The UK Information Commissioner's Office ("ICO") will impose significant fines against British Airways and Marriott for violating data security rules under the European Union's General Data Protection Regulation ("GDPR").
According to a statement of "intention," the ICO will impose a "record fine" on British Airways of $230 million. In September 2018, the ICO received notification that a cyber incident at British Airways compromised an estimated 500,000 customers' personal data. The ICO stated that its investigation found that user traffic to the British Airways website was redirected to a fraudulent website, where hackers obtained customers' information, including login credentials, names, email addresses, and credit card information.
The ICO said that it is also planning to fine Marriott £99,200,396 (U.S. $123 million) for a breach that exposed the data of about 339 million customers globally. According to the ICO, the unauthorized access of the company's Starwood guest reservation database started in 2014, and the breach was discovered and reported in November 2018.
The ICO is the lead supervisory authority on behalf of EU Member State data protection authorities. Under the GDPR "one stop shop" provisions, the data protection authorities in the European Union whose residents have been affected will also have the chance to comment on the ICO's findings.
The General Data Protection Regulation came into force last year, and represents a significant tightening of data privacy laws in the EU. Those rules make it mandatory to report data security breaches to the Office of the Information Commissioner. To put this amount into perspective, until now, the biggest penalty by the UK regulator was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.