At the beginning of July, news broke about the Information Commissioner's Office's (ICO) plan to fine British Airways (BA) £183m for leaking personal data, a decision the airline is seeking to appeal. If the ICO prevails, BA will set a new record for the largest fine for mishandling of data (366x the previous record), in this case the data of approximately 500,000 customers.
The related incident involved user traffic to the BA website being diverted to a fraudulent site where customer details such as login credentials, payment cards and travel booking details were harvested, in addition to name and address information. The attack is believed to have begun in June 2018.
After the attack was announced in September 2018, BA tried to rectify its poor security arrangements; however, the damage had already been done.
The following day, the ICO announced its intention to fine Marriott International more than £99 million in relation to a cyber incident which was notified to the ICO in November 2018. Personal data contained in approximately 339 million guest records globally was exposed, of which around 30 million related to residents in the European Economic Area. Seven million related to UK residents.
It is believed the systems of the Starwood hotel group, subsequently acquired by Marriott in 2016, had been compromised back in 2014. The exposure of data was not discovered until 2018.
The ICO found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.
These are not the first instances where big brands have faced a hefty fine. In 2016 TalkTalk Telecom faced penalties after the theft of 157,000 records. Carphone Warehouse and parenting club Bounty also took a hit due to a lack of cyber security and the unlawful sharing of millions of personal data records. Additionally, in 2018 the ICO issued Equifax and Facebook the maximum fines for exposing people's personal data.
And it is not just big business that is vulnerable to action. On 19 July, the ICO fined a London estate agency £80,000 for leaving 18,610 customers' personal data exposed for almost two years.
Steve Eckersley, Director of Investigations at the ICO said:
“Customers have the right to expect that the personal information they provide to companies will remain safe and secure. That simply wasn’t the case here.”
“As we uncovered the facts, we found LPVL had failed to adequately train its staff, who misconfigured and used an insecure file transfer system and then failed to monitor it. These shortcomings have left its customers exposed to the potential risk of identity fraud.
“Companies must accept that they have a legal obligation to both protect and keep secure the personal data they are entrusted with. Where this does not happen, we will investigate and take action.”
The message is clear and should not go unnoticed. Companies that do not comply with GDPR requirements, or that are not taking security or data-protection protocols seriously, will face significant consequences. The number and complexity of cyber-attacks show no sign of slowing down, so businesses should aim to keep pace in order to protect their organisation.
The action taken exemplifies how far the ICO will go with its new powers. This should serve as a red flag to any business that is involved in the collection or handling of personal data. Without sufficient investment in security technology, businesses of all sizes could face substantial costs in the future. Don't wait until it's too late.