ICO issues notices of intention to fine BA and Marriott

Following an extensive investigation, the Information Commissioner’s Office (ICO) has announced that it has issued a notice of its intention to fine British Airways (BA) £183.39 million for infringements of the General Data Protection Regulation (GDPR). If imposed, the fine will be a record amount in the UK for breach of data protection laws. The infringements relate to an incident in summer 2018 when cyber attackers gained access to the personal data of around 500,000 BA customers, due to poor security measures. User traffic to the BA website was diverted to a fraudulent site, where customer details were harvested by the cyber attackers. A variety of information was compromised by the poor security arrangements, including log in, payment card and travel booking details, as well as name and address information. BA will have the opportunity to make representations to the ICO before it makes its final decision. The ICO noted in its announcement that BA has cooperated with its investigation and has made improvements to its security arrangements following the breach.

The ICO has also announced that it has issued a notice of intention to fine Marriott International, Inc. (Marriott) £99,200,396 for infringements of the GDPR in connection with a cyber incident affecting approximately 339 million guest records held globally in Starwood hotels' guest reservation database. The vulnerability apparently began when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016, but the exposure of customer information was only discovered in 2018 and Marriott then notified the ICO. The ICO found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. Marriott has again cooperated with the ICO's investigation and has made improvements to its security arrangements following the breach. Marriott will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO is dealing with both cases as the lead supervisory authority on behalf of other EU member state data protection authorities. Under the GDPR, the data protection authorities in other EU member states whose nationals have been affected by the two breaches will also have the chance to comment on the ICO's findings.