
GDPR superpowers lead to whopper ICO fines for BA, Marriott


Brace yourself, o ye spillers of data: the fury and the might of the GDPR have been unleashed this week, and lo, it is mighty, scary, and really, really expensive.

The UK’s Information Commissioner’s Office (ICO), pumped up with its newfound General Data Protection Regulation (GDPR) legal testosterone, has plans to uber-fine both Marriott and British Airways (BA) for data breaches.

On Monday, the ICO said that it intends to fine BA a record £183.39 million (US $229.34 million) for a breach discovered in September 2018. By diverting traffic from BA’s website to a bogus site, attackers managed to harvest personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.

According to the BBC, the ICO says that this is the biggest penalty it has ever proposed under the new rules, and it’s the first to be made public.

Then, on Tuesday, the ICO said that it’s also planning to fine Marriott £99,200,396 (US $123 million) for a breach that exposed about 339 million guest records globally. Attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access is believed to have started in 2014, and the breach was discovered and reported to the ICO in November 2018.

Marriott didn’t actually own Starwood when the breach started; the company bought the hotels group in 2016.