The ‘world’s favourite airline’ and the largest hotel chain both reported huge data breaches in recent times, affecting millions of records. After investigations by the Information Commissioner’s Office (ICO), British Airways and Marriott International are both facing record fines for data breaches under the General Data Protection Regulation (GDPR).


In November 2018, the Marriott International group of hotels reported a massive breach to the ICO. It relates to a cyber incident involving the unauthorised access of the Starwood hotels group systems in 2014. Marriott subsequently acquired the Starwood Group, however, the breach wasn’t discovered or reported until 2018.

As a result, the personal data of approximately 339 million guests globally was compromised. Of which around 30 million related to residents of 31 countries in the European Economic Area (EEA); around seven million related to UK residents.

After an extensive investigation, on 9 July 2019, the ICO issued a notice of its intention to fine Marriott in excess of £99M under the GDPR. While Marriott International has co-operated with the ICO investigation and since the data breach was reported, have made improvements to its security arrangements. However, the ICO’s contention is that Marriott had failed to perform due diligence when it acquired the Starwood Group and should have made sufficient checks to ensure their IT systems were secure.

In a statement, Marriott have revealed that they intend to appeal the fine and defend their position.

British Airways

The ‘world’s favourite airline’, on the other hand, is facing a record fine of £183M for breaches of data protection law. The proposed fine relates to a cyber incident in June 2018 when 500,000 customers browsing the British Airways website and booking tickets online were being directed to a fraudulent website. Their personal data, including name, address, login, payment card and travel booking details, were then harvested by the cyber attackers.

As per the investigation by the ICO, personal data of approximately 500,000 customers were compromised in this cyber incident, including login, payment card, and travel booking details as well name and address information.

In a statement, British Airways apologised to customers, expressed disappointment and revealed the intention to appeal.

Fines Issued in 2018

The ICO are simply reaffirming their commitment to the GDPR by disclosing the details of its fines and investigations to the public. Since the GDPR came into effect on 25 May 2018, a number of high-profile data breaches have come to light. The ICO issued some of the biggest fines last year including fines for the Crown Prosecution Service (CPS), Equifax UK, Uber, Facebook and Bounty.

With the ICO adopting a tough stance and walking the talk, businesses must bear in mind the very expensive consequences as a result of data breaches.

Is Your Business Prepared?

What we have learnt from these recent breaches is that the GDPR goes beyond ‘consent’ and data privacy issues. Both the breaches at British Airways and Marriott were a result of IT or web systems failures and hackers gaining unauthorised access.

A quick recap of what any form of data breach under GDPR could cost your business: the ICO can issue a fine of up to 4% of a company’s global annual revenue for a breach under the GDPR. For British Airways, the ICO fine comes up to 1.5% of global turnover for the year, while for Marriott, it’s 3% of the company’s global revenue.

Mitigate the risks of a hefty fine and ensure that your business is prepared to combat the lapses in cyber security. Investing in cyber security and information security is key to keeping the hackers out. Keeping your systems secure and up to date is the first step and one of the most effective weapons against cyber-attacks.

Not forgetting the importance of awareness training for your workforce. Are your staff engaged to spot the signs of an intended cyber-attack and understand the implications? By training your employees on the various aspects of cyber security and GDPR, and the risks they face, businesses can keep the hackers out and prevent costly breaches under the GDPR.

How Can We Help

Our FREE download on Handling a Data Breach offers practical tips for reducing the risk of a breach, including a checklist for managing and reporting data breaches should your data be compromised.

We can also support your business with a wide range of eLearning solutions dedicated to cyber security and GDPR. Our eLearning can be delivered as off-the-shelf packages, or we can customise the content to suit your organisation. To find out more, check out our great value Compliance package.

Leave a Reply

Your email address will not be published. Required fields are marked *