Naked Security

GDPR superpowers lead to whopper ICO fines for BA, Marriott

The ICO isn't pulling its punches: The penalty for BA's data breach is about 367 times higher than the previous record-setting fine.

Brace yourself, o ye spillers of data: the fury and the might of the GDPR has been unleashed this week, and lo, it is mighty, scary, and really, really expensive.

The UK’s Information Commissioner’s Office (ICO), pumped up with its newfound General Data Protection Regulation (GDPR) legal testosterone, has plans to uber-fine both Marriott and British Airways (BA) for data breaches.

On Monday, the ICO said that it’s looking to fine BA a record £183.39 million (US $229.34 million) for a breach discovered in September 2018. By diverting user traffic to a bogus site, attackers managed to steal personal data from about 500,000 customers, including their names, addresses, logins, payment card and travel booking details.

According to the BBC, the ICO says that this is the biggest penalty it’s ever handed out under the new rules, and it’s the first to be made public.

Then, on Tuesday, the ICO said that it’s also planning to fine Marriott £99,200,396 (US $123 million) for a breach that exposed the data of about 339 million guests globally. Attackers got into the company’s Starwood guest reservation database and stayed there for years: the unauthorized access started in 2014, and the breach was discovered and reported to the ICO in November 2018.

Marriott didn’t actually own Starwood when the breach started; the company bought the hotels group in 2016.

The ICO said that both BA and Marriott have cooperated with its investigations and have fortified security since they discovered the breaches. Both companies also will get a chance to respond to the ICO’s findings and its proposed fines.

Information Commissioner Elizabeth Denham had this to say in the announcement about the Marriott fine:

The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.

Is that decimal point in the wrong place?

The proposed penalty for BA is about 367 times higher than the previous record setter: the £500,000 (US $645,000) penalty handed to Facebook over the Cambridge Analytica scandal. Those were pre-GDPR days: it was the largest fine the ICO could dish out for a data breach before the regulations went into effect last year.

While BA says it’s “surprised and disappointed” at the size of the penalty, it could have been worse. Penalties for violating the GDPR can be as high as €20 million, or 4% of the worldwide annual revenue of the prior financial year – whichever is higher.

Nonetheless, the size of these fines is nothing to sneeze at, and it reflects the fact that the ICO isn’t going to pull its punches. They’re a staggering amount of comeuppance, and anybody in cybersecurity who’s in charge of taking care of their organization’s customer data should – no, let’s instead make that “absolutely must” – take heed.

Having said that, we’re here to help. We’ve pulled together this advice:

Don’t-fall-foul-of-GDPR tips

  1. Patch early, patch often. Minimize the risk of a cyberattack by fixing the vulnerabilities that can be used to gain entry to your systems illegally. There is no perimeter, so everything matters: therefore, patch everything.
  2. Secure personal data in the cloud. Treat the cloud like any other computer: close unwanted ports and services, encrypt data, and ensure that you have proper access controls in place. Do that on all your environments, including QA and development.
  3. Minimize access to personal data. Reduce your exposure by collecting and retaining only the information you need, and by restricting access to the people who need it to do their job.
  4. Educate your team. Ensure everyone who may come into contact with personal data knows how they need to handle it, which is a GDPR requirement.
  5. Document and prove data protection activities. Be able to show that you’ve thought about data protection and that you’ve taken sensible precautions to secure personally identifiable information (PII).


All the money from these fines goes to a “Treasury”. I looked this up, and that’s all it says. Meaning pockets of people you don’t know? Is the goal to fine/rob companies until they shut down and buy ice-cream and race cars for underprivileged hedge fund managers? I would expect that making a company spend (at least half) the fine on improving their security would be a MUCH better constructive use than just beating a dog for having a broken leg.


I agree–but I wonder if they’ve decided against it for “creative accounting.”

The same sort of accounting that leads to the CEO’s tax-deductible, three-day “business lunch” in the Bahamas, with the only other company employees being waitstaff and the pilot.

Oh yeah, my kids tagged along, but don’t worry: they weren’t in the meeting–they were further down the beach.


Darn sneaky CEOs. Okay, how about 1 year in jail for each CEO for every $100 of misspending of the “fix it” fine?


This is a generic problem in the US legal theory. Companies have legal rights like persons; i.e. the corporate veil. When I see a company go to jail for stealing pampers or cheating people, I will accept that. The bigger they are the more immunity they seem to enjoy; ref. the financial crisis.


Not a Treasury; rather, The Treasury. My understanding is that the money is paid into the Treasury’s Consolidated Fund, and therefore is offset against government spending. So (depending on your view of such things) it allows for a tiny reduction in taxation, increase in services, or reduction of government borrowing.


This prompts two questions (for me anyway): Will the fines actually be paid? And will any of the ‘real’ victims (customers) of this breach see a penny of this?
Or maybe three questions…. What does the ICO do with the monies gained from these fines?


See above regarding what happens to the fines collected by ICO; they are given to the Treasury for use elsewhere. Regarding whether fines will be paid, the ICO usually offer a ‘deal’ if the fines are paid promptly. This can equate to quite a reduction, so whilst BA and Marriott may not pay the amounts given in the Press now, they do need to pay up.

I think the new structure for fines is a lot fairer. In the pre-GDPR/DPA2018 days, huge organisations got off with very small fines. The massive Sony breach saw them only getting a fine of around £250k which was a paltry sum for such a worldwide organisation. By comparison, Councils were being fined £80k for sending a fax to the wrong person. Ok, so these fines are tempered by the sensitivity of the data involved in the breach, but quantity also counts here. Industry giants were getting away with these breaches very cheaply. We won’t even mention TalkTalk…..


“£99,200,396 (US $123 million) for a breach that exposed the data of about 339 million guests”, correct me if I’m wrong but this seems to be about 0.30 dollars per guest. This hardly seems like a deterrent. Let’s get this straight; the victims are the guests, not Marriott. Cybersecurity has been warned about for decades and we still see breaches. IMHO: the governments have been negligent in not enforcing stiffer regulation on protocols and such. As a result, the companies have just accepted trivial fines as “the cost of doing business”.
I guess I am sorry for the (minor) rant; delete if off topic.

Living in a country that has the best government “money can buy”.


It would be good as well if there was a follow-up: have lessons been learnt, has the company undergone pen tests to confirm compliance checks, etc., rather than just one big stick?


In addition to the fines there is usually an agreed set of undertakings agreed with the ICO. This would include what steps will be taken to ensure the breach does not happen again, remedial actions to deal with the current breach, communications to customers and compensatory actions. For example if card details are exposed, organisations can offer a free subscription to a service that will monitor your affected accounts and warn you if there are any suspect transactions. You can see published reports on the ICO website for specific details of these agreements and the agreed monetary fine.
PS I don’t work for the ICO just in case you are wondering, I just work in this area so have some knowledge :)

