The times they have a-changed since the ICO could only slap fines worth a fraction of the current amounts
British Airways and Marriott Starwood are facing massive fines in the United Kingdom for cyber-incidents that compromised the personal data of their customers.
Yesterday, the UK’s Information Commissioner’s Office (ICO) unveiled its intention to slap a fine of £183.4 million (roughly US$230 million) on the air carrier for a breach last year that compromised the personal data of half a million of its customers.
And today, the data watchdog revealed a similar plan for the hotel chain – a fine worth £99.2 million (around US$123 million) in response to a breach that exposed 383 million guest records.
Both penalties are for alleged violations of the European Union’s General Data Protection Regulation (GDPR). The penalty for British Airways is the first that the ICO intends to impose under the new legal regime and by far the highest that the data protection regulator has ever levied.
No. 1
As we also reported in September 2018, hundreds of thousands of the air carrier’s customers had their credit card details stolen last summer. As the full scope of the damage became clear, the range of compromised data grew to include more data, “including log in, payment card, and travel booking details as well name and address information”. The victim tally was also revised upwards to 500,000 people.
“This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers,” said the ICO after an extensive investigation, blaming the breach on the company’s “poor security arrangements”.
Said Information Commissioner Elizabeth Denham: “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways has already announced that it intends to “take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.
No. 2
Another day, another penalty, this time for an incident that hit one of the world’s largest hotel chains, exposing various personal data contained in hundreds of millions of guest records globally. The ICO, which put the number of exposed records at 339 million, said that some 30 million of them related to residents of 31 countries in the European Economic Area (EEA).
In this breach, disclosed in November 2018, an unauthorized party had accessed the reservations database since as far back as 2014. The compromised data included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For a subset of the victims, passport numbers, payment card numbers and payment card expiration dates were also pilfered.
Marriot Starwood has also already announced plans to appeal the ICO’s move.
Past vs. present
Either of the fines puts any penalty ever handed out by the ICO before to shame. Last July, for example, the ICO fined Facebook £500,000 (then equivalent to US$663,000) over the Cambridge Analytica scandal that saw the personal data of millions of users harvested without their knowledge. Still, it was the maximum allowed before GDPR came into force.
Meanwhile, fines imposed under GDPR can be as high as €20 million (US$22.4 million) or 4 percent of a company’s total worldwide annual turnover in the preceding financial year, whichever is greater. According to The Guardian, the proposed penalty for British Airways is equivalent to around 1.5 percent of the company’s global turnover last year. For Marriott, the fine would represent some 3 percent of the company’s global revenue in 2018, wrote TechCrunch.