
GDPR Breach Examples: Real UK Cases and What They Cost

By the Assured Cyber Protection team · Updated 2026 · Reviewed

The clearest way to understand what UK data protection law actually punishes is to look at real GDPR breach examples and the fines they attracted. Headlines talk about “millions”, but the useful detail is in what each organisation got wrong: an unpatched server, a phishing email that was clicked, children’s data collected without consent. Most of these failures are things a small business can also do, just on a smaller scale. This page walks through the biggest UK cases, what each one cost, and the plain lesson underneath the number.

The largest ICO fines, and why they happened

The Information Commissioner’s Office (ICO) is the UK regulator that enforces data protection law and issues fines. A handful of cases set the ceiling.

British Airways: £20 million (2020). A 2018 cyber attack skimmed the personal and payment details of more than 400,000 customers after attackers exploited weaknesses in the airline’s website. The ICO’s original intention was a £183 million penalty; it was cut to £20 million partly because of the pandemic’s impact on the aviation industry. The lesson is not glamorous: the attackers got in through security gaps that monitoring should have caught.

Marriott International: £18.4 million (2020). When Marriott acquired Starwood Hotels it also inherited a breach that had been running undetected since 2014, exposing an estimated 339 million guest records worldwide. The ICO faulted Marriott for insufficient due diligence and monitoring. If you buy a company, or even a customer list, you inherit its data risk.

Capita: around £14 million (proposed 2025). A 2023 cyber attack on the outsourcing giant exposed personal data, including pension scheme members’ details. The case is a reminder that when you hand data to a supplier, their breach becomes your customers’ problem, and increasingly a contractual one for you.

TikTok: £12.7 million (2023). This one was not a hack at all. The ICO found TikTok had allowed up to 1.4 million UK children under 13 to use the platform and processed their data without proper parental consent. Breaches are not only about attackers getting in; collecting or using data you were never entitled to is just as much a violation.

Mid-sized fines that hit ordinary failures

The smaller cases are more relevant to most businesses, because the causes are mundane.

Interserve: £4.4 million (2022). A phishing email was forwarded and opened, malware was installed, and the personal data of roughly 113,000 employees was compromised, including bank details and special category data. The ICO’s finding was blunt: outdated systems, missing staff training, and an alert that was not properly investigated. Almost every element here is preventable on an SME budget.

Advanced Computer Software Group: around £3 million (2025). A 2022 LockBit ransomware attack hit a supplier to the NHS, exposing personal data and disrupting services such as NHS 111. The ICO pointed to gaps in basic controls, including incomplete multi-factor authentication. For the modern equivalent of the controls insurers now expect, see our guide to the security controls cyber insurers demand.

Across these cases the same handful of root causes repeat: unpatched or outdated systems, a phishing email that was clicked, missing multi-factor authentication, poor supplier oversight, and alerts nobody acted on.

What GDPR breaches cost beyond the fine

The ICO penalty is only part of the bill. A serious breach also brings incident response and forensic costs, legal fees, notifying affected individuals, potential compensation claims from those individuals, and the harder-to-measure damage to reputation and customer trust. For a small business, the response and recovery costs often dwarf any regulatory fine, which is a large part of why cyber insurance exists. Our page on what cyber insurance actually covers breaks down which of these costs a policy picks up.

It is also worth knowing that not every breach ends in a fine. The ICO can issue reprimands, enforcement notices, or simply require changes, and it has publicly moved toward supporting smaller organisations rather than punishing them, provided they report promptly and act in good faith.

The lessons a small business should actually take

You do not need a British Airways budget to avoid a British Airways mistake. The recurring themes point to a short, practical list:

  • Patch systems promptly and retire software that no longer receives updates.
  • Turn on multi-factor authentication everywhere, especially email and remote access.
  • Train staff to spot phishing, because a forwarded email started the Interserve breach.
  • Vet your suppliers and put data protection terms in contracts, since their breach becomes yours.
  • Only collect data you are entitled to and have a lawful basis for, as the TikTok case shows.
  • Have a plan to detect, investigate and report incidents quickly.

If a breach does happen, UK law requires you to assess it and, where there is a risk to people, notify the ICO within 72 hours. Our guide to data breach reporting and the ICO 72-hour rule covers exactly what to do. The best starting point for prevention is the government-backed Cyber Essentials scheme, which targets the same basic controls that these fined organisations failed to maintain, and our “Do I need cyber insurance?” page helps you weigh the financial risk.

For the official register of enforcement actions, the ICO’s “Action taken” page lists every fine and reprimand as it is published.

Frequently asked questions

What are the biggest GDPR breach examples in the UK? The largest ICO fines to date include British Airways at £20 million and Marriott at £18.4 million, both in 2020, followed by TikTok at £12.7 million in 2023 and a proposed penalty of around £14 million against Capita over its 2023 breach. Each stemmed from a different failure, from website security gaps to processing children’s data without consent.

What is the biggest GDPR fine ever issued in the UK? British Airways holds the record for a UK data breach fine at £20 million, issued in 2020 over a 2018 cyber attack. The ICO had originally intended to fine the airline £183 million before applying mitigating factors.

Do small businesses get fined under GDPR? They can, but large fines are usually reserved for serious failings by big organisations. The ICO increasingly favours reprimands and support for smaller businesses that report breaches promptly and act in good faith. The bigger financial risk for an SME is usually the cost of responding to and recovering from a breach, not the fine.

What causes most GDPR breaches? The recurring causes in real cases are unpatched or outdated systems, phishing emails that staff click, missing multi-factor authentication, weak supplier oversight, and security alerts that are not investigated. Most are preventable with basic controls.

How much can you be fined for a GDPR breach? UK GDPR allows fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious breaches. In practice, actual fines are usually far below the maximum and reflect the severity of the failure and any mitigating factors.

Do you have to report a GDPR data breach? If a personal data breach poses a risk to people’s rights, you must report it to the ICO within 72 hours of becoming aware of it. You may also need to tell the affected individuals if the risk to them is high.
