ICO Activity Update – October

The ICO are tasked with ensuring companies and organisations meet their obligations in relation to GDPR.

They have the power to fine, prosecute, and bring enforcement notices against companies that have breached their obligations in relation to GDPR.

October was a month that saw significant fines being issued across a variety of sectors and industries.

Here, we take a closer look at the most high-profile cases.

British Airways – Transport and Leisure

On the 16th October, British Airways were fined £20 million for their failure to protect the personal details of over 400,000 customers. The original notice of intent to fine had been for £198 million, but after recent representations that was reduced. Not a surprise, as BA have barely flown anyone anywhere for quite a while.

“Between the 22nd June and the 5th September, a malicious actor gained access to an internal BA application through the use of compromised credentials…the edits made by the attacker were designed to enable the exfiltration of cardholder data from [company website] to an external third party domain [website] controlled by the attacker” [1]

BA notified the commissioner of the breach, and cooperated fully with the investigation.


Reliance Advisory Limited - Marketing

On the 29th October, Reliance Advisory Limited were fined £250,000 for breaking electronic marketing law.

The company had made 15.1 million calls relating to claims management services. Many of the people who received the calls had not consented to receive them.

“Reliance Advisory appear to have employed aggressive and rude practices as reported to the Commissioner by subscribers. The complaints detail how subscribers received persistent and repeated calls resulting in several calls, multiple times per day. This demonstrates a high degree of intrusion into the privacy of subscribers” [2]


Marriott International Inc – Transport and Leisure

Marriott International were fined £18.4 million for a breach that started in 2014, when they bought another hotel chain which unfortunately had compromised IT systems. The compromise was not spotted during due diligence, nor for years afterwards.

The data of 339 million guests was compromised. The original fine was set at £99 million but again was reduced.

“Marriott did not detect the attack at any time between acquiring Starwood and September 2018, including in the period after the entry into force of the GDPR in May 2018. During this latter period, the Attacker continued to traverse through the Starwood systems and had gained access to the cardholder data environment within the Starwood network. This access allowed the Attacker to export the personal data of Starwood customers…” [3]


Avoiding fines and prosecution

It is clear that the ICO are exercising their right to issue fines and prosecute companies who are not taking their responsibilities towards data seriously. Whilst these are high-profile fines, as we have said, it is not the fines that are going to cause the most damage to businesses, but the compensation claims that ensue.

For more information on becoming GDPR compliant, click here.
