In July 2019, the Information Commissioners Office (the “ICO”) issued notices that it intends to fine Marriot International £99.2 million and British Airways £183.4 million for infringements under the General Data Protection Regulation (“GDPR”).
The fines, which represent 1.5% of British Airways' turnover in 2017 and approximately 3% of Marriot International’s 2018 revenue, fall well within the remit of the monetary powers imposable by the ICO under the GDPR; suggesting that the independent regulatory body is taking a more active approach to its enforcement. The ICO is acting as lead Supervisory Authority leading on behalf of the other European data protection authorities. Each of the companies being fined is able to make representations to the ICO in respect of the proposals.
British Airways
On 8 July 2019, the ICO announced that it was intending to fine the second-largest airline in the United Kingdom, British Airways (“BA”), £183.4 million resulting from a data protection breach that the ICO found to have occurred in June 2018.
In September 2018, BA reported a cyber-incident to the ICO, whereby the personal data (forming names, addresses and payment card data) of approximately 500,000 of its customers were harvested by cyber attackers. Customers were redirected from the BA website to a false website. The failure to take appropriate technical measures is thought to stem from poor security measures having been adopted.
Marriott International
The ICO announced subsequently a fine on multinational hospitality company, Marriott International, for a sum totalling £99.2 million.
Marriott International notified the ICO in November 2018, of a cyber-incident concerning the records of 339 million hotel guests. Some 10% of these records related to residents within the EEA. It was understood that the records, which formed part of a ‘guest reservation database’ owned by Starwood Hotels Group (“Starwood) was compromised in 2014.
Whilst Starwood was not acquired by Marriott International until 2016, the ICO suggested that the due diligence steps taken by Marriott International during the acquisition process and its security arrangements used in discovering the breach were not adequate.
Next steps
Both BA and Marriott International will now be able to respond to the ICO’s announcements and make their own representations.
Regardless of the outcome of either party’s responses, however, the ICO has sent a clear message to UK organisations as to the stance it wishes to take towards information security and companies who have yet to put in place adequate measures to protect their customers’ data.
Beverley Flynn