
The ICO at last springs into action with intent to levy significant fines on British Airways and Marriott International Hotels for GDPR data breaches

Tags: Data Breach, GDPR, GDPR Enforcement, GDPR Fines, ICO

It has been over a year since GDPR took effect on 25 May 2018, and for a while it looked as though the ICO (Information Commissioner's Office) was going to take a particularly passive role in proceedings: to be fair, not very much happened in those first twelve months. With far too many companies arbitrarily citing 'Legitimate Interests' to override the basic rights that 'Explicit Consent' affords consumers, it looked for a while as if this was going to be a somewhat toothless organisation.


In the case of British Airways, the personal data of approximately 500,000 customers was compromised through poor security arrangements at the company: login credentials, payment card details and travel booking details, as well as names and addresses. British Airways was using a third-party component to take payments for excess baggage and similar charges, but that component had not been properly maintained for years and had been compromised to divert customers to a fraudulent site, which captured their details in the process. The fine set out in the ICO's notice of intent is a considerable one, £183.39 million. The ICO is currently considering representations from BA, so the fine could still be lowered or waived depending on the final adjudication. For GDPR to mean anything, though, it must be properly policed, and those who flout the regulations must be brought to book.


In the case of Marriott International, the breach goes back to 2014 and relates to its purchase of the Starwood Hotels group in 2016. The vulnerabilities identified in 2014 were still present at the time of the acquisition and were not properly followed up until 2018, by which time the whole group had been affected: 339 million guest records globally had been exposed, including those of around 30 million EU residents, 7 million of them in the UK. The fine of £99,200,396 is essentially for failure to carry out due diligence and to rectify and shore up the vulnerabilities that had been identified at Starwood back in 2014.


In both instances there is a lack of care and due diligence, bordering on gross negligence. Under GDPR the data controller is required by law to safeguard the personal data it stores and to maintain its integrity on an ongoing basis; for both British Airways and Marriott there was clearly a failure of care. As promised when GDPR was first announced, these fines are exceedingly steep, but they need to be to ensure compliance with the legislation, because there are so many vested interests at play and so much to be gained by companies that break or cheat the system.


It will be interesting to see how far the ICO sticks to its guns here, and how much the two companies are ultimately made to pay. As with all law enforcement, if the punishment is not meted out, then the neglect and exploitation will continue unabated. We wait with interest to see how it all pans out.

© Affino 2019