Is the ICO starting to show they will not tolerate data breaches?
Marriott to be fined over £99m for GDPR breach
Yesterday we reported the ICO intend to fine BA £183m for a data breach that saw half a million of their customers’ personal and credit card details stolen. Less than 24 hours later the ICO has announced they now plan to fine international hotel group Marriott £99.2m after hackers stole the records of 339 million guests of their Starwood subsidiary.
Although the hacking started before Marriott acquired the Starwood group in 2016, the ICO said the reason for fining Marriott is that they failed to undertake sufficient due diligence when it bought Starwood and the ICO believes Marriott could and should have done more to secure its IT systems.
Marriott have said they will appeal against the fine.
Is British Airways about to receive a £183m fine for breaching GDPR?
According to an announcement from the Information Commissioner’s Office (ICO), the ICO is intending to fine British Airways £183m for a breach of its security systems in 2018.
It’s no surprise that the airline’s owner IAG say they are “surprised and disappointed” by the size of the fine for falling victim to what they’ve described as a “sophisticated, malicious criminal attack” a fine that would not only be by far the largest handed out by the ICO but also the first to be made for infringements of the GDPR.
The fine is intended to be imposed after it was discovered hackers had diverted customers from the British Airways’ website to a fake site allowing the hackers to steal the personal information of an estimated 500,000 BA customers, details that included names, email addresses, and credit card numbers, expiry dates and 3 digit CVV codes.
Information Commissioner Elizabeth Denham was unapologetic:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience … the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
It’s believed the incident started in June 2018 but BA didn’t disclose the theft until 6th September by which time an estimated 380,000 transactions had been compromised. British Airways’ chairman and CEO has said all of the customers involved will be “100% compensated” and that the airline has co-operated fully with the resultant investigation. However, the ICO is more concerned by the poor security arrangements the company had in place which made the hack possible.
British Airways will now have opportunity to make representations to the ICO as to the proposed findings and sanction before the ICO makes its final decision.
To put the proposed fine into context, under the previous regime (governed by the Data Protection Act 1998) the biggest fine imposed had been the £500,000 Facebook were charged for their role in the Cambridge Analytica scandal.
That was the maximum allowed at the time, but the BA fine would be the first to take advantage of the new GDPR rules which state a company can be fined up to €20m or 4% of their turnover (whichever is higher) depending on the seriousness of the breach. If BA are required to pay £183m that would represent 1.5% of their last reported annual turnover and would therefore be a serious statement of intent from the ICO.
If you would like to make sure your company is fully GDPR compliant or would like to discuss any issues around your approach to protecting your both customer and employee personal data please call Carys Everitt on 0114 252 1485 or email Carys at email@example.com.