British Airways (‘BA’) may be hit with what will be the highest-ever penalty which the Information Commissioner’s Office (‘ICO’), the UK’s data protection supervisory authority, has handed out.
This all came as a result of what the BA have described as a “sophisticated, malicious criminal attack” on their website which resulted in customers being redirected onto a fraudulent website. These manoeuvres resulted in a leak of an estimated 500,000 customers’ personal data being obtained by the attackers.
BA first disclosed the incident on the 6th September 2018, at which point it was estimated that the data breach had affected approximately 380,000 transactions, although the data breach did not include any travel or passport details. The ICO, however, believe that the incident started 3 months prior, i.e. during June 2018.
According to the ICO, the data breach comprised of a variety of personal data including names, email addresses, credit card information (including the 3 digit cvv code) amongst others. This massive leak of information was attributed to the lack of adequate security measures in place. The ICO did, however, note that improvements have been made and new security measures have been added by the British Airways.
With just over a year since the GDPR came into force, this will surely be one of the largest fines dished out for data breaches. Under the new regulation, fines can go up to 4% of the entity’s global turnover, with the proposed fine equating to approximately 1.5% of the airline’s turnover, significantly lower than the maximum allowed.
This approach should send a clear message to all data controllers and processors both in the UK and across Europe that personal data should be treated with the utmost care and all necessary measures must be taken to ensure that such data is not breached or leaked.
In the same week, the ICO has also stated its intention to fine Marriott International Inc. (‘Marriott’) £99,200,396 for a data breach which led to the exposure of 339 million guest records. Such records contained various types of personal data relating to residents of 31 of the countries of the European Economic Area (‘EEA’). Investigations led the ICO to believe that the breach was caused by the system of the Starwood Hotels Group being compromised back in 2014, before Marriott had even acquired the said Group. The exposure of the customer data was only discovered in 2018. The ICO found that Marriott did not carry out sufficient due diligence when it acquired the Starwood Hotels Group and should have implemented better security to protect its systems.
Information Commissioner, Elizabeth Dunham, stated that “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
As is the case with BA, Marriott now has the chance to make representations to the ICO in relation to the proposed findings and sanctions in order to attempt to get the ICO to revoke or at least reduce the proposed fine. The ICO will then have to consider such representations before taking its final decision in this regard.
It is crucial to understand that, in both these cases, the ICO was investigating on behalf of other EU Member States’ data protection authorities, as per the ‘one stop shop’ provisions of the GDPR. This means that this procedure may render controllers and processors based in any Member State liable to fines imposed by supervisory authorities in other Member States.
If issued, these fines can prove to be the catalyst to push for greater recognition of the importance of GDPR compliance by all entities who control or process personal data. This should be a wake-up call to all the players to invest more time and resources in ensuring personal data is treated with the utmost care and diligence.
For any queries regarding data protection & privacy contact us on [email protected]