ICO announces intention to fine Marriott and BA a combined £282m in first GDPR penalties

This article has been contributed by Michelle Clerville for Gemserv Ltd

The Information Commissioner’s Office (ICO) announced on 9th July 2019 its intention to fine hotel chain Marriott International over £99m, following an investigation into a major data breach last year. This update occurred in the same week in which the ICO had issued a similar notice to fine British Airways (BA) over £183m in relation to a data breach. These two instances constitute the ICO’s first investigations under the GDPR to produce monetary penalties.

Large fines and delayed reactions

In particular, the high value of the fines (in comparison to the ICO’s investigations over the previous few months) is due to the fact that data breaches which occurred after the GDPR entered into force (in May 2018) are being discovered or reported, meaning that the GDPR-level of fines can now be applied by regulators. Additionally, both these organisations could be subject to further PCI DSS fines depending on the level of Card Holder Data (CHD) that has been exposed.

Marriott: Due diligence and risk management

Marriott identified in November 2018 that a guest reservation system had been compromised, most likely in 2014, which had resulted in exposing 339 million guest records that included Personal Identifiable Information (PII) and CHD between 2014 and 2018 when the breach was identified. The compromised system was part of Marriott’s acquisition of Starwood in 2016.

In particular, in addition to the need to maintain controls on internal data security, Marriott’s data breach is a stark reminder to organisations that examining data protection governance and information security risk management should remain a core part of due diligence when acquiring a new organisation.

When conducting due diligence prior to acquisitions, organisations should check for evidence of:

  • Data mapping activities (including insecure locations where it could be stored or collected from) – particularly in relation to PII and CHD;
  • Information security risk assessments to identify key risks to sensitive information as identified in the data mapping activities;
  • Records of previous information security incidents or data breaches, and actions taken; and
  • Contracts with third parties to whom data is provided.

The absence of any such governance or self-assessment should signify an immediate red flag.

BA: Third-party management & IT security governance

In BA’s case, the data breach related to a security vulnerability on BA’s booking website and mobile app between 21st August 2018 and 5th September 2018 which involved 500,000 customers’ details being exfiltrated by cyber attackers in June-September 2018. The attackers exploited a vulnerability in a third party provided code that allowed the attackers to re-direct customers to a website/app which was controlled by the attackers

Robust third-party management practices should have ensured that the third party had deployed the required level of security controls and practices. This should have been backed by IT security governance monitoring processes, which should have detected and flagged up the vulnerability.

In both cases, large datasets including customers’ personal information and card details were affected, which were clearly targeted by financially motivated criminals. These breaches bring into sharp relief the fact that large stores of data, particularly those involving financial information, are likely to be particular targets for hackers.


As both cases were high-profile data breaches that the ICO could not possibly ignore (both Marriott and BA took steps to notify their customers and investors of the loss of information), they do not tell us much about its upcoming enforcement strategy. However, they do signal that the ICO will not be reticent to apply penalties up to the 2% of global turnover permitted for security lapses and 4% for wider governance failures, under the GDPR. Nevertheless, both organisations still have the right to make representations, which may reduce the fines projected to be levied on them. In addition, the ICO’s final monetary penalty notices will outline its reasoning as to how the eventual penalties were calculated.

This throws into stark relief how closely intertwined Data Protection and Information Security are and how lax practices relating to one can affect the other. It is also a wakeup call to organisations to ensure that they have robust Data Protection and Information Security governance frameworks in place to provide assurance that they will not be faced with the situations being experienced by BA and Marriott today.