Yesterday the Information Commissioner’s Office (ICO) announced the largest fine ever imposed by a European data regulator on British Airways in respect of its well-publicised data breach, in which the data of 500,000 customers was compromised (see our blog article here). This represented a significant ramping up in what some companies might perceive as the “threat level” coming from the ICO.
Today, rather ramming home the point, the ICO has announced that the international hotel group Marriott is to be fined almost £100m as a consequence of a hack that led to the theft of personal data including credit card details, passport numbers and dates of birth of 339 million former guests. The ICO has stated that it is believed that the vulnerability began in 2014 within the Starwood hotels group, which was acquired by Marriott in 2016. The breach was not discovered until November 2018 at which point it was reported to the ICO.
The announcement was made after Marriott filed notice of the ICO’s intent with the US Securities and Exchange Commission. The company has the right to respond before any final determination of the fine and has stated that it intends to respond and vigorously defend its position.
This fine would be the second largest GDPR fine ever and its release only a day after the news broke on the BA fine merely emphasises the intent of the ICO to announce its presence as a major, board level issue for all firms in and out of the technology sector.
Two such announcements in two days can only make us ask, what next.
This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.