Data Protection Breach Fines – July 2019

After months of investigations the ICO have come down hard on two international organisations who have been deemed not to have taken the necessary preventative actions to protect their sizeable customer databases. 14 months after the European General Data Protection Regulations were instated, the Information Commissioner’s Office has handed out two record-breaking Data Protection Breach fines to British Airways and hotel chain Marriott.

The GDPR outlines how organisations should protect the personal data it controls. Instated in May 2018, they require all who control or process the personal data of European citizens to take preventative actions to ensure that this information is safe and not shared, stolen or misused. Historically, organisations have been liable to fines of a maximum of £500,000, however those who do not abide by the GDPR are now at risk of incurring a fine of up to 4% of global annual turnover, or 20 million Euros. It’s not until recently that the ICO have followed through with this threat.

British Airways fined £183m

British Airways informed their customers and the ICO of a hack to their booking systems in September 2018, however the breach itself is stated by the company to have occurred between 21st August 2018 and 5th September 2018. The hack involved cyber criminals gaining access to BA’s booking system on their website and app. For over a fortnight, these criminals were able skim personal and financial details from every booking made online. It’s estimated that the personal data of 500,000 people were exposed during this time.

On July 8th the ICO announced that they intended to fine BA £183 million, equivalent to 1.5% of the company’s global turnover for their 2018 financial year ended December 31st.

Marriot faces £98m fine

Just one day later, the ICO announced their intention to fine hotel chain Marriot in response to the hack of their Starwood Reservation system in November 2018. 500 million hotel guests were affected by this hack, with 300 million of these having personal information such as passport numbers, dates of birth and mailing addresses exposed to cyber-criminals. One of the most troubling aspects of this hack is that it dates back to 2014, prior to Marriot’s purchase of the Starwood System and its properties.

The ICO announced Marriot’s data protection breach fine on the 9th July, declaring their intention to fine the company £98m, estimated to be 3% of the company’s global annual revenue.

More fines to come?

Although the Marriot and BA data protection breach fines are the largest handed out by the ICO so far, there have already been several instances of big organisations getting ‘slap on the wrist’ fines in response to minor infringements. Facebook was given a £500,000 fine in response to the Cambridge Analytica scandal, Equifax were fined the same amount after failing to protect the personal data of up to 15 million UK citizens, whereas TalkTalk were fined £400,000 after their serious data hack.

With more fines still to be announced by the Irish data protection authorities, and new incidents such as the Lancaster University breach and Fashion Nexus data breach being discovered in the last month, there’s no shortage of work for the ICO to handle.

Information Commissioner Elizabeth Denham said:

People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.

Data protection breaches are used to deter organisations from making the same security mistakes, but they do not compensate the people who have been affected by their errors. If your personal data has been exposed by a company or organisation then you be due compensation.

Let us know using the contact form below, or by using the chat feature in the bottom right to see if you could have a claim.