This week, two British companies are facing fines for past data breaches. On Monday, the UK’s Information Commissioner’s Office (ICO) announced that British Airways will be fined a record £183 million after last year’s hack involving the personal data of half a million of the airline’s customers. That would be the ICO’s first GDPR fine. The next day, the spotlight turned to the international hotel giant Marriott, which is expected to receive a £99.2 million fine from the ICO for a 2014 breach involving 339 million guest records.
British Airways is facing some turbulence. The ICO is planning to issue the largest GDPR penalty to date to the airline, due to a 2018 cyber attack on its website that took place half a year after the GDPR came into force on May 25, 2018. The British Airways fine would beat the previous record of £500,000 issued to Facebook over the Cambridge Analytica scandal.
The GDPR requires that data breaches involving EU citizens be reported within 72 hours of discovery. British Airways reported the breach to the ICO one day after it was discovered. The airline was therefore fined not for the breach itself, but for the serious security failures that allowed the attackers to gain access.
Information Commissioner Elizabeth Denham commented by saying:
“People’s data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”
In a global hack, the personal records of 339 million Marriott International hotel guests were stolen, including credit card details, passport numbers, and birth dates. 30 million of the records related to residents of 31 countries in the European Economic Area (EEA).
The customer data theft occurred when the Starwood security system was breached in 2014, two years before Marriott acquired the Starwood hotel group in 2016. The theft of customer information was not discovered until 2018, however. The ICO said Marriott had failed to undertake sufficient due diligence when it acquired Starwood. The hacked database was located in the US, demonstrating that companies do not have to be in the EU/EEA to be subject to the GDPR.
The ICO’s actions serve as fresh guidance to companies that the core responsibility for data protection lies at their feet, regardless of whether direct responsibility for the breach can be attributed to them.
British Airways and Marriott both plan to appeal their respective fines. British Airways’ chief executive Alex Cruz said that the company was “surprised and disappointed” by the ICO’s decision, adding that the airline has found no evidence of fraudulent activity linked to the breach. The ICO noted that the company cooperated with its investigation and has made security improvements since the breach was discovered.
More fines are likely to follow as data protection authorities begin to exercise the powers granted to them under the GDPR. This week’s events should serve as a reminder to companies handling sensitive data that data security is non-trivial, and that managing data security risks should be a clear organizational priority.
We would like to hear more about your best practices around data security and to share our learnings, so don’t hesitate to get in touch at www.statice.ai.
Contact us and get feedback instantly.