This week we saw the Information Commissioner’s Office (ICO) finally signal its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent have been issued. Both relate to cyber security incidents, but for different reasons and in different amounts.
Under the GDPR, supplemented by the Data Protection Act 2018 (DPA18), the ICO has a number of statutory duties and powers with regard to regulating Controllers’ and Processors’ obligations. Article 58 gives the ICO its powers. Article 83(2) sets out the criteria the ICO has to take into account when issuing fines. These include the nature, gravity and duration of the breach, the number of data subjects affected, the level of damage and the action taken to mitigate the damage. All this is outlined in the ICO’s Enforcement Policy.
British Airways Notice of Intent – £183 Million
According to the statement from the ICO:
“The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”
According to various sources at the time, BA’s systems were compromised for a period of two weeks. Hackers took the personal and financial details of customers who made, or changed, flight bookings on www.BA.com or its app during that time. Names, email addresses and credit card information were stolen, including card numbers, expiration dates and the three-digit CVC code required to authorise payments.
According to an article from wired.co.uk, the BA vulnerability was a well-known one and could have been prevented with a simple fix. While we don’t know the exact details yet, perhaps that is why the ICO wants to fine BA a whopping £183 Million!
What this also appears to show is that, because the BA breach resulted in customers of BA being stuck in various holiday locations unable to get home, the effect on “the rights and freedoms of individuals” was certainly far more concrete (and some could say worse) than what we currently know about the Marriott data breach (see below). Perhaps this is why the fine amount is so high.
As soon as the notice of intent was filed, BA announced they were going to appeal, either because they see themselves as the victim here (as stated in various press statements about the incident) or because they believe that the ICO has acted disproportionately. We shall see…
Marriott Hotels Notice of Intent – £99 Million
According to the statement from the ICO:
“The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.
It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
According to various sources (see the BBC article at the time), this specific cyber security breach related to one of the booking databases belonging to Starwood hotels. A vulnerability in the database was first exploited in 2014 and continued to be exploited until an internal security tool detected suspicious activity in 2018. The database in question contained records of up to 500 million customers, of which 339 million were compromised, including names, addresses and encrypted payment card information.
In 2016 Starwood (together with all its assets and liabilities) was bought by Marriott. Part of the ICO statement accuses Marriott of not completing effective due diligence on Starwood, and that appears to be the main reason for the intention to fine. One would conclude, therefore, that when purchasing a company a full security assessment and penetration test of the IT network and systems should be completed. Marriott have also announced their intention to appeal the notice of intent. Not surprising when it is £99 Million!
What does this mean?
As with the Metropolitan Police announcement a few weeks ago, I’m sure these announcements will go down in Data Protection history, but until the action is confirmed and the money changes hands, what exactly it means for the regulatory landscape is yet to be seen. These are just intentions to fine, not the actual fine itself. The press (and some people that still don’t understand Data Protection when they claim to) got all excited about it at the time (and were corrected by many on social media). I think someone used the phrase (which I now cannot find, so I can’t credit you – sorry!) “it’s basically like me saying I have an intention to buy my lunch”. But your lunch currently isn’t bought, and you are, indeed, still hungry!
What it means in terms of what you can practically do in your day jobs however is quite clear. GDPR emphasises the need to have ‘effective organisational and technical measures’. So, if you are going to buy a business (or just build a new system) ensure you have done your due diligence and testing on it to help mitigate any potential risks. You can’t catch everything (especially in a cyber security context) but at the very least you must be seen to be trying. Doing nothing, or ‘ignorance is bliss’, will ultimately land you in trouble.
Secure systems, privacy by design, effective cyber security and a half decent data culture will help you on your path and are a good deal more beneficial than the world of ignorance.
Scott Sammons is a trainer with Act Now. More on these and other developments will be in our GDPR Update webinar and full day workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.
Photo: Thanks to Sam Truong Dan for making this photo available freely on @unsplash 🎁 https://unsplash.com/photos/-rF4kuvgHhU