Record Fines for British Airways and Marriott Data Breaches

This week two major international companies, airline British Airways and hotel giant Marriott International made headlines for suffering data breaches.

The companies face £183 million ($228 million) and £99 million ($123 million) fines respectively for data breaches that infringed new requirements set out by the EU’s General Data Protection Legislation (GDPR). Both penalties, issued by the UK’s Information Commissioner’s Office, are over 200 times more than the previous highest fine imposed. These incidents serve as a stark indication of the severity of the new GDPR regime.

British Airways fined £183M ($228M) for 2018 website hack

It was first disclosed in September 2018 that British Airways had suffered a security breach in which users of the BA website and app were diverted to a fraudulent site. Through this fake site, attackers harvested the details of over 500,000 customers. According to the ICO, obtained information included names, addresses, login and travel booking details, and credit card details. The cyberattack was believed to be the work of Magecart, a threat group which has been active since 2015. Attacks usually involve injecting card-skimming scripts into vulnerable e-commerce domains for the purpose of stealing credit card and personal information. Other victims of the Magecart group have included Ticketmaster, Feedify and broadcaster ABS-CBN.

Following an extensive investigation into the incident, the ICO said that “poor security arrangements” at the company led to the breach and issued a notice of its intention to fine BA £183.39M for infringements of the General Data Protection Regulation (GDPR). 

“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny…to check they have taken appropriate steps to protect fundamental privacy rights.”

– Elizabeth Denham, Information Commissioner

BA will now have 28 days to appeal this penalty. This fine has broken records and illustrates just how harsh the new GDPR legislation is likely to be going forward.

Marriott International fined £99M ($123M) for Starwood data breach

Just two days after the British Airways announcement, the ICO proved that fines of this magnitude would continue under the GDPR’s new regime by issuing a £99 million ($123 million) fine to hotel giant Marriott for a data breach that exposed the personal information of up to 383 million guests. 

Marriott revealed last year that the central reservation database of Starwood hotel group (which it had acquired in 2016) had been hacked, exposing sensitive guest data including five million unencrypted passport numbers and eight million credit card records. The breach dated back to 2014 but authorities only discovered it in November 2018. 

In a statement, Information Commissioner Elizabeth Denham addressed the new standards that must be met by organizations under the GDPR:

“The GDPR makes it clear that organizations must be accountable for the personal data they hold…Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset…we will not hesitate to take strong action when necessary to protect the rights of the public.” 

Like British Airways, Marriott will have the chance to appeal these findings and the proposed penalty – once again a record-breaking amount issued under the GDPR’s new legislation. 

Finally feeling GDPR’s impact

Officially introduced in May 2018, we are only now seeing the real impact of the EU’s GDPR. The BA penalty was the first to go public since new rules made it mandatory to report data security breaches. The Marriott announcement following just days after. These fines of £183.39M and £99.2M will be the largest ever issued by the ICO. These penalties are 202 and 367 times as high as the previous record; £500,000 ($624,000) imposed on Facebook for its role in the Cambridge Analytica scandal. The Facebook incident affected as many as 87 million users.

Uber, Carphone Warehouse, Equifax, and TalkTalk have also had to pay over £400,000 ($500,000) each for similar incidents in recent years. However, GDPR now allows this maximum penalty to increase to 4% of annual turnover. Given that BA’s record fine only amounts to 1.5% of its worldwide turnover. These developments highlight the severity for companies who fail to take proper security measures around customer’s personal data. 

Worried about your data security under this new regime? Corrata is GDPR-compliant by design. To find out more, visit corrata.com or email info@corrata.com.

 For more industry news, insights and analysis – follow us on Twitter and LinkedIn!