ICO muscle flexing: First British Airways now Marriott

ICO muscle flexing: First British Airways now Marriott

Just over a year since the Data Protection Act 2018 (DPA 2018) set new standards for protecting personal data in accordance with the General Data Protection Regulation (GDPR), the Information Commissioner’s Office (ICO) has announced its intention to issue its first penalty fines under the new regime. The ICO intends to impose an eye watering £183m fine for a data breach on the ‘world’s favourite airline’ British Airways (BA) and £99m on Marriott, an international hotel group.

What happened?

The ICO indicates that users of BA’s website were diverted to a fraudulent website through which the personal details of over 500,000 customers were collected by the attackers. The incident, described as a “sophisticated, malicious criminal attack” on BA’s website, was disclosed to the ICO, as is required by the legislation, on 6 September 2018 but is believed to have begun in June 2018. The company initially indicated that some 380,000 transactions were affected which did not include information about customers’ travel or passport details. However, the ICO has said that a variety of information was “compromised” by BA’s poor security arrangements, including log in details, payment card details, travel booking details and address information along with customer names.

Regarding Marriott, hackers stole the records of 339 million guests. 30 million of the hacked guests’ records are said to relate to residents of 31 countries in the European Economic Area with some seven million UK residents affected. Personal data stolen includes credit card details, passport numbers and dates of birth. The data breach occurred in 2014 but was not discovered until late 2018.

The rules

GDPR, enforced through the DPA 2018, changed the regulatory landscape and gave the ICO the power to impose severe penalties for those in breach. The new rules introduced a more rigid regime of accountability to the holding and processing of data by companies and can be described as the most significant and far-reaching change to the protection of data in the last two decades. The regime does not only apply to tech giants like Facebook, Google and Twitter but covers any corporation which handles customer data. Any breach of data protection will attract the attention of the ICO, and all controllers of data should take warning as GDPR does not only apply to large corporations.

As the Information Commissioner, Elizabeth Denham, has said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The new rules allow for fines of up to 4% of a company’s annual global revenue or €20m or whichever is greater, in stark contrast to the maximum under the old regime of £500,000 (as was levied on Facebook for processing the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent). The £183m fine on BA amounts to just over 1.5% of its worldwide profit margin for 2017 and demonstrates that breaches of the regime can (and seemingly will) result in very significant financial penalties in addition to the reputational damage caused to companies by such incidents.

What can BA and Marriott do?

The decision is not final. The new rules provide for companies to appeal the decision of the ICO to impose fines for data breaches within a 28-day period, and the ICO is required to carefully consider the representations made before it makes a final decision.

Unsurprisingly, given the scale of the proposed fines and the companies’ portrayal of themselves as the victims of criminal hacking, both BA and Marriott have indicated that they intend to appeal the decision and make representations to the ICO.

Considerations going forward

This time last year GDPR was on everyone’s lips. However, if anyone thought that GDPR had dropped off the radar, the ICO’s decisions to fine BA and Marriott within the same week brings the issue to the forefront once more and demonstrates that the ICO will not be afraid to unleash its new fining powers. Companies and data controllers will do well to take warning to ensure that their cybersecurity processes and systems are up to date and regularly monitored to minimise the risk of data breaches which, as these ICO decisions show, can have huge financial consequences.

The imposition of the fines will also serve to put the cyber insurance market on notice. Companies should seek to insure themselves against the risk of these fines, but many companies have no specific cyber insurance and hope to rely on general insurance policies. This has given rise to disputes about whether general insurance policies cover data breach losses at all, and this decision will no doubt have a knock-on effect on cyber insurance premiums.

These first cases create a benchmark for the level of fines which might be imposed by the ICO for data breaches. Data protection and cyber security failures can bring corporate giants to their knees, and the scale of these penalties reinforces the need for companies to place data security at the top of their corporate risk agenda.

If you’d like to discuss any of the issues raised in this article with one of our solicitors then please get in touch in the strictest confidence.



Guevara Leacock is a legal assistant specialising in all aspects of white-collar crime; corporate investigations; dispute resolution; and regulatory law. He has been involved in matters concerning the FCA, HMRC, SFO, Private Prosecutions, Directors’ liability and Extradition.

Related articles