British Airways and Marriott Fined for Data Breaches
This article by Rina Sond looks at how significant GDPR rules and data breaches can affect global organisations.
The ICO has fined British Airways £20m for a lack of adequate security measures. BA failed to protect the personal and financial details of more than 400,000 of its customers and only discovered that its systems had been attacked two months after the data breach.
Whilst the ICO acknowledged that BA acted quickly once they discovered the data breach, the breach could have been prevented if BA had put appropriate security measures in place. These facts led to the decision on the amount of the penalty issued.
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.”
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
Marriott International Inc has been fined £18.4 million for failing to keep millions of customers’ personal data secure.
It is estimated that over 300 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. This involved gaining unauthorised access to one of its reservation systems, which included personal details, passport numbers, credit card details and guest VIP status. The attack (whose source is unknown) remained undetected until September 2018, by which time the company had been acquired by Marriott. The delay in detection was partly due to the fact that the Starwood reservation system continued to be used and was only migrated a few years later.
The GDPR sets out six basic principles organisations must comply with in processing personal data. These are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; security; and accountability. The penalties in both cases were issued as a result of failures regarding security.
Rina Sond, Commercial Partner at Longmores, said: “These cases and the levels of fine issued really highlight the importance of businesses taking data protection seriously. They must ensure that their privacy policies and systems are robust, by putting appropriate technological and security measures in place. Whilst BA and Marriott are global organisations, the GDPR rules apply to all businesses, whatever size they may be, and so it is crucial that organisations think carefully about their data processing activities and the security around their data. The Marriott case also highlights the importance of carrying out due diligence on any potential acquisitions to ensure that you are suitably protected against historic data breaches to the extent possible.”
Here to help
Should you need any assistance with understanding your GDPR obligations or with putting privacy policies into place, then please contact our company commercial team on 01992 300333 or Rina Sond, Partner specialising in Company Commercial and Intellectual Property.
Please note the contents of this blog are given for information only and must not be relied upon. Legal advice should always be sought in relation to specific circumstances.