The Data Protection Authority in Guernsey (Authority) has imposed a £100,000 administrative fine on a business following a significant personal data breach that exposed special category data.
Background
In December 2021, a local business became aware of a cyber incident after receiving a series of suspicious emails suggesting that its e-mail server had been accessed by cyber criminals. An internal investigation later confirmed that the server had, in fact, been compromised in August 2021, through the exploitation of multiple vulnerabilities.
These vulnerabilities allowed attackers to access and steal e-mails which were stored on the server, many of which contained sensitive special category data. The stolen e-mails were subsequently used in multiple phishing campaigns targeting customers of the business over a period of several months. While the total number of compromised e-mails remains unknown, thousands of clients were potentially exposed.
The business reported the incident to the Authority in accordance with its obligations under the Data Protection (Bailiwick of Guernsey) Law, 2017 (Law), triggering a formal inquiry.
Findings of the inquiry
The Authority’s investigation found that the business had failed to take reasonable steps to ensure the security of personal data, thereby breaching the Law.
Key failings identified included:
- Failure to apply security updates: The business did not routinely install updates to its e-mail server for over 13 months, including those directly related to the vulnerabilities exploited in the breach.
- Deficient threat detection: Gaps in the configuration and monitoring of threat detection software resulted in missed opportunities to identify the unauthorised access.
- Delayed detection: There was a three-and-a-half-month delay between the initial server compromise and its detection.
- Inadequate breach investigation: The business’s internal inquiry did not identify the root cause of the server’s vulnerabilities or the failures in its threat detection processes.
Why this matters
Under the Law, organisations are required to take reasonable steps to ensure an appropriate level of security for personal data. This includes implementing technical and organisational measures to mitigate the risk of breaches, especially when handling special category data.
The Authority determined that the business failed to implement even fundamental information security measures. As a result, sensitive customer data was compromised and individuals were exposed to potential harm through phishing and other cyberattacks.
Regulatory outcome
Given the seriousness of the failings and the sensitivity of the affected data, the Authority concluded that the legal threshold for a financial penalty had been met.
The business has accordingly been fined £100,000, structured as follows:
- £75,000 payable within 60 days of this determination.
- £25,000 payable in 14 months’ time, which would be waived if the business fully implements its Action Plan of remedial security measures within that period.
Lessons for organisations
The Authority emphasised that the case highlights several key lessons for all organisations handling personal data as follows:
- Timely security updates are essential. Organisations must have robust processes to ensure that software updates and patches are installed promptly. The Authority recommends following the National Cyber Security Centre’s guidance on Vulnerability Management.
- Security is an ongoing responsibility. Measures must be regularly reviewed, configured correctly and tested to ensure ongoing effectiveness.
- Effective incident response is critical. When a breach occurs, organisations must identify not only what happened but also why and how it was able to happen. Understanding the root cause is vital to preventing recurrence.
Conclusion
This enforcement action serves as a reminder that maintaining the security of personal data is a continuous process. Organisations entrusted with sensitive information, and particularly special category data, must ensure their systems and procedures are robust, current, and capable of withstanding evolving cyber threats.
How we can help
Organisations that experience or suspect a personal data breach should act swiftly to assess the situation and determine whether notification to the Authority is required. Early, informed action can significantly reduce regulatory and reputational risk. If your organisation requires guidance on identifying, assessing, or reporting a breach in accordance with the Law, we have significant experience in this area and would welcome the opportunity to assist. Please do not hesitate to contact any of the contacts listed on this page for advice and practical support in engaging with the Authority.
Our Guernsey Regulatory & Risk Advisory team comprises dedicated regulatory experts spanning all practice areas who regularly advise on all aspects of Guernsey regulation and tax, including financial services, AML, sanctions, data protection, consumer protection, competition, tax (including Pillar Two), economic substance, FATCA and the CRS. Our team can also provide training to staff on a broad range of topics.
Ours is the largest and longest-established global group of dedicated financial regulatory lawyers of all the offshore firms, and the only one to have dedicated financial regulatory lawyers located on the ground in each of our ten offices, providing joined-up assistance across all time zones. We provide decades of specialist financial industry experience, having worked within financial regulators, global financial institutions and magic circle law firms.