What you can learn from a £99m data protection mistake


It’s hard to miss the fact that GDPR and data protection are back in the headlines again. Last year it felt like the world was going crazy about the impending new data protection legislation. British companies spent an average of £1.3 million to ensure their GDPR compliance.

But when the deadline hit, it wasn’t the apocalypse everyone had been expecting. In fact, nothing happened for months and the hype started to subside.

Then in April 2019, the first significant fine hit Bounty, a pregnancy and parenting club; £400k for illegally sharing personal information belonging to more than 14m people. It wasn’t the enormous data protection fine anticipated, but was noteworthy enough.

But things have ratcheted up, and it would seem the Information Commissioner’s Office (ICO) is finally ready to lay down the law with some bigger scalps. In a single week it issued two hefty fines:

  • £99m to Marriott: after hackers accessed its legacy Starwood guest reservation database, exposing 383m guest records, 18.5m encrypted passport numbers and 9.1m encrypted payment cards.
  • £183m to British Airways: after the personal details of 500k customers were harvested in a ‘sophisticated, malicious criminal attack’ on BA’s website by outside hackers.

On the face of it, yes, the scale of these fines is very bad news.

For the last year we’ve repeatedly been told to expect fines of up to 4% of a company’s turnover. Yet based on the publicly available information for both companies’ annual revenue, we estimate the fines imposed to be approximately 1.5%.

Why?

Let’s look at the nature of the breaches. In both cases the hackers breached security with the intent to intercept and steal personal data. In the case of BA, it was an e-commerce website attack from the perimeter fence, rather than a leak of customer data from the ‘inside’ of BA’s data estate.

What’s the data protection lesson?

It’s possible that when the ICO investigated, it discovered that both organisations had made some effort to reduce the overall risk of a data breach under most of the principles of the GDPR. Maybe overall, they were doing a good job of ensuring their general compliance with the new regulations.

Well managed compliance would include policies and processes for securing customer data inside the data estate being locked down and followed well. Staff would have been trained in how to manage customer data, how not to email around Excel spreadsheets containing sensitive customer information and how to manage data lifecycles and databases. They would be using data discovery software designed to run periodic and automated data searches to reveal instantly where sensitive information is being shared or not protected, so action can be taken to secure systems and processes.
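As an added illustration of the kind of automated data-discovery check described above (example code written for this post, not a product or the author's own tooling), the following Python scans a constructed customer export for clear-text payment card numbers and passport numbers and reports where each one sits. The `ENC:` marker for encrypted values and the passport column naming are assumptions.

```python
import csv
import io
import re

# Constructed sample export of the kind the text warns against emailing around.
# "ENC:" marks a value stored encrypted (assumed convention); all else is clear text.
SAMPLE_CSV = """customer_id,email,passport_no,card_no,note
1001,ann@example.com,ENC:3f9a,ENC:b71c,encrypted at rest
1002,bob@example.com,123456789,4111111111111111,plaintext export
1003,cat@example.com,,4111 1111 1111 1112,fails Luhn check
"""

# 13-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid card numbers present in clear text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_csv(csv_text: str, source: str) -> list[dict]:
    """Report where unprotected sensitive values sit: file, row and column."""
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for column, value in row.items():
            if value.startswith("ENC:"):
                continue  # protected at rest; not a finding
            # Assumption: passport columns are recognisable by name.
            if "passport" in column and value.strip():
                findings.append({"source": source, "row": row_no, "column": column, "kind": "passport_number"})
            if find_card_numbers(value):
                findings.append({"source": source, "row": row_no, "column": column, "kind": "payment_card"})
    return findings
```

Run against real exports on a schedule and feed the findings into a ticketing or alerting channel so that the owning team is told exactly which file, row and column needs securing.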

Despite all this, the ICO deemed that an embarrassing, high-profile website hack was enough to warrant a 1.5% fine. Our takeaway from this lower-than-expected fine is that if a business secures its perimeter as best it can, and can prove that its GDPR policies for handling customer data are being followed to the letter, the ICO may look more favourably upon it when meting out a fine.

Nobody is safe

The unfortunate truth is that any organisation could fall victim to sophisticated and deliberate external attacks. Hackers with enough intent can often find a way to exploit the slightest vulnerability within e-commerce websites.

It’s why organisations need a broad approach to good data protection, information governance and process, not just perimeter cyber-security. While much of the headline-grabbing might be around preventing deliberate theft, you can’t afford to rest on your laurels when it comes to good data management practice across your data estate.


Want to improve data protection and safeguard yourself from GDPR fines?

Achieving compliance with regulation is a constant mission, not something that can be ticked off, marked complete and put to bed.

Read our guide to discover how you can ensure your ongoing compliance with ease:

How to transition data protection to business-as-usual