The news that garnered significant attention in the past couple of days is that International Commissioner’s Office (ICO), the UK data privacy regulator, intends to fine two world-famous companies for millions of euros for violating Article 32 of the EU General Data Protection Regulation (GDPR) that foresees the security of the processing of personal data.
On July 9, the ICO issued a notice of intention to fine the hotel chain Marriott International for over EUR 100,000,000.00. This news came just a day after it was announced that British Airways faces a record-breaking EUR 204,000,000.00 fine under the GDPR for the alleged data breach. This fine would be the largest fine that the ICO has issued so far under the new GDPR legislation. However, these fines are not final, since the companies have the right to appeal to these decisions.
Under the GDPR, Data protection authorities, including the ICO, can fine companies for violations of the GDPR up to 4% of their worldwide annual revenue of the prior financial year, or up to 20 million euros, whichever is higher. GDPR requires companies to make sure that the way they collect, process and share personal data is safe.
MARRIOTT INTERNATIONAL DATA BREACH
Namely, in November 2018, Marriott issued an announcement about the incident which led to the data breach of their guests that dates back to 2014. Marriot acknowledged that the database of the Starwood reservation database had been compromised by the cyberattack and that the personal data of its guests have leaked. Marriot acquired the Starwood Hotels & Resorts Worldwide in 2016. However, the exposure of the guests’ personal data continued until 2018, when this long-running breach was discovered.
After the investigation was conducted, the ICO stated that approximately 339 million guests’ records are affected by this incident globally. Among them, around 30 million present the records related to the residents of 31 countries that are members of the European Economic Area and around 7 million are related to the UK residents. The famous hotel chain has exposed its guests’ sensitive personal data that include their names, e-mail addresses, credit card details, details of birth, gender, arrival and departure information.
The ICO’s investigation of the data breach has found that Marriot failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.
The Information Commissioner, Elizabeth Denham, emphasized in her statement that “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired but how it is protected”.
Marriott intends to appeal the decision.
BRITISH AIRWAYS DATA BREACH
In the case of British Airways’ data breach, ICO has issued a notice of its intentions to fine this company in the amount of over EUR 204,000,000.00, which is about 1.5% of the company’s annual revenue. This fine is proposed in relation to infringement of the General Data Protection Regulation which is believed to have begun in June 2018 and continued until September 5 and was officially disclosed by British Airways in September 2018.
Shortly, cyberattacks performed by a hacker group last year affected approximately half of million British Airways’ customers who made bookings over the period. This incident involved the diversion of user traffic from the British Airways website being diverted to a fraudulent site designed to look like the company’s official site. Through this false site, customer details were collected by hackers. Personal and payment details such as login, payment card, and travel booking details as well name and address information have been compromised. However, travel and passport details haven’t been stolen.
ICO stated that this incident is a consequence of “poor security arrangements” at British Airways that led to the data breach. Thus, ICO has taken a stand that British Airways is responsible for the violation of GDPR. British Airways have the right to appeal the decision, therefore we will have to wait for the ICO’s final decision.
We can surely draw lessons from these cases to be diligent when handling personal data since data protection authorities have clearly demonstrated their resolve to strictly apply GDPR.