands should be limited to 2 cases only:

    1) Public bodies, where a fine is irrelevant (moving money around government, and no impact on the organisation). In that case the breach should always be publicised so that the appropriate oversight (civil service, parliament, and the public) can make sure the problem is not just fixed but lessons are learnt.

    2) Small companies, where the ICO decides that the company, and the public, are best served by the company mending its ways, and a fine is not the way to force them.

    Reprimands should never be used for large commercial companies who have made a clear breach. Those companies can afford to take advice and do audits and must be incentivised to beef up their internal systems and processes to make sure they not just take external advice but act on it.

    If the company took advice but decided to go against it then there should be legal action against the directors personally.

  8. DomDF


    I wonder a) how many of these companies made donations to the Tories in exchange for the wrist slap, and b) employ Tory MPs as "consultants" to ensure they only get their wrists slapped.

    I guess it's 100%

  9. Cynical Pie

    The ICO doesn't issue fines and it never has done. It issues Monetary Penalty Notices, essentially the same thing but legally different as there is no set banding of fines levels among other things

    It's a pedantic thing not helped by the outgoing IC being fond of the term fine during her myriad of public appearances but now she has gone back to Canada hopefully the new incumbent will at least use the right language and be less fond of a public appearance

  10. Anonymous Coward

    ICO are a complete waste of space

    Just received the final response from ICO on a case I raised about 6 months ago.

    Once again whilst the ICO indicate that they agree the government agency did not comply with GDPR and PECR the case is now closed with their usual waffle along the lines of them telling the agency to ensure staff attend mandatory training annually and that the agency's policies and procedures must be updated to reflect GDPR.

    This for a complaint that was specifically regarding the agency's Data Protection Officer failing to adequately perform their duties (as defined in GDPR) and of their DPO failing to get actively involved in my original direct complaint to the agency (at the time the agency's DPO simply passed my complaint on to the "relevant team" and did not even acknowledge receipt of my complaint).

    For the various cases I've raised with ICO over the past couple of years the ICO has yet to take *any* significant action as a result of any of the complaints, even when they agree, for the majority of these cases, that GDPR/PECR has been broken.
