British Airways and Marriott Face Record-Breaking GDPR Fines for Data Breaches

Jingcong Zhao News

Hyperproof recently reported the rise of General Data Protection Regulation (GDPR) fines. Just last month, multiple legal experts predicted greater fines for GDPR violations heading into the second half of 2019. This week, we saw their warnings coming true.


British Airways Contends With a $230M Fine from the ICO

Earlier this week, the U.K. Information Commissioner’s Office (ICO) said it has “issued a notice of its intention” to levy a $230 million fine on British Airways (BA) over a 2018 security breach that compromised the personal data of approximately 500,000 customers.

“The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Information Commissioner Elizabeth Denham in a statement. “Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

In its statement, the ICO said it believes the BA data breach started in June 2018 (several months before it was finally reported) and was the result of “poor security arrangements.” A fraudulent third-party website that redirected BA traffic reportedly collected personal data such as login credentials, payment card details, names, addresses, and travel booking details.

The $230 million fine represents approximately 1.5% of BA’s 2017 income, which is considerably less than the maximum of 4% of annual revenue that GDPR fines can reach. That said, the BA fine is still by far the largest to result from GDPR, which went into effect last May.


ICO says Marriott’s Data Breach Deserves a $124M Fine


Meanwhile, the ICO also announced this week that it intends to fine the Marriott hotel group $124 million over a security breach the company reported in November 2018. Last year, Marriott stated it had been the victim of a four-year campaign by hackers to steal customer data from its reservation system.

The breach originated in the reservation system of Starwood Hotels in 2014—which Marriott purchased in 2016. However, Marriott did not detect or remediate the breach until 2018, and as a result it exposed the personal data of 339 million guests. These breached records included those of 30 million EU citizens and 7 million UK citizens.


“Companies Need to Shift Their Focus to Accountability”

While understanding and complying with GDPR has been difficult, companies now have no choice but to invest more in data security and data protection to comply with the law’s provisions. Information Commissioner Elizabeth Denham has issued a clear message to companies about what to expect this year.

In a May 2019 blog post, Ms. Denham stated that many of the investigations her office has launched are nearly complete and suggested that the outcomes will “[demonstrate] the actions [her] office is willing and able to take to protect the public.”

“The focus for the second year of the GDPR must be beyond baseline compliance – organizations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated,” said Ms. Denham.

She added, “Well-supported and resourced [Data Protection Officers] are central to effective accountability.”

If you want to learn more about how the ICO intends to use its enforcement and sanctions powers, you can read its Regulatory Action Policy. This document details the ICO’s approach to taking regulatory action against organizations and individuals that have breached the provisions of GDPR.


How Hyperproof Helps With GDPR Compliance

Hyperproof can help your organization get and stay compliant with GDPR. How? Hyperproof is building a system of record for all of your compliance data, coupled with an intuitive collaboration and work management system. We’ve collaborated with compliance experts to create ready-to-use templates and frameworks for common compliance programs, including GDPR. With Hyperproof, you can launch a GDPR compliance program in minutes, gather evidence with ease, and understand what is working and what needs attention next.

Our software will be ready for use this fall. To learn more about how we can help with your compliance challenges, come talk to us.