On 8 July 2019, the ICO confirmed that it intended to fine British Airways £183.39m for breaches of data protection law. It is reported that this amounts to approximately 1.5% of British Airways' global turnover. The UK Information Commissioner Elizabeth Denham CBE explained that her office had investigated whether British Airways had taken "appropriate steps to protect fundamental privacy rights" of its customers.
The proposed fine relates to a cyber-attack that occurred between June and September 2018. The incident involved user traffic to the British Airways website being diverted to a fraudulent site, where customer information, including names, addresses and credit card details, was harvested by the attackers. The ICO statement reports that the personal data of approximately 500,000 customers was compromised during the four-month attack.
British Airways had first disclosed details of the attack to the ICO in September 2018 when it reported that hackers had targeted its website and mobile app and had stolen the data of 380,000 customers. It subsequently revealed in October 2018 that the credit card details of a further 185,000 customers had also been stolen. The ICO stated that the severity of the attack was not helped by the poor security arrangements British Airways had in place, but that once it became aware of the breach, the airline company cooperated fully with the investigation and has since made improvements to its security systems.
Marriott International, Inc
The next day, 9 July 2019, the ICO issued a further notice of its intention to fine Marriott International, Inc £99,200,396 for breaches of data protection law. The ICO issued this notice after Marriott International, Inc notified the US Securities and Exchange Commission ("SEC") of the ICO's intention. Marriott International, Inc has stated that it intends to "vigorously" defend itself in the proceedings that will follow before the final determination on the fine is made.
The proposed fine, as with the British Airways proposed fine, relates to a cyber-attack of which the ICO was made aware in November 2018. According to the ICO, the attack resulted in the personal data of 30 million EU citizens contained in guest records being exposed by the perpetrators. The personal data exposed is reported to include credit card details, passport numbers and dates of birth. The ICO believes Marriott International, Inc's vulnerability began in 2014, continued through its acquisition of Starwood in 2016 and was not discovered until 2018. The ICO's investigation identified what it believes to be two key factors that exacerbated the damage:
- insufficient due diligence was carried out when the company acquired Starwood, and
- insufficient work was done on securing its systems.
While the attacks are not limited to the UK, under the "One Stop Shop" mechanism introduced by the GDPR, the ICO is the lead supervisory authority in both investigations. However, the supervisory authorities in the countries of other affected data subjects will be able to comment on the ICO findings. Similarly, British Airways and Marriott International, Inc will be given the opportunity to make representations to the ICO on the decisions and proposed fines.
What have we learned about the potential impact of GDPR?
Under GDPR, a company can be fined up to €20m or 4% of its global turnover from the previous year for breaching the GDPR. While it is not yet known what percentage of Marriott International, Inc's global turnover is reflected in the proposed fine, such detail might help explain the discrepancy in the amount levied by the ICO against British Airways. If enforced, these will be the largest fines under the GDPR to date, dwarfing the €50 million levied against Google by the French supervisory authority, the CNIL (see our article on this fine here). The ICO has said it will take care to ensure the comments from British Airways, Marriott International, Inc, and other supervisory authorities are taken into consideration before its final decisions are reached.
A detailed rationale for each of the ICO's decisions is keenly awaited, particularly given the substantial size of both proposed fines. Both companies are reported to have notified the ICO of the breaches, to have fully cooperated with the ICO's investigations and to have taken measures to rectify their respective issues after becoming aware of the attacks. It is as yet unknown what other factors contributed to the ICO's decisions.
Understanding how the ICO came to its decision might inform the level of future fines under GDPR, and as such these decisions might act as precedent for supervisory authorities for similar breaches. Underlying these cases is the importance for companies to ensure that a review of their data security is undertaken regularly and that they have in place appropriate technical, organisational and security measures in order to minimise security (including cyber security) risks. As the UK Information Commissioner noted: "personal data has a real value so organisations have a legal duty to ensure its security".