The UK’s Information Commissioner’s Office recently announced its intention to levy record fines on British Airways and Marriott for severe data breaches that occurred in 2018. BA, which the ICO intends to fine £183.39m, lost 500,000 customer records in September 2018, which included login details, travel plans and payment data. Meanwhile, the ICO intends to fine Marriott more than £99m for a data breach relating to roughly 339m customer records worldwide, 7m of which related to UK residents.

 

These cases, and the record fines that are associated with them, are the first major tests of the new GDPR that applies across the EU.  In both cases, the ICO notes that the parties co-operated with the ICO investigation and have subsequently made improvements to their cyber security posture since the original incident, however the sheer size of the fines will worry investors and give CISOs and other executives some sleepless nights. Both fines are subject to appeal, and it seems reasonable to expect that they will come down as BA and Marriott make their representations to the ICO, but they are still likely to be extremely punitive and will surely be making organisations across the economic spectrum extremely nervous; following news of the ICO’s enforcement action on Monday, IAG – BA’s parent company – saw their shares drop almost 10% by Tuesday afternoon. Whilst the shares have subsequently recovered, it shows the real impact that the ICO’s new enforcement powers can have.

 

What this means is that anyone with responsibility for security in an organisation that processes personal data will need to carefully consider the impact of a potential GDPR fine. Strong segmentation controls and visibility into who is sharing what, and where are a key part of protecting sensitive data. It is also critical to know what data your organisation and to ensure that you really need it as part of your business. Gathering personal data for the sake of it should be a thing of the past. Last and probably most important is ensuring that an effective incident response and notification procedure is in place, and regularly tested. Whilst BA and Marriott face heavy fines, it would certainly have been worse had they not notified the ICO in good time and co-operated with their subsequent investigation.

 

It’s worth looking at how the data breaches at BA and Marriott actually hapened. In BA’s case, they were the victim of a supply chain attack where code used on their website, and provided by a third party, was compromised. BA was also in a relatively poor state with regard to PCI-DSS compliance, with reports that it had failed a PCI-DSS accreditation in 2017. In Marriott’s case, their network had been compromised since 2014, and it was an alert from a security monitoring tool in November 2018 that eventually alerted security staff to the breach. Both cases could be described as stemming from systemic security weaknesses.

 

One of the intentions of the GDPR was to drive an improvement in security effectiveness in businesses that increasingly rely on the gathering of sensitive personal data. Time will tell whether the new enforcement powers will have a lasting impact or whether companies will find ways to minimise and evade enforcement, as they have in the past. One thing is certain, though: the days of ICO fines that amount to a slap on the wrist are over.

 

Neil Anderson – Director of Security