Bounty UK, a pregnancy and parenting club, has been hit with the equivalent of a $524,000 fine for illegally sharing personal information belonging to more than 14 million people with credit reference and marketing agencies, Britain’s data protection authority announced Friday.
The U.K. Information Commissioner’s Office fined Bounty UK £400,000 for collecting personal information “directly from new mothers at hospital bedsides,” through merchandise claim cards, its website and mobile app. The company collected information from new mothers, mothers-to-be, as well as the birth dates and genders of young children, according to the ICO.
Bounty UK then would supply that data, some 34.4 million records, to 39 third party services including Equifax and other data brokers that in the past have failed to protect customer information. The fine was enforced for violations of the U.K.’s Data Protection Act, which requires firm to be transparent in their data collection practices, and involves activity from 2017 and 2018, before the General Data Protection Regulation (GDPR) took effect.
“Bounty’s actions appear to have been motivated by financial gain, given that data sharing was an integral part of their business model at the time,” Steve Eckersley, the ICO’s director of investigations, said in a statement.
“Such careless data sharing is likely to have caused distress to many people, since they did not know that their personal information was being shared multiple times with so many organisations, including information about their pregnancy status and their children.”
Bounty advertises itself as a parenting company that welcomes new mothers “into an online community where they can share problems, worries, tips and achievements with a support network of mums who are going through the same thing.”
One of Bounty’s clients was Acxiom, a database marketing firm which offers an ad targeting tool that allows clients to target customers based on their demographics. Corporate partners include Facebook, Cisco, IBM, Outbrain and MongoDB, according to Acxiom’s website.
Recent security incidents have increased awareness about the potential issues that come with sharing sensitive information without the proper protocols. Researchers discovered in February that an e-ticketing system used by eight airlines, including Southwest, was inadvertently exposing customers’ flight information, CyberScoop reported. Companies throughout the private sector now are experimenting with various ways of assessing their partners’ security risks both because of regulatory scrutiny and the apparent likelihood hackers will steal their information.