ICO: Announcement of large fines against Marriott (CHF 122 million) and British Airways (CHF 226 million)

The U.K. regulator, the Information Commissioner’s Office, has issued hefty fines in two cases:

  • Marriott: the equivalent of CHF 122 million against Marriott International as a result of a data leak that exposed personal data of around 339 million guests (including around 30 million in the EU). The leak stemmed from the Starwood Group, which Marriott acquired in 2016. It was only discovered in 2018, which, according to the ICO’s investigation, was because Marriott had neglected due diligence when it bought the group (Media release of the ICO);
  • British Airways: this case is also the result of a data leak in June 2018, which was caused by inadequate security measures on the part of British Airways and in which personal data (including payment card data) of around 500,000 people fell into criminal hands via a fake site.

In both cases this is not a fine but a so-called “notice of intention to fine”. The companies concerned have the opportunity to comment on the facts established and the impending fine.

The ICO’s actions clearly show – against the background of the (non-legal) CNIL fine against Google and corresponding statements from regulators – that authorities across Europe have moved from a more advisory to a more punitive stance.




