The UK’s data watchdog has fined pregnancy and parenting club Bounty £400,000 for illegally selling personal details of more than 14 million parents to credit reference and marketing agencies.
The Information Commissioner’s Office (ICO) said that Bounty collected personal information, such as the gender and birth date of a new-born child, for its membership registration.
Data was collected via its website and mobile app, as well as physically through cards filled out by new mothers in their hospital beds for merchandise packs.
Bounty then shared this personal data with 39 organisations between June 2017 and April 2018 without making it clear to the individual how their data would be used.
In total, Bounty shared around 34.4 million records with credit reference and marketing agencies, including Equifax, Acxiom, Indicia and Sky.
The ICO said it was an “unprecedented” case for it in terms of the volume of people affected and as such has hit Bounty with a near-maximum fine.
Because the offence took place before the EU’s stricter General Data Protection Regulation came into force, the breach was dealt with under the Data Protection Act 1998, which has a maximum fine of £500,000.
Bounty fined: “We were not robust enough”
Steve Eckersley, ICO’s director of investigations, said: “The number of personal records and people affected in this case is unprecedented in the history of the ICO’s investigations into the data broking industry and organisations linked to this.
“Bounty were not open or transparent to the millions of people that their personal data may be passed on to such a large number of organisations. Any consent given by these people was clearly not informed.
“Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time.”
In a statement, Bounty managing director Jim Kelleher said:
“We acknowledge the ICO’s findings – in the past we did not take a broad enough view of our responsibilities and as a result our data-sharing processes, specifically with regards to transparency, were not robust enough. This was not of the standard expected of us. However, the ICO has recognised that these are historical issues. Our priority is to continue to provide a valuable service for new parents that is both helpful and trusted.”
He added that Bounty has since reduced both the number of personal records it keeps and how long it keeps them. It has also ended its relationships with the data brokerage companies it worked with, implemented GDPR training for its staff and appointed an independent data expert to monitor Bounty’s progress.
Bounty fined, but Equifax continues to haunt
The most alarming implication for Bounty’s illegal data sharing is that criminals could now be in possession of the personal details of babies.
Between May and July 2017, Equifax suffered a gigantic data breach in which criminals stole sensitive personal data of 143 million people, in what is arguably the biggest data security scandal of the decade. Around 15 million of those were UK citizens.
Bounty shared data with Equifax between June 2017 and April 2018. This means there was a one-month overlap between the period in which Equifax held data illegally acquired from Bounty and the period in which cybercriminals were stealing personal data held by Equifax.
Although there is no way of knowing whether Bounty customer data was stolen, it creates a situation in which parents gave their personal details to a company that then sold it to a data broker – without their knowledge – for that data to then be potentially stolen by cybercriminals.
Cybercriminals need only a few breadcrumbs of personal data to commit fraud. If any babies had their data stolen in the data breach, criminals can start piecing together their identity before they’ve even learnt to walk.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children,” said Eckersley.