Mega fines imposed by the Information Commissioner’s Office on British Airways and Marriott


The Information Commissioner’s Office (ICO) has wielded its powers and announced the intention to impose mega fines of £183.4 million and £99.2 million respectively on British Airways (BA) and Marriott International Inc. (Marriott) for data breaches in both companies.

These are the biggest penalties imposed since Facebook was fined £500,000 for its role in the Cambridge Analytica data scandal (the maximum previously allowed under the old data protection rules).

On the 8th of July it was announced that the ICO intended to impose a £183.4 million fine on BA for its data breach that took place in 2018. The breach saw the personal details of around 500,000 people compromised. Names, addresses, login credentials, payment card details and travel booking information were accessed after hackers installed malware on BA’s website, which directed customers to a fraudulent website where their personal information was harvested. Whilst none of the details of the ICO’s investigative findings have been made public, it is alleged that the breach was due to BA’s ineffective security protocol. The fine imposed is the largest penalty announced to date for alleged GDPR violations, and represents approximately 1.5% of the airline’s annual revenue.

24 hours later, Marriott was faced with a similar fine of £99.2 million. This was due to a vulnerability in the systems of the Starwood hotel group, which Marriott acquired in 2016, that led to the exposure of 229 million guest records. Upon discovery of the breach in 2018, Marriott reported it to the ICO, which then began its inquiry. The ICO’s investigation revealed that Marriott had failed to undertake sufficient due diligence when it acquired the Starwood Hotel Group.

Both BA and Marriott now have the chance to respond to the notices of intent, after which a final decision will be made by the ICO.

It has been a little over a year since the GDPR went into effect (25 May 2018), and these fines hammer home the seriousness of data protection and the importance of conducting proper due diligence in cyber-security and privacy matters. This is particularly relevant in M&A transactions when acquiring a company that processes significant amounts of personal data. The ICO can seek a fine of up to 4% of a company’s global annual revenue for a breach under the GDPR.

“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Elizabeth Denham, the Information Commissioner. “This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”

These large fines are reserved for the biggest breaches and multi-national businesses, but smaller businesses should still pay attention to the greater focus placed on compliance and the significantly increased resources of the ICO: even much smaller fines of £50,000 – £100,000 will have a large impact on smaller businesses.

All businesses should ensure regular review of their IT security (both these cases relate to poor IT security, and with a downturn in the economy this is an area that smaller businesses can often see as a potential saving) and, more generally, of their use and handling of personal data in their businesses. A high (but proportionate) level of protection for personal data should be seen as business as usual now. The GDPR is technology neutral, so as new technologies are released the requirements on business also change.

For further information relating to data protection and privacy, please contact a member of Ashtons’ corporate and commercial team.

Disclaimer: This document is for informational purposes only and does not constitute legal advice.
