The Information Commissioner’s Office has issued two monetary penalty notices, one against the Royal Mail Group Ltd and one against Tuckers Solicitors LLP.
The Royal Mail sent out 215,000 emails to customers who had “expressed a desire to no longer receive marketing” from them and to a number of “guest” visitors to their website who had neither opted in, nor out.
The unwanted emails were the result of a manual error (Royal Mail used Oracle’s Eloqua for its direct marketing emails). According to the decision, “Royal Mail appeared to accept it did not have valid consent to send those messages”. The Commissioner considered it a “serious contravention” and fined the Royal Mail £20,000.
Tuckers Solicitors LLP, a well known criminal law firm in London, was fined £98,000 for not securing its IT systems, which allowed a hacker to gain access to highly confidential information. The decision is a really interesting one for any business that stores confidential information (which must be all businesses?). There are some unexplained redactions in the decision, although it looks like Tuckers used Citrix Systems and Microsoft products, neither of which had been patched by the firm, nor did the firm use multi-factor authentication (MFA). It’s a significant penalty given the open and efficient way in which the firm handled things after the intrusion came to light.