GDPR superpowers lead to whopper ICO fines for BA, Marriott

Brace yourself, o ye spillers of data: the fury and the might of the GDPR has been unleashed this week, and lo, it is mighty, scary, and really, really expensive.

The UK’s Information Commissioner’s Office (ICO), pumped up with its newfound General Data Protection Regulation (GDPR) legal testosterone, has plans to uber-fine both Marriott and British Airways (BA) for data breaches.

On Monday, the ICO said that it’s looking to fine BA a record £183.39 million (US $229.34 million) for a breach discovered in September 2018. By diverting user traffic to a bogus site, attackers managed to steal personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.

According to the BBC, the ICO says that this is the biggest penalty it’s ever handed out under the new rules, and it’s the first to be made public.

Then, on Tuesday, the ICO said that it’s also planning to fine Marriott £99,200,396 (US $123 million) for a breach that exposed the data of about 339 million guests globally. Attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.

Marriott didn’t actually own Starwood when the breach started; the company bought the hotels group in 2016.

The ICO said that both BA and Marriott have cooperated with its investigations and have fortified security since they discovered the breaches. Both companies also will get a chance to respond to the ICO’s findings and its proposed fines.

Information Commissioner Elizabeth Denham had this to say in the announcement about the Marriott fine:

The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.

Is that decimal point in the wrong place?

The proposed penalty for BA is about 367 times higher than the previous record setter: the £500,000 (US $645,000) penalty handed to Facebook over the Cambridge Analytica scandal. Those were pre-GDPR days: it was the largest fine the ICO could dish out for a data breach before the regulations went into effect last year.

While BA says it’s “surprised and disappointed” at the size of the penalty, it could have been worse. Penalties for violating the GDPR can be as high as €20 million, or 4% of the worldwide annual revenue of the prior financial year – whichever is higher.

Nonetheless, the size of these fines is nothing to sneeze at, and they reflect the fact that the ICO isn’t going to pull its punches. They’re a staggering amount of comeuppance, and anybody in cybersecurity who’s in charge of taking care of their organization’s customer data should – no, let’s instead make that “absolutely must” – take heed.

Having said that, we’re here to help. We’ve pulled together this advice:

Don’t-fall-foul-of-GDPR tips

  1. Patch early, patch often. Minimize the risk of a cyberattack by fixing the vulnerabilities that can be used to gain entry to your systems illegally. There is no perimeter, so everything matters: therefore, patch everything.
  2. Secure personal data in the cloud. Treat the cloud like any other computer: close unwanted ports and services, encrypt data, and ensure that you have proper access controls in place. Do that on all your environments, including QA and development.
  3. Minimize access to personal data. Reduce your exposure by collecting and retaining only the information you need, and by restricting access to the people who need it to do their job.
  4. Educate your team. Ensure everyone who may come into contact with personal data knows how they need to handle it, which is a GDPR requirement.
  5. Document and prove data protection activities. Be able to show that you’ve thought about data protection and that you’ve taken sensible precautions to secure personally identifiable information (PII).