Information Commissioner’s Office hits hard on data security, Ian Taylor reports

British Airways and Marriott International were united in their expressions of surprise and disappointment at the size of fines imposed by the UK Information Commissioner’s Office (ICO) this week.

Both should have known better. Exemplary punishments for the first major data breaches since the EU General Data Protection Regulation (GDPR) came into force in May last year were utterly predictable.

Major firms were warned what to expect if their data security practices were exposed as shoddy. In these cases, both were.

Perhaps one or other of the companies’ challenges to the ICO penalties will lead to a reduction in the fine, but don’t bank on it.

BA faces a fine of £183 million after hackers stole the data of half a million or more customers last summer.

In BA’s case the ICO did not mince its words. Its investigation found “a variety of information was compromised by poor security arrangements”.

The carrier disclosed the breach in September, reporting the personal data of about 380,000 customers had been swiped from the airline’s website and mobile app.

It subsequently revealed the credit card details of 185,000 additional customers had been stolen.

The ICO reported that login, payment card, booking, name and address data were compromised from mid-June through to September – with card numbers, expiry dates and three-digit CVV codes all hacked.

Information commissioner Elizabeth Denham put it succinctly: “When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny.”

BA chief Alex Cruz suggested in response: “We are surprised and disappointed. We have found no evidence of fraudulent activity on accounts linked to the theft.”

That rather misses the point.

Willie Walsh, head of BA parent IAG, was typically more combative. He pledged BA would “take all appropriate steps to defend the airline’s position vigorously, including any necessary appeals”.

Too bad BA/IAG did not defend its customers’ data vigorously. It has 28 days from the announcement of the fine to appeal.

Marriott’s ‘criminal attack’

Marriott was equally offended by its ICO fine of £99 million for the breach of the reservations database of its Starwood subsidiary revealed in late November.

Like BA, Marriott reacted saying: “We are disappointed with this notice of intent from the ICO, which we will contest.

“The company intends to respond and vigorously defend its position.”

The hospitality giant’s indignation was palpable. The “incident”, Marriott noted, “involved a criminal attack against the Starwood guest reservation database.”

Again, this misses the point, and claiming ‘We’re the victims here’ is a poor response.

Companies are charged with taking action to withstand criminal attacks against their databases. They extract, store and use customers’ data to make money. The victims are those whose data was kept insufficiently secure.

In Marriott’s case, data from the records of up to 383 million guests was lost – including encrypted card numbers.

The company’s assessment in March was that details of more than nine million payment cards had been stolen, of which 385,000 were unexpired – i.e. open to fraudulent use – and this includes “several thousand unencrypted payment card numbers” along with 5.25 million unencrypted passport numbers.

This does not sound like much of a case for the defence.

The company remains unable to quantify the exact number of customers affected “because of the nature of the data in the database”, which rather makes a mockery of claims for the insight afforded by ‘big data’.

BA and Marriott, like all major corporations, should have seen this coming. Other travel businesses should take note.

The industry is awash with personal data. Yet a survey by data analytics firm GlobalData suggests more than 40% of businesses “are delaying investment” on cybersecurity.

US law firm Nelson Mullins Riley and Scarborough noted: “Whatever grace period to become GDPR-compliant companies may have believed existed unequivocally ended with the ICO’s July 8 announcement [of the BA fine].”

And a word of warning to businesses which, in pursuit of GDPR compliance, have anointed the head of IT as data protection officer – a role the regulation requires.

I’m told regulatory bodies take a dim view of this. It won’t help a business demonstrate it has good processes in place when something goes wrong.