Data Breach Fines for BA and Marriott

Businesses have been given a stark reminder about how seriously they need to take any data breach which exposes sensitive customer data following two record breaking fines totally nearly £300m for British Airways and Marriott.

On 8th July British Airways (BA) received a record fine, totaling £183 million, after suffering a cyberattack in September 2018. The U.K. Information Commissioner’s Office (ICO) confirmed it was the largest penalty it had ever issued and the first to be made public following the implementation of the EU’s new General Data Protection Regulation (GDPR).

Since coming into place in May 2018, the GDPR stipulates that any business must report a breach within 72 hours. When BA suffered the attack, it took the airline took just one day to inform its customers that personal details from approx. 380,000 booking transactions had been stolen which including bank card numbers, expiry dates and crucially, CCV codes.

Less than a week after the announcement of BA’s fine, Marriott was issued a £99m fine by the ICO under GDPR, taking both BA and Marriott significantly over the previous maximum fine of £500,000 which was issued to Facebook in 2018 following the highly publicised Cambridge Analytica data scandal. Marriott’s fine was the result of a data breach that lasted over four years – between 2014 when it began and then discovered in 2018 – and exposed in the region of 339 million guest records globally.

To highlight the risks are not exclusive to malicious acts by cyber criminals and hacking, the online bank Monzo, has urged 500,000 customers on 3rd August 2019 (one fifth of its 2.6 million customer base), to change their PINs following a data security breach. In this case, the security glitch was flagged when it was discovered that customer PINs were being copied on to log files which could be accessed by up to 110 unauthorised engineers – despite being encrypted. The bank has made a statement which it claims has taken swift action to delete all the improperly stored information after discovering the issue and that no fraud has been discovered in accounts that are affected. Monzo also claim that no one outside the organisation had access to the customer pins. At the time of publishing this article (7th August 2019), no statement has been made by the ICO.

GDPR allows the ICO to impose a fine of 4% of annual revenues on any business, irrespective of its size. In BA’s case, its fine represented just 1.5% of its turnover in 2017 while Marriott’s represented about 3% of the hotel company’s $3.6bn revenue from 2018.

The ICO commissioner Elizabeth Denham said

”when organisations fail to protect data from loss, damage or theft, it is far more than an inconvenience. The law is clear – when you are entrusted with personal data, you must look after it.” She added, “those businesses and organisations that don’t adhere to the law will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights”.

Carl Edwards, Partner & Group Director at Griffiths & Armour said

“our risk management and insurance broker teams continue to work proactively with all of our clients to ensure they not only have the appropriate levels of insurance cover in place in the event of a Cyber attack but also receive support and risk guidance to help them review and implement robust cyber security measures into their businesses and organisations”. He added, “in addition to our 24/7 online risk management platform ‘RMworks’ which all clients can access, I would encourage any of our clients who would like to discuss their cyber security strategy to get in touch with their main contact at Griffiths & Armour who will be happy to assist them.”