Marriott and British Airways face record high fines, under GDPR

Home  »  Blog  »  Cyber Security  »  Marriott and...

By Bill Minahan   |   July 11, 2019   |   0 Comments

The EU imposes record-high GDPR fines after data breaches

High fines after lack of data protection

The Information Commissioner’s Office (ICO) is fining The Marriott and British Airways record-breaking penalties for 2018 data breaches.

The ICO announced its intention to fine British Airways an unprecedented $229 million for a data breach that exposed the data of 500,000 customers. The breach included customer login information, credit cards, travel details, as well as names and addresses.

Additionally, a day later the ICO announced its intent to fine The Marriott $123 million for a data breach that exposed 339 million guest records globally.

Under the Global Data Protection Regulation (GDPR), the maximum amount in GDPR fines is 4% of a company’s global turnover.

The ICO is fining both The Marriott and British Airways 1.5% of their respective turnovers.

Both companies cooperated fully with the investigation, but the consequences for losing data and the frequency with which it’s happening are growing significantly.

From May to July, we’ve seen massive health care breaches on medical testing giants and local governments paralyzed by ransomware that has cost the industries millions.

A more punitive approach to data loss: GDPR fines

The European Data Protection Board and the ICO used punitive language in their statements towards The Marriott and BA. Historically, especially in the U.S., hacked companies were treated as victims of cybercrime.

However, more and more we are seeing compromised businesses treated like perpetuators of data loss.

Information Commissioner Elizabeth Denham said in a statement:

“People’s personal data is just that- personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear- when you are entrusted with personal data you must look after it.”

The attitude toward data protection is swiftly changing. It reveals the scope and frequency of the data breaches that are plaguing companies both private and public. More importantly, it shows a resistance to continue blaming only the hacker.

Big tech companies have seen this more and more, and are being fined heavily for it.

Data Protection as a ROI?

Data protection, or rather, lack thereof it, has cost millions of dollars to industries across the board in 2019 alone.

Breaches can cause serious financial and reputational damage. When it comes to GDPR fines that can take up to 4% of your global turnover, data protection is cash protection.

Google is currently under investigation by the Irish Data Protection Commission. Based on Google’s 2018 revenue the GDPR fine could be up to $5 billion. Facebook and Amazon are currently under investigation as well.

The scale of these fines should give companies a reason to evaluate whether their current security measures are enough to withstand scrutiny.

Companies who are victims of cybercrime immediately invest in cyber security precautions. However, too many businesses wait until after an attack to assess their weaknesses and reduce their risk of a breach.

Fortunately, many companies regardless of size have begun to consider cyber security an essential part of running and maintaining a business.

When you protect your data, you protect your assets and reputation. Proactively defend your business, educate and train your employees, and introduce sophisticated cyber security prevention.

It’s never too late or too early to protect your business. Take our free cyber security assessment and read about the types of businesses we serve.