The Information Commissioner’s Office (‘ICO’) announced, on 8 July 2019, its intention to issue a £183.39 million fine to British Airways Plc for data security failures under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In particular, the ICO found, as part of its investigation into British Airways’ data breach, that poor security arrangements within the company’s systems resulted in user traffic to its website being diverted to a fraudulent website, allowing access to the personal information of around 500,000 customers, including names, addresses, login credentials, payment card and travel booking details.
The ICO outlined that British Airways had initially filed its breach notification in September 2018 and had cooperated during the ICO’s investigation. In addition, the ICO noted that British Airways had made improvements to its security arrangements as soon as the breach was discovered. The ICO highlighted that British Airways would now have the opportunity to make written representations on the ICO’s intention to give a penalty notice, including the proposed findings and sanctions. Schedule 16(3)(4) of the Data Protection Act 2018 states that the period allowed for such representations must be not less than 21 days, after which the ICO will make a final decision.
Furthermore, the ICO also announced, on 9 July 2019, its intention to issue a £99.2 million fine to Marriott International Inc. (‘Marriott’) following its investigation into a data breach involving the personal data contained in 339 million guest records globally, of which around 30 million related to residents of 31 countries in the EEA and seven million related to UK residents. In particular, the ICO found that Marriott failed to undertake sufficient due diligence during the corporate acquisition of Starwood Hotels and Resorts Worldwide, LLC and failed to put in place proper accountability measures to assess how the acquired personal data were protected.
MATTEO QUARTIERI, Junior Privacy Analyst