Free Trial

GDPR Bites – What’s Behind the Record Fines for British Airways and Marriott Data Breaches?

By Colm 10th July 2019

This week it was announced that two major international companies, airline British Airways and hotel giant Marriott International, would be fined £183 million ($228 million) and £99 million ($123 million) respectively for data breaches that infringed new requirements set out by the EU’s General Data Protection Legislation (GDPR). The record penalties, issued by the UK’s Information Commissioner’s Office (ICO), are both over 200 times more than the previous highest fine imposed and serve as a stark indication of the severity of the new GDPR regime.

British Airways fined £183M ($228M) for 2018 website hack

It was first disclosed in September 2018 that British Airways had suffered a security breach in which users of the BA website and app were diverted to a fraudulent site. Through this fake site, details of approximately 500,000 customers were harvested by attackers, which according to the ICO, included names, addresses, login and travel booking details, and credit card information. The cyberattack was believed to be the work of Magecart, a financially-motivated threat group which has been active since 2015. Attacks usually involve injecting card-skimming scripts into vulnerable e-commerce domains for the purpose of stealing credit card and personal information. Other victims of the Magecart group have included Ticketmaster, Feedify and broadcaster ABS-CBN.

Following an extensive investigation into the incident, the ICO said that “poor security arrangements” at the company led to the breach and issued a notice of its intention to fine BA £183.39M for infringements of the General Data Protection Regulation (GDPR). 

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Elizabeth Denham, Information Commissioner

BA will now have 28 days to appeal this penalty – a fine that has broken records and illustrated just how harsh the new GDPR legislation is likely to be going forward.

Marriott International fined £99M ($123M) for Starwood data breach

Just two days after the British Airways announcement, the ICO proved that fines of this magnitude would continue under the GDPR’s new regime by issuing a £99 million ($123 million) fine to hotel giant Marriott for a data breach that exposed the personal information of up to 383 million guests. 

Marriott revealed last year that the central reservation database of Starwood hotel group (which it had acquired in 2016) had been hacked, exposing sensitive guest data including five million unencrypted passport numbers and eight million credit card records. The breach dated back to 2014 but was not discovered until November 2018 and is believed to have affected about 30 million residents of the European Union. 

In a statement, Information Commissioner Elizabeth Denham reiterated the new responsibilities and standards that must be met by organizations under the GDPR:

“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.

Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.” 

Like British Airways, Marriott will have the opportunity to appeal these findings and the proposed penalty – once again a record-breaking amount issued under the GDPR’s new legislation. 

Finally feeling GDPR’s impact

Officially introduced in May 2018, we are only now seeing the real impact of the EU’s GDPR. The penalty imposed on BA was the first to be made public since the new rules made it mandatory to report data security breaches to the information commissioner, with the Marriott announcement following just days after. These fines of £183.39M and £99.2M will be the largest ever issued by the ICO and are approximately 202 and 367 times as high as the previous record; £500,000 ($624,000) imposed on Facebook for its role in the Cambridge Analytica scandal, which affected as many as 87 million users. Under the Data Regulation Act 1998, this was the maximum penalty that could be issued for a data breach and it was under this law that companies such as Uber, Carphone Warehouse, Equifax, and TalkTalk have also been fined over £400,000 ($500,000) each for similar large security incidents in recent years.

However, GDPR now allows this maximum penalty to increase to 4% of annual turnover. Given that BA’s record fine only amounts to 1.5% of its worldwide turnover, this week’s developments serve as a stark indication of what could be on the horizon for companies that fail to to take measures to guarantee the security of their customers’ and employees’ personal data. 


Worried about your data security capabilities under this new regime? Corrata is GDPR-compliant by design. We provide robust, comprehensive mobile device protection and control that minimizes data collection and operates on-device only to ensure that users stay safe and secure from cyber threats, excessive costs, and GDPR concerns. To find out more, visit or email


For more industry news, insights and analysis – follow us on Twitter and LinkedIn!