10 Jul 2019

Double GDPR fines will total nearly £283 million

British Airways and Marriott incur GDPR wrath as ICO commissioner warns of “strong action.”

The UK Information Commissioner's Office (ICO) has announced its intention to fine British Airways and Marriott, as the commissioner stresses the ICO “will not hesitate to take strong action.”

British Airways

The BA fine will be a record £183.39 million, and relates to a data breach reported in September 2018. The breach is thought to have commenced in June 2018, when traffic to the British Airways site was diverted to a fraudulent website to harvest personal data such as names, addresses and credit card details. British Airways described the incident as a “sophisticated, malicious criminal attack” on its systems. British Airways has cooperated fully with the investigation, and improved its security and practices, but the ICO found that at the relevant time British Airways' cyber security was poor, allowing some 500,000 customers to be affected by the cyber-attack.

This is only the preliminary view of the Information Commissioner's Office, setting out its intentions in relation to the breach. British Airways will be given the opportunity to comment on the proposed sanction, as will the data protection regulators from other European countries where individuals have been affected, before the decision is made final. If the fine stands, it will be the largest fine imposed by the ICO and the first using its new powers under the GDPR.

Marriott breach

Marriott has disclosed in a filing with the SEC that the ICO intends to fine it roughly £99 million (U.S. $124 million) for infringements of the GDPR. The breach involved 339 million hotel guest records being exposed in a security incident. In November 2018, the Marriott hotel group revealed it had been the victim of a four-year campaign by hackers to steal customer data from its reservations system. Hackers breached the security systems of Starwood Hotels in 2014. Marriott bought Starwood in 2016, but didn't discover and then patch the breach until 2018. Marriott CEO Arne Sorenson said in a statement that he was “deeply disappointed” by the ICO decision and that he would contest it. Mr Sorenson said, “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”

Taking strong action

The Information Commissioner Elizabeth Denham said, “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” Ms Denham said, “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”