The Information Commissioner’s Office (ICO), a public body sponsored by the UK’s Department for Digital, Culture, Media and Sport (DCMS), has again deferred the payment of multi-million-dollar fines levied on Marriott International and British Airways after both firms had customer information stolen by hackers.
The fines, issued two days apart
in July last year, will be deferred until later in 2020 “pending further
It is the second time a deferral
has been announced, following the first in January 2020.
Given the fines were the ICO’s
first flex of its newly strengthened GDPR muscle – and the fact that, to
negotiate a deferral it has to seek agreement from the entities being penalised
Under Schedule 16 of the Data Protection Act 2018 – it’s a less than ideal situation
for the a regulator to be in.
Airways – which is no stranger to huge
IT issues – was handed its “notice of intent” for a fine of £183.4 million last
year after hackers stole login details as well as information on names,
addresses, travel booking information and payment cards, including CVV codes.
The extent of the hack, which came
to light in October 2018, was revealed over several weeks. Initially the
airline said 380,000 payment cards had been compromised but later revised this
down to 244,000
Then BA said customers who made a rewards booking using a payment card between April and July that year “may be at risk”. Later it said that a further 77,000 customers had had their names, addresses, email addresses, card numbers, expiry dates, and CVV numbers stolen, and that a further 108,000 “may have had details stolen” but not the CVV.
Time is precious, but news has no time. Sign up today to receive daily free updates in your email box from the Data Economy Newsroom.
International’s hack also occurred in 2018, with the chain aware from
September that year. The news broke that November and the following July the
ICO issued a fine of £99.2 million. The hack included credit card, passport and
DOB details of 30 million guests across 31 EU countries, and hundreds of millions
of more beyond the ICO’s jurisdiction.
In a statement issued in July
2019, Marriott International’s president and CEO Arne Sorenson, said: “We are
disappointed with this notice of intent from the ICO, which we will contest.
Marriott has been cooperating with the ICO throughout its investigation into
the incident, which involved a criminal attack against the Starwood guest
“We deeply regret this incident
happened. We take the privacy and security of guest information very seriously
and continue to work hard to meet the standard of excellence that our guests
expect from Marriott.”
Marriott International has since
suffered other hacks, most recently in March
To date, the UK has led other European nations in issuing fines and these two penalties were also the ICO’s first use of regulatory powers designed to protect consumer data under GDPR.
Under the regulation, the office has the power to issue fines of up to £18 million or 4% of annual global turnover, whichever is greater.
Demonstrating just how much additional power that gives the ICO, in 2018 when Facebook shared the data of 87 million users with third parties without sufficient consent, it was fined £500,000.
Read the latest from the Data Economy Newsroom: