ICO issues notices of intention to fine BA and Marriott
17/07/2019

Following an extensive investigation, the Information Commissioner’s Office (ICO) has announced that it has issued a notice of its intention to fine British Airways (BA) £183.39 million for infringements of the General Data Protection Regulation (GDPR). If imposed, the fine will be a record amount in the UK for breach of data protection laws. The infringements relate to an incident in summer 2018 in which cyber attackers gained access to the personal data of around 500,000 BA customers as a result of poor security measures. User traffic to the BA website was diverted to a fraudulent site, where customer details were harvested by the attackers. A variety of information was compromised because of the poor security arrangements, including login, payment card and travel booking details, as well as name and address information. BA will have the opportunity to make representations to the ICO before it makes its final decision. The ICO noted in its announcement that BA has cooperated with its investigation and has made improvements to its security arrangements since the breach.

The ICO has also announced that it has issued a notice of intention to fine Marriott International, Inc. (Marriott) £99,200,396 for infringements of the GDPR in connection with a cyber incident affecting approximately 339 million guest records held globally in the Starwood hotels' guest reservation database. The vulnerability apparently began when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016, but the exposure of customer information was only discovered in 2018, at which point Marriott notified the ICO. The ICO found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. Like BA, Marriott has cooperated with the ICO's investigation and has made improvements to its security arrangements since the breach. Marriott will now have the opportunity to make representations to the ICO on the proposed findings and sanction.

The ICO is dealing with both cases as the lead supervisory authority on behalf of other EU member state data protection authorities. Under the GDPR, the data protection authorities in other EU member states whose nationals have been affected by the two breaches will also have the chance to comment on the ICO's findings.
