ICO Plans to Impose Massive Fines on Marriott and British Airways for GDPR Violations

This week, the UK’s Information Commissioner’s Office (“ICO”) has issued two statements of its intention to slap massive fines on Marriott International, Inc. (about  $123 million)1 and British Airways (about  $229 million)2 for infringements of the General Data Protection Regulation (“GDPR”). Both fines relate to data breaches that resulted in a significant number of customers having their data exposed and potentially misused by hackers. The companies notified the UK watchdog about the incidents last autumn. The ICO has investigated the companies on behalf of other European regulators.

In British Airways’ case, consumers attempting to visit the British Airways website were being diverted to a fraudulent site where attackers could harvest their customer details (including address information, travel booking details, and payment card). The incident is believed to have impacted at least 500,000 customers, having reportedly begun in June 2018. The ICO found that the website vulnerability occurred due to poor security management at the company. The airline collaborated with the ICO in its investigation and, according to the regulator, it has improved its information security management since the breach was made public. However, this mitigation was not sufficient for BA to avoid a fine, which represents 1.5% of BA’s global turnover for the last year. The severe fine could have been higher since organizations can be fined 4% of their total annual worldwide revenue. If this fine holds, it will be the largest levied yet under the GDPR.

The penalty faced by Marriott relates to a cyber incident that began in 2014, in connection with vulnerabilities in the reservation systems of the Starwood hotels group. Marriott acquired Starwood in 2016, but the exposure of its customers’ personal data was only discovered in 2018. The ICO has concluded that Marriott did not conduct sufficient due diligence when it acquired Starwood and that it should have done more to secure Marriott systems. Information Commissioner Elizabeth Denham stated that, when making a corporate acquisition, organizations must put in place “proper accountability measures to assess not only what personal data has been acquired, but also how it is protected“. Marriott has also cooperated with the ICO in its investigation and has enhanced its security management following the incident. 

Both companies and other data protection authorities will have an opportunity to officially present their opinions to the ICO about the proposed fines before the decision is final.

We are witnessing a substantial increase in the enforcement activity among European data protection regulators. The informal grace period afforded by the authorities to allow organizations to adjust to life under the GDPR is over, and the era of fines for GDPR infringements is upon us. These fines serve as a wake-up call to organizations of all sizes. Marriott, Google, and Facebook may be financially strong enough to weather this storm. By contrast, if a smaller organization suffers a severe breach or commits a privacy infringement, the consequences may be much more devastating as the hefty penalties combined with the reputational damage and a loss of customer confidence may not always be survivable.

Other authorities, such as the French Supervisory Authority (CNIL) have expressed the importance of meeting the 72 hour notification requirement that organizations face following the discovery of a data breach. The CNIL indicated that it will give priority to supporting data controllers when they file their data breach notification within 72 hours of becoming aware of the breach and that, by contrast, it will adopt a repressive approach when the breach is not reported within the time limit. 

The lesson is that your organization must take privacy and security of personal data seriously and that processes must be implemented to ensure that data breaches can be mitigated and reported effectively, in compliance with the GDPR. As the best defence is a good offence, we invite you to contact VeraSafe to discover what our privacy and IT security experts can do for you. Apart from creating internal data breach notification policies and providing privacy training to your staff, VeraSafe can perform extensive manual penetration testing of web applications, websites, APIs, networks, and more, which can uncover deeply rooted vulnerabilities before hackers do.


  1. 1.
  2. 2.

Contact VeraSafe to discuss your data security management and privacy program today.