Not long ago, the authorities heavily penalized two giants of their respective sectors: the British airline British Airways and the global hotel chain Marriott. They were ordered to pay fines ranging from 18 to 20 million pounds. The cause: they did not adequately protect the personal data of the customers for whom they were responsible.
It should be noted, however, that these fines do not reach the record still held by Google, a fine of 50 million euros imposed by the French authorities in 2019, although they are not far off. The sanctions against the two companies were imposed by the UK's data protection body, in line with a trend that has been under way in Europe for years, since the adoption of the General Data Protection Regulation. The aim of these sanctions is to remind large groups, which often process millions of records, of their responsibility for securing that information, which in some contexts is quite sensitive.
The US hotel giant was accused of failing to prevent the leak of data belonging to nearly 339 million people through a computer hack. Faced with this situation, for which the company is directly responsible, the Information Commissioner's Office (ICO) imposed a fine of nearly 18.4 million pounds, equivalent to 20.4 million euros. Several types of information leaked, including addresses, names, passport numbers, telephone numbers, dates of birth, loyalty program details, and hotel arrival and departure dates. Taken together, this is fairly sensitive information. Worse still, the culprit behind this cyberattack has not yet been identified. Given that the case took place at the end of September 2018, that is, before Brexit, it is the General Data Protection Regulation, the European standard, that applies in this case, and it was the British body that enforced it. Under this European standard, a company that does not deploy sufficient means to protect the data in its care is subject to a fine determined according to its annual turnover. In this particular case, given that 30 million European nationals are involved, the British body imposed the fine on behalf of all the countries of the European Union, a mechanism that is also provided for by the European regulation.
It should be noted, however, that the fine could have been much higher. But the UK's personal data agency said the amount imposed took into account the date the EU regulation came into force and the date of the cyber-attack.
"Personal data is valuable and companies need to take care of it. (…) When one of them fails, the impact is not just a fine; what matters most are the people whose data the company had a duty to protect," said Elizabeth Denham, head of the Information Commissioner's Office.
For the British airline, the fine amounted to 20 million pounds, or 22 million euros. The data leaked on British Airways' watch belonged to nearly 400,000 customers and employees. In addition, the British body had indicated that the fine was originally set at 204 million euros under the General Data Protection Regulation. This would have been the most severe sanction imposed under the European standard. The fine was later revised downwards by the British body.
This reduction is due to the direct impact of the coronavirus pandemic on the company's finances. In fact, IAG, the company that owns the majority stake in British Airways, said it had suffered a loss of more than 5.6 billion euros due to the pandemic since the beginning of 2020. "We alerted our customers as soon as we heard about this criminal attack on our systems in 2018 and are sorry to have disappointed their expectations. We are pleased that the ICO acknowledges that we have made significant progress in the safety of our systems since this attack and that we have fully cooperated with the investigation," the airline spokesman said.