Cybersecurity specialists report that the UK government fined American Express Services Europe $127,000 USD after the company illegally sent around 4 million marketing emails to customers who had not subscribed to its newsletter service. For its part, American Express states that these messages were not for advertising purposes but were intended to communicate the company’s regular activities, which is permitted under UK privacy law.
However, the UK Information Commissioner’s Office ordered an investigation, which revealed that of the 50 million “service” emails sent by the company, at least 4.9 million messages contained advertising targeted to some users.
The ICO says this was a completely deliberate action from which the company planned to profit, and adds that American Express continued this practice even after receiving multiple customer complaints.
As many will know, the Privacy and Electronic Communications Regulations (PECR) are a series of guidelines that give UK service users complete control over the type of messages they wish to receive at their email addresses, and give the ICO the ability to fine infringing companies.
In a later update, ICO Research Director Andy Curry mentioned, “We began to look into the incident after receiving multiple complaints from some users who were constantly receiving advertising via email despite having denied permission for this action.” Curry asked American Express and other companies to refrain from sending advertising to users who do not wish to receive such messages.
While this seems like a hefty fine, many experts believe that companies will not abandon this kind of practice. Cybersecurity researcher John Bambenek thinks that the fines in such cases are too low and won’t stop companies looking for greater income: “Current legislation is really ineffective, so a more proactive approach is needed and companies are really considering leaving this unethical practice behind.”