
British Airways and Marriott International Violated GDPR – What Consequences Could They Face?

15/07/2019

The news that garnered significant attention in the past couple of days is that the Information Commissioner’s Office (ICO), the UK data privacy regulator, intends to fine two world-famous companies millions of euros for violating Article 32 of the EU General Data Protection Regulation (GDPR), which governs the security of the processing of personal data.

On July 9, the ICO issued a notice of intention to fine the hotel chain Marriott International over EUR 100,000,000.00. This news came just a day after it was announced that British Airways faces a record-breaking EUR 204,000,000.00 fine under the GDPR for the alleged data breach. This would be the largest fine the ICO has issued so far under the new GDPR legislation. However, these fines are not final, since the companies have the right to appeal these decisions.

Under the GDPR, data protection authorities, including the ICO, can fine companies for violations of the GDPR up to 4% of their worldwide annual revenue for the prior financial year, or up to 20 million euros, whichever is higher. The GDPR requires companies to make sure that the way they collect, process and share personal data is secure.

Marriott International Data Breach

In November 2018, Marriott issued an announcement about an incident affecting its guests’ data that dates back to 2014. Marriott acknowledged that the Starwood reservation database had been compromised in a cyberattack and that the personal data of its guests had been leaked. Marriott acquired Starwood Hotels & Resorts Worldwide in 2016; however, the exposure of the guests’ personal data continued until 2018, when this long-running breach was discovered.

After the investigation was conducted, the ICO stated that approximately 339 million guests’ records were affected by this incident globally. Among them, around 30 million records relate to residents of the 31 countries that are members of the European Economic Area, and around 7 million relate to UK residents. The famous hotel chain exposed its guests’ sensitive personal data, including their names, e-mail addresses, credit card details, dates of birth, gender, and arrival and departure information.

The ICO’s investigation of the data breach found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.

The Information Commissioner, Elizabeth Denham, emphasized in her statement: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired but how it is protected.”

Marriott intends to appeal the decision.

British Airways Data Breach

In the case of the British Airways data breach, the ICO has issued a notice of its intention to fine the company over EUR 204,000,000.00, which is about 1.5% of the company’s annual revenue. This fine is proposed in relation to an infringement of the General Data Protection Regulation which is believed to have begun in June 2018 and continued until September 5, and which was officially disclosed by British Airways in September 2018.

In short, cyberattacks carried out by a hacker group last year affected approximately half a million British Airways customers who made bookings over that period. The incident involved the diversion of user traffic from the British Airways website to a fraudulent site designed to look like the company’s official site. Through this false site, customer details were collected by the attackers. Personal and payment details such as login, payment card, and travel booking details, as well as name and address information, were compromised. Travel and passport details, however, were not stolen.

The ICO stated that this incident was a consequence of poor security arrangements at British Airways that led to the data breach. The ICO has therefore taken the position that British Airways is responsible for the violation of the GDPR. British Airways has the right to appeal the decision, so we will have to wait for the ICO’s final decision.

We can surely draw lessons from these cases and be diligent when handling personal data, since data protection authorities have clearly demonstrated their resolve to apply the GDPR strictly.
