ARTICLE
29 October 2025

Guernsey Business Fined £100k Over Major Data Breach - Key Lessons For Organisations

Jamie Bookless, Walkers (Contributor)

Walkers is a leading international law firm which advises on the laws of Bermuda, the British Virgin Islands, the Cayman Islands, Guernsey, Ireland and Jersey. From our 10 offices, we provide legal, corporate and fiduciary services to global corporations, financial institutions, capital markets participants and investment fund managers.
The Data Protection Authority in Guernsey (Authority) has imposed a £100,000 administrative fine on a business following a significant personal data breach that exposed special category data.


Background

In December 2021, a local business became aware of a cyber incident after receiving a series of suspicious emails suggesting that its e-mail server had been accessed by cyber criminals. An internal investigation later confirmed that the server had, in fact, been compromised in August 2021, through the exploitation of multiple vulnerabilities.

These vulnerabilities allowed attackers to access and steal e-mails which were stored on the server, many of which contained sensitive special category data. The stolen e-mails were subsequently used in multiple phishing campaigns targeting customers of the business over a period of several months. While the total number of compromised e-mails remains unknown, thousands of clients were potentially exposed.

The business reported the incident to the Authority in accordance with its obligations under the Data Protection (Bailiwick of Guernsey) Law, 2017 (Law), triggering a formal inquiry.

Findings of the inquiry

The Authority's investigation found that the business had failed to take reasonable steps to ensure the security of personal data, thereby breaching the Law.

Key failings identified included:

  • Failure to apply security updates: The business did not routinely install updates to its e-mail server for over 13 months, including those directly related to the vulnerabilities exploited in the breach.
  • Deficient threat detection: Gaps in the configuration and monitoring of threat detection software resulted in missed opportunities to identify the unauthorised access.
  • Delayed detection: There was a three-and-a-half-month delay between the initial server compromise and its detection.
  • Inadequate breach investigation: The business's internal inquiry did not identify the root cause of the server's vulnerabilities or the failures in its threat detection processes.

Why this matters

Under the Law, organisations are required to take reasonable steps to ensure an appropriate level of security for personal data. This includes implementing technical and organisational measures to mitigate the risk of breaches, especially when handling special category data.

The Authority determined that the business failed to implement even fundamental information security measures. As a result, sensitive customer data was compromised and individuals were exposed to potential harm through phishing and other cyberattacks.

Regulatory outcome

Given the seriousness of the failings and the sensitivity of the affected data, the Authority concluded that the legal threshold for a financial penalty had been met.

The business has accordingly been fined £100,000, structured as follows:

  • £75,000 payable within 60 days of this determination.
  • £25,000 payable in 14 months' time, which will be waived if the business fully implements its Action Plan of remedial security measures within that period.

Lessons for organisations

The Authority emphasised that the case highlights several key lessons for all organisations handling personal data:

  • Timely security updates are essential. Organisations must have robust processes to ensure that software updates and patches are installed promptly. The Authority recommends following the National Cyber Security Centre's guidance on Vulnerability Management.
  • Security is an ongoing responsibility. Measures must be regularly reviewed, configured correctly and tested to ensure ongoing effectiveness.
  • Effective incident response is critical. When a breach occurs, organisations must identify not only what happened but also why and how it was able to happen. Understanding the root cause is vital to preventing recurrence.
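
The patching failure described above (no updates applied to the e-mail server for over 13 months, including the updates for the vulnerabilities that were exploited) is something an organisation can measure for itself rather than discover in an inquiry. The script below is an added example, not code from the original article or from the Authority's decision: for each vendor advisory it computes the exposure window (days between the advisory being published and a fixed version going live, or to today if no fix is installed) and flags windows that exceed a patching SLA. The component names, versions, dates and change history are constructed for illustration, and the 14/14/30/90-day SLA values are an assumed policy, not figures taken from the article or from the NCSC guidance it cites.

```python
"""Patch-exposure report for internet-facing components (added example).

For each advisory: how many days did the component run without the fix,
is it patched yet, and does the exposure breach the patching SLA?
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    """A vendor security advisory: affected component, first fixed version, publication date."""
    component: str
    fixed_version: Version
    published: date
    severity: str  # "critical", "high", "medium" or "low"


@dataclass(frozen=True)
class Install:
    """One change-log entry: this version of this component went live on this date."""
    component: str
    version: Version
    installed: date


# Assumed policy: days allowed between advisory publication and an installed fix.
# Illustrative values, not quoted from the article or from NCSC guidance.
SLA_DAYS: Dict[str, int] = {"critical": 14, "high": 14, "medium": 30, "low": 90}


def exposure(advisory: Advisory, history: List[Install], today: date) -> Tuple[int, bool]:
    """Return (days exposed, patched?).

    Exposure starts when the advisory is published and ends on the first day a
    version >= fixed_version was live. If no such version was ever installed,
    the window runs to `today`. A fix that was live before publication gives 0.
    """
    fix_dates = [
        r.installed
        for r in history
        if r.component == advisory.component and r.version >= advisory.fixed_version
    ]
    if not fix_dates:
        return (today - advisory.published).days, False
    first_fix = min(fix_dates)
    return max(0, (first_fix - advisory.published).days), True


def patch_report(advisories: List[Advisory], history: List[Install], today: date) -> List[dict]:
    """One row per advisory, SLA breaches first, longest exposure first within each group."""
    rows = []
    for adv in advisories:
        days, patched = exposure(adv, history, today)
        rows.append({
            "component": adv.component,
            "severity": adv.severity,
            "fixed_version": ".".join(map(str, adv.fixed_version)),
            "exposure_days": days,
            "patched": patched,
            "breach": days > SLA_DAYS[adv.severity],
        })
    rows.sort(key=lambda r: (not r["breach"], -r["exposure_days"]))
    return rows


# Constructed sample data (not from the article).
TODAY = date(2022, 1, 5)
ADVISORIES = [
    Advisory("mail-server", (2, 15, 1), date(2021, 3, 2), "critical"),
    Advisory("imap-daemon", (3, 0, 2), date(2021, 9, 1), "high"),
    Advisory("webmail-tls-lib", (1, 1, 1), date(2021, 6, 10), "medium"),
    Advisory("spam-filter", (7, 4, 0), date(2021, 11, 20), "low"),
]
HISTORY = [
    Install("mail-server", (2, 14, 0), date(2020, 11, 1)),
    Install("mail-server", (2, 16, 0), date(2021, 12, 20)),  # fixed only after the incident surfaced
    Install("imap-daemon", (3, 0, 1), date(2021, 1, 10)),    # never upgraded: still exposed today
    Install("webmail-tls-lib", (1, 1, 1), date(2021, 6, 15)),  # fixed within five days
    Install("spam-filter", (7, 4, 0), date(2021, 11, 1)),    # fix was live before the advisory
]

if __name__ == "__main__":
    for r in patch_report(ADVISORIES, HISTORY, TODAY):
        flag = "BREACH" if r["breach"] else "ok"
        state = "patched" if r["patched"] else "STILL UNPATCHED"
        print(f"{flag:6} {r['component']:16} {r['severity']:8} fixed in {r['fixed_version']:7} "
              f"exposed {r['exposure_days']:4}d ({state})")
```

Run against a real change log and advisory feed, the rows marked "STILL UNPATCHED" are the items a routine update process should never let accumulate, and the exposure figures are what an internal investigation needs in order to say how long a server was vulnerable, which is the root-cause question the inquiry found the business had not answered.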

Conclusion

This enforcement action serves as a reminder that maintaining the security of personal data is a continuous process. Organisations entrusted with sensitive information, and particularly special category data, must ensure their systems and procedures are robust, current, and capable of withstanding evolving cyber threats.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
