ICO issues notices of intention to fine BA and Marriott


Following an extensive investigation, the Information Commissioner’s Office (ICO) has announced that it has issued a notice of its intention to fine British Airways (BA) £183.39 million for infringements of the General Data Protection Regulation (GDPR). If imposed, the fine will be a record amount in the UK for a breach of data protection laws. The infringements relate to an incident in summer 2018 in which cyber attackers gained access to the personal data of around 500,000 BA customers because of poor security measures. User traffic to the BA website was diverted to a fraudulent site, where customer details were harvested by the attackers. A variety of information was compromised as a result of the poor security arrangements, including login, payment card and travel booking details, as well as name and address information. BA will have the opportunity to make representations to the ICO before it makes its final decision. The ICO noted in its announcement that BA has cooperated with its investigation and has made improvements to its security arrangements since the breach.

The ICO has also announced that it has issued a notice of intention to fine Marriott International, Inc. (Marriott) £99,200,396 for infringements of the GDPR in connection with a cyber incident affecting approximately 339 million guest records held globally in the Starwood hotels guest reservation database. The exposure apparently began when the systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016, but the exposure of customer information was only discovered in 2018, at which point Marriott notified the ICO. The ICO found that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems. Marriott has likewise cooperated with the ICO’s investigation and has made improvements to its security arrangements since the breach. Marriott will now have the opportunity to make representations to the ICO on the proposed findings and sanction.

The ICO is dealing with both cases as the lead supervisory authority on behalf of other EU member state data protection authorities. Under the GDPR, the data protection authorities in other EU member states whose nationals have been affected by the two breaches will also have the chance to comment on the ICO’s findings.
