The news that Virgin Media have experienced a data breach is not so interesting as the consequences (see full story here).
On reporting the loss of a CD containing 3000 unencrypted customer records, the company has been ordered by the Information Commissioner’s Office (ICO) to encrypt all portable media that store or transmit personal data. Note that this instruction also extends to third parties processing data on their behalf.
The incident highlights the power and willingness of the ICO to impose sanctions, and also the fact that organisations are now obligated to report any data breaches that involve more than a thousand records.
Some of you might not be aware that the ICO's powers were recently strengthened following changes to the Criminal Justice and Immigration Act. You can read more about this at http://www.out-law.com/page-9110. If anyone is left in any doubt about how much power and authority the ICO is now wielding, simply review the organisations recently served with enforcement notices. The list includes government departments, large organisations, and small institutions alike: HMRC, Marks & Spencer, Carphone Warehouse, FCO, and so on. As Virgin Media have just found, it is not difficult to end up on that list.