ICO issues Enforcement Notice in response to Office data security breach

ICO issues Enforcement Notice in response to Office data security breach


Author: Aisling Duffy

Shoe retailer, Office, has become the latest retailer to have its knuckles wrapped by the Information Commissioner's Office (ICO) following a data protection breach which resulted in more than one million customer records being exposed.


On 29 May 2014, the ICO was informed that a member of the public had hacked into an unencrypted historic database owned by Office. The database involved was in the process of being de-commissioned and was being held on a legacy server outside the core infrastructure of its current website.

Whilst certain technical measures were in place in order to minimise the risk of a data security breach taking place, these measures were not adequate and, as a result, a hacker was able to gain access to personal data relating to more than one million customers including their contact details and website passwords. No financial information was accessed.

The reason why Office had chosen to retain this historic information (some of which had become inaccurate) was to mitigate the risks associated with migration to its new system. However, in hindsight they consider that this approach may have been overly cautious and that it was not strictly necessary to retain this information.

What the Data ProtectionAct 1998 (Act) requires?

Principles 5 and 7 of the Act require that organisations processing personal data:

  • Do not store it for longer than necessary; and
  • Put in place appropriate technical and organisational measures to protect it

It was these two Principles which Office failed to satisfy. In particular, the ICO determined that Office had retained customer information held on the legacy database for longer than necessary and had failed to implement adequate security measures to protect it. It also noted that Office did not provide any formal data protection training to its staff and didn't have a data retention policy in place.

What action did the ICO take?

The ICO exercised its powers under Section 40 of the Act and issued an Enforcement Notice to the Office. In which, it ordered Office to enter into an Undertaking to ensure that personal data is processed in line with the fifth and seventh Data Protection Principles. In particular by:-

  • Ensuring that all its websites and servers are subject to regular penetration testing
  • Implementing new data protection policy documents within 3 months and ensuring that these include policies on the retention and disposal of customer data
  • Providing formal training to all its employees along with refresher training at regular intervals; and
  • Implementing such other security measures as are appropriate to ensure that personal data is protected

What can you do?

If you are concerned about whether or not your organisation is complying with the requirements of the Act or are unsure about what exactly the Act requires, please contact Aisling Duffy on 03700865089 or [email protected]


This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.