Cyber-attacks create £284m in potential GDPR fines

Published on Wednesday, July 10, 2019 - 15:26 by Camilla Winlo

The ICO announced its first two Notices of Intent to fine under the GDPR regime this week, and it was not messing around.

Under the former regime the maximum fine was £500,000. Previously, the largest GDPR fine announced was Facebook’s £50m, but the ICO’s GDPR fines are significantly larger and show that the Information Commissioner is fully prepared to use her powers.

British Airways

On Monday, the ICO announced its intention to fine British Airways £183.39m for a website hack from 2018. The maximum fine could have been either 2% or 4% of global annual turnover, and this represents 1.5% of BA’s annual turnover for the year.

We are still awaiting its full investigation report, but it seems like the plot has thickened considerably since the hack was first announced. In September 2018, just after the breach was originally announced, RiskIQ published a detailed report looking into the attack.

It appeared at the time that a bespoke version of the Magecart malware had been injected into the website’s Javascript. Timestamps on the website and in an SSL certificate related to the malware suggested that personal data had been compromised from 15 or 21 August. At the time, it was believed that the main information compromised was payment card details.

The ICO’s initial statement suggests that this hack was not in fact the only thing that happened.

It now appears that personal data was compromised from June, not August, that 500,000 customers were affected, not 380,000, and that names, addresses and passport details were affected as well as payment information.

This revised start date affects the time available to report the breach.

The timer starts when the organisation knows or should know that personal data has been compromised – the law is clear that appropriate measures should be in place to spot these, so the ICO may well decide that the timer should start when these appropriate measures would have picked up on the attack, not when the attack was actually identified.

Late reporting is one of the aggravating factors that has been considered when setting the proposed fine.

It’s also worth noting that these “appropriate measures” relate to what is necessary to protect the data, not to what is practicable for the organisation – if the measures are unaffordable, the processing should not take place.

Marriott and Starwood Hotels

On Tuesday, the ICO announced its intention to fine Marriott International £99.2m after IT systems belonging to its subsidiary company, Starwood Hotels, were breached and data was compromised for 339 million guests (7 million of which were in the UK).

According to the ICO statement, the systems were breached in 2014. Marriott acquired Starwood in 2016 but the breach was not discovered until 2018.

For all that time, personal data – again, payment and passport details - was not secure.

The ICO particularly calls out the failure of Marriott to carry out proper data protection due diligence during the acquisition process as an aggravating factor affecting the size of the proposed fine.

What should Information Security and Data Protection teams do now?

The size of these fines should put Information Security and Data Protection firmly on Board agendas right now.

Teams should take this opportunity to review their risk assessments and control environments to ensure that they are appropriately resourced in order to manage the risk.

It bears restating that “appropriate organisational and technical measures” means ones that address the risks, not what is achievable within budget. The budget must meet the size of the challenge, not the other way around.

Some organisations may need to rethink their approach to this.

The potential fines are only a part of the total cost of the breaches. Customer compensation may have been payable, the vulnerabilities needed to be addressed at pace, and the management distraction dealing with the incident and fall out will have been considerable. The negative PR has affected the share price of both companies.

Teams should also ensure that Information Security and Data Protection assessments are included within due diligence activities for any mergers and acquisitions organisations may be considering.

DQM GRC and IT Governance can help assess and mitigate your cybersecurity and data protection risks, designing appropriate controls that secure the personal data your organisation holds – helping to safeguard your organisation from a similar fate.  

Find out more?

Leave your contact details below and one of our expert team will be in touch

We will only use the contact details you supply on the basis of our legitimate interest to respond to your query and contact you about DQM GRC. You will always be given the opportunity to opt-out from future communications. Please read our privacy policy for more details.


Find out more..

If you are interested in any of our services then please either use the contact form or contact us via of the methods below:

  •   Telephone
  •   E-mail

  •   +44 (0)1494 442900