GDPR Breach Notifications: 3 Case Studies

When a data breach occurs under GDPR, organizations have just 72 hours to notify authorities. Delays or mishandling can lead to fines of up to €10 million or 2% of global revenue. This article examines three cases to uncover where businesses succeeded or failed in meeting these requirements:
- Case 1: Phishing Attack (South Staffordshire Water, 2022). A malware attack exposed sensitive data of 633,887 individuals. A delayed response and poor system monitoring led to a fine of £963,900 in May 2026.
- Case 2: Accidental Disclosure (Southend-on-Sea Council, 2023). A spreadsheet error exposed personal data of 2,130 people. The council reported the breach promptly and revised its processes, showing the importance of quick action.
- Case 3: Systemic Failures (Capita, Free Mobile, Intesa Sanpaolo). Weak access controls and ignored warnings led to breaches affecting millions. Fines ranged from €27 million to €31.8 million, with regulators emphasizing the need to address risks before breaches occur.
Key Lessons:
- Act Fast: Notify authorities within 72 hours, even if full details aren’t available.
- Preventative Measures: Regularly test systems, enforce access controls, and review data retention policies.
- Documentation: Keep detailed records of breach decisions to demonstrate compliance.
Businesses must ensure they’re prepared to handle breaches effectively to avoid regulatory penalties and reputational damage.
Case Study 1: Phishing Attack Leading to Employee Data Breach
Incident Overview
In May 2022, South Staffordshire Water fell victim to a well-orchestrated cyberattack that started with an employee unknowingly opening a malicious email attachment. This action activated malware that remained undetected for an astounding 20 months, eventually granting hackers domain administrator privileges.
Between August and November 2022, the attackers published 4.1 terabytes of sensitive data on the dark web. This breach exposed the personal details of 633,887 individuals, including 2,791 current employees and 2,298 former employees. The compromised information included names, addresses, National Insurance numbers, and even bank details.
Response and Notification Process
A critical issue in this case was the delayed detection of the breach. At the time, South Staffordshire Water actively monitored only 5% of its IT environment, allowing the malware to operate undetected for nearly two years.
For comparison, in another incident involving a broadcasting firm, the firm's automated system flagged a phishing attack within just 17 minutes. However, IT personnel mistakenly reactivated the flagged account, demonstrating that detection alone isn't enough. Without clear and effective response protocols, even early warnings can fail to prevent damage.
This lack of swift action and preparedness at South Staffordshire Water contributed to the severity of the breach and paved the way for regulatory consequences.
Regulatory Outcome and Lessons Learned
In May 2026, the ICO imposed a fine of £963,900 on South Staffordshire Water. The ICO emphasized the importance of proactive security measures:
"Waiting for performance issues or a ransom note to discover a breach is not acceptable. Proactive security is a legal requirement, not an optional extra." - Ian Hulme, ICO Interim Executive Director for Regulatory Supervision
A similar case involving Argon Medical Devices, which faced delays in response, resulted in a fine of NOK 2,500,000. These examples highlight that the consequences of a breach extend beyond the attack itself - regulators focus heavily on how quickly and transparently organizations act after an incident.
This case underscores the GDPR's broader requirement for prompt and effective breach responses, a standard that applies across all scenarios discussed in this article.
Case Study 2: Accidental Public Disclosure of Personal Data
Incident Overview
Administrative errors can lead to data breaches just as easily as cyberattacks.
In November 2023, Southend-on-Sea City Council in the UK responded to a Freedom of Information (FOI) request by uploading a spreadsheet online. They believed the file had been anonymized, but it wasn't. The spreadsheet exposed sensitive data belonging to 2,130 individuals, including 1,854 current staff members, 276 former employees, and several councillors. The leaked information included names, addresses, National Insurance numbers, salary details, pension information, and equal opportunities data.
The issue? Anyone with basic spreadsheet skills could access the concealed data. The council admitted:
"The personal details would have been available to anyone who knew how spreadsheets worked." - Southend-on-Sea City Council
This mistake triggered internal reviews and led to changes in their processes.
Response and Notification Process
When the breach was discovered, Southend-on-Sea City Council reported the incident to the Information Commissioner's Office (ICO) and stopped using spreadsheets for FOI responses.
A similar lapse occurred in March 2023 at Public Digital, a digital consultancy. A staff member accidentally sent a single DocuSign consent form to eight research participants at once, exposing the names of three individuals who had already signed. The team quickly revoked access and used the ICO's self-assessment tool, which determined the breach posed a low risk to the individuals involved. They reached out to the three affected participants to apologize and offered them the option to withdraw from the study. All three chose to continue.
"Public Digital advocates a no blame culture which prioritises fixing the problem over pinning responsibility on individuals." - Matt Harrington, Director, Public Digital
This approach highlights the importance of encouraging staff to report errors promptly. A blame-free environment improves compliance with GDPR's 72-hour notification requirement.
Regulatory Outcome and Lessons Learned
The Southend-on-Sea case underscores how accidental disclosures often result from weak procedures rather than malicious intent. The solution was simple: stop using spreadsheets for FOI responses, as they carry too much risk of hidden data.
The broader takeaway is the importance of proactive safeguards in routine workflows. A few straightforward steps can help prevent administrative errors:
- FOI responses: Use formats that eliminate the risk of hidden tabs or embedded data.
- DSARs (Data Subject Access Requests): Always manually review automated document searches. For example, in 2026, an unnamed law firm inadvertently disclosed 3,300 documents, many of which were legally privileged and unrelated to the request.
- Encrypted file sharing: Always send the password through a separate channel, like a phone call or SMS, instead of emailing it to the same recipient.
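As an added example (not code from the article, from Southend-on-Sea City Council or from any of the organizations named), a standard-library Python check that inspects an .xlsx before it is published, reporting hidden sheets, hidden rows and hidden columns, which is where data believed to be anonymised usually survives. The part paths and attribute names are those of the Office Open XML spreadsheet format; the sample workbook is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": MAIN}

def find_hidden_content(xlsx_bytes: bytes) -> list[str]:
    """Scan an .xlsx (a ZIP of XML parts) for hidden sheets, rows and columns.
    Excel records sheets as state="hidden"/"veryHidden" and rows or columns as
    hidden="1"; the cell values still travel inside the file in every case."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.iterfind("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"sheet {sheet.get('name')!r} has state {state}")
        for part in sorted(zf.namelist()):
            if not (part.startswith("xl/worksheets/") and part.endswith(".xml")):
                continue
            ws = ET.fromstring(zf.read(part))
            cols = [c.get("min") for c in ws.iterfind("m:cols/m:col", NS)
                    if c.get("hidden") == "1"]
            rows = [r.get("r") for r in ws.iterfind("m:sheetData/m:row", NS)
                    if r.get("hidden") == "1"]
            if cols:
                findings.append(f"{part}: hidden column(s) starting at {', '.join(cols)}")
            if rows:
                findings.append(f"{part}: hidden row(s) {', '.join(rows)}")
    return findings

def build_sample_xlsx(with_hidden: bool) -> bytes:
    """Constructed sample workbook (not a real FOI release): a visible 'Summary'
    sheet and a 'Staff' sheet; with_hidden hides 'Staff' plus one column and row."""
    hidden_attr = ' state="hidden"' if with_hidden else ""
    workbook = (f'<workbook xmlns="{MAIN}" xmlns:r="{REL}"><sheets>'
                '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
                f'<sheet name="Staff" sheetId="2" r:id="rId2"{hidden_attr}/></sheets></workbook>')
    cols = '<cols><col min="3" max="3" width="0" hidden="1"/></cols>' if with_hidden else ""
    row2 = ('<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>NI number</t></is></c></row>'
            if with_hidden else "")
    summary = (f'<worksheet xmlns="{MAIN}">{cols}<sheetData>'
               '<row r="1"><c r="A1" t="inlineStr"><is><t>Department</t></is></c></row>'
               f'{row2}</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", summary)
        zf.writestr("xl/worksheets/sheet2.xml", f'<worksheet xmlns="{MAIN}"><sheetData/></worksheet>')
    return buf.getvalue()
```

Run `find_hidden_content(build_sample_xlsx(with_hidden=True))` to see the three findings the constructed workbook produces; an empty result is the only acceptable state before a file leaves the organization.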
Another case, involving Santander Bank Polska, highlights the consequences of inadequate safeguards. In February 2021, the bank reported a breach to Poland's data protection authority (UODO) after a former employee used still-active credentials to access the ZUS PUE platform five times over eight months, exposing the personal and health data of 10,500 people. The UODO fined the bank EUR 120,000 and required them to notify all affected individuals. The regulator also criticized the bank's lack of cooperation during the investigation, which influenced the penalty.
What ties these cases together? Administrative breaches are avoidable - but only if organizations treat data handling with the same rigor as cybersecurity. These incidents highlight the need for strong protocols, providing valuable lessons for businesses moving forward.
Case Study 3: Systemic Data Protection Failures
Incident Overview
Some data breaches aren’t the result of external hacking but rather deep-rooted internal flaws.
Take, for example, the case of Intesa Sanpaolo. In March 2026, Italy's Data Protection Authority (DPA) revealed that one employee exploited a "full circularity" access model to view client data 6,637 times from February 2022 to April 2024. This wasn’t a cyberattack - it was a system design issue. The access model allowed employees to query the entire client database without restrictions or prior approvals.
A similar oversight occurred in the UK. In October 2025, the Information Commissioner's Office (ICO) fined Capita plc and its subsidiary Capita Pension Solutions Limited a total of £14,000,000. This penalty followed a March 2023 breach where attackers gained access to one terabyte of data, affecting 6.6 million individuals. The breach exploited privilege escalation vulnerabilities that had already been flagged in three separate penetration tests.
In France, Free Mobile faced a €27,000,000 fine from the CNIL in January 2026. This followed an October 2024 breach that exposed 24 million subscriber contracts. Among the exposed data were records for 15 million terminated contracts, some of which had been retained for over a decade.
These cases underscore how systemic lapses can lead to massive data exposures, forcing organizations to implement immediate corrective actions.
Response and Mitigation Measures
Each company responded with tailored measures to address its systemic failures.
Intesa Sanpaolo introduced enhanced monitoring systems, automated escalations for unusual queries, and dynamic data masking. However, these fixes came after two years of undetected unauthorized access.
Capita addressed the vulnerabilities flagged in its penetration tests by implementing Privileged Access Management (PAM). The ICO, however, made it clear that these improvements didn’t excuse earlier inaction:
"Post-incident improvements do not remove earlier failures, especially where basic preventative steps were missing." - Information Commissioner's Office (ICO)
Free Mobile was ordered to finalize a system for purging outdated data, ensuring that it could differentiate between active and canceled subscriptions. This was a direct response to their excessive data retention practices.
Regulatory Outcome and Lessons Learned
Regulators made it clear that ignoring systemic risks can result in severe penalties. In these cases, the fines were aggravated by the fact that warnings had been overlooked. The table below summarizes the penalties and the critical failures involved:
| Organization | Fine | Key Failure |
|---|---|---|
| Intesa Sanpaolo | €31,800,000 | Unrestricted circular access model; no anomaly detection for over 2 years |
| Capita plc | £14,000,000 | Ignored three penetration test findings; lack of effective PAM |
| Free Mobile | €27,000,000 | Retained data for 15+ million terminated contracts; no timely purging mechanism |
The Italian DPA summed it up succinctly:
"The central issue was not the breach itself, but the systemic design of access controls that failed to detect suspicious behavior for more than two years." - Garante (Italian DPA)
The takeaway is simple: failing to address known risks isn’t just poor planning - it’s negligence in the eyes of regulators. Whether it’s outdated data retention, unresolved security vulnerabilities, or overly permissive access controls, the time to act is before a breach, not after.
Key Takeaways for Businesses
These insights, drawn from real-world examples, highlight the importance of prompt and well-documented responses to data breaches.
Common Breach Notification Pitfalls
Looking at the case studies, certain recurring mistakes in breach notification practices stand out. Delays and poor documentation often worsen the impact of breaches. For instance, some organizations postpone notifications while waiting to complete a full risk assessment, which violates GDPR guidelines. The European Data Protection Board (EDPB) clarifies this point:
"The notification does not need to be postponed until the risk and impact surrounding the breach has been fully assessed, since the full risk assessment can happen in parallel to notification." - European Data Protection Board (EDPB)
Another frequent issue is the failure to document decisions not to report breaches. Without written justification, organizations lack evidence to support their actions during audits.
Additionally, sending out too many notifications for minor, low-risk incidents can lead to "alert fatigue", where people start ignoring all notifications - even the critical ones.
Best Practices for GDPR Compliance
Regulators have found that weak technical controls are often the root cause of data breaches. To align with GDPR expectations, businesses should prioritize the following measures:
- Privileged Access Management (PAM) and Active Directory Tiering: These controls help limit lateral movement in the event of compromised credentials.
- Regular Penetration Testing: Conduct tests frequently and share findings across all departments to address vulnerabilities.
- Encryption of Sensitive Data: Protect highly sensitive information, such as health records or passport scans, with encryption.
- Detailed Incident Logs: Maintain thorough records of every incident, including the reasoning behind decisions.
The Marriott case illustrates the risks of insufficient due diligence. When Marriott acquired Starwood in 2016, it inherited a breach that had been active since 2014. This breach exposed 339 million guest records worldwide and resulted in an £18.4 million fine. Comprehensive data protection audits during mergers and acquisitions are critical to avoid taking on such liabilities.
Building a Breach Response Plan
To avoid these pitfalls, organizations need strong technical safeguards and a clear, actionable breach response strategy.
An effective response plan must be rigorously tested and supported by a well-trained team. In the Capita case, for example, a high-priority alert was triggered just 10 minutes after a malicious JavaScript download. However, the Security Operations Center (SOC) failed to act for nearly two and a half days, allowing attackers to extract nearly one terabyte of data, impacting 6.6 million individuals.
A solid response plan should include:
- A defined internal notification process and escalation path for urgent alerts.
- Clear roles for drafting and submitting notifications to supervisory authorities.
- Comprehensive staff training to help employees identify phishing attempts and report incidents correctly.
While post-incident improvements can reduce penalties, they cannot erase prior failings. The best time to implement these systems is before a breach happens.
Conclusion
The three case studies in this article highlight a recurring theme: preventable mistakes made worse by delayed action. Whether it was a phishing attack compromising employee information, an accidental public exposure of sensitive data, or ongoing negligence that left data unsecured, the real damage was often a result of what organizations failed to do - both before and immediately after the breach.
As GDPR points out:
"A breach isn't only when a hacker gets in - it can be when you fail to look after data properly, fail to be transparent, fail to secure it, or fail to act when you know something is wrong."
In other words, breaches aren't just about external threats - they're also about internal lapses in protecting data and responding effectively. This broader view shifts the responsibility from just IT departments to the entire organization.
The 72-hour notification rule is a clear test of readiness. Meeting this deadline requires more than good intentions - it demands documented procedures, trained staff, and a well-rehearsed response plan. While improvements made after an incident can help mitigate penalties, they don't erase the root causes of the failure.
Take the time to assess and refine your breach response strategies now - before you're forced to act under pressure.
FAQs
What qualifies as a GDPR “personal data breach”?
A GDPR "personal data breach" happens when a security issue leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data. Essentially, it covers any situation that jeopardizes the confidentiality, integrity, or availability of someone's personal information.
What should we report if we don’t have all the breach details within 72 hours?
If you can’t gather all the breach details within 72 hours, notify the relevant authority with whatever information is available at that time. When you submit the full report later, make sure to explain the reason for the delay. Sending timely updates shows both compliance and a commitment to transparency, even if the initial report lacks some details.
Do we need to notify affected individuals as well as the regulator?
Yes, if a breach presents a high risk to the rights and freedoms of individuals, you are required to notify both the affected individuals and the relevant regulator. This is a fundamental obligation under GDPR, aimed at ensuring transparency and safeguarding those impacted.