Two leading travel firms have been hit with the first major fines for data breaches imposed since new EU data protection rules were brought in last year.
British Airways revealed this week that it has received notice from the UK Information Commissioner’s Office that it faces a fine of £183 million.
The penalty relates to an incident last year in which fraudsters stole the details of 500,000 BA customers.
Days later, the ICO announced hotel chain Marriott will be fined £99 million after the theft of 339 million customers’ data came to light last year.
The General Data Protection Regulation (GDPR), which came into law last year, gave regulators enhanced powers to fine firms found to be in breach of data protection law.
The BA fine, the biggest penalty the ICO has ever proposed, is the equivalent of 1.5% of the airline’s global turnover. The airline has said it intends to launch an appeal and had 18 days to do so.
BA chairman and chief executive Alex Cruz said: “We are surprised and disappointed in this initial finding from the ICO.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
“We apologise to our customers for any inconvenience this event caused.”
Information commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it.
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The Marriott data breach dates back to 2014 and involved the systems of the Starwood Hotels brand, which Marriott bought in 2016.
The ICO said Marriott “failed to undertake sufficient due diligence” when it bought Starwood and should have done more to secure its systems; the fine was issued for infringements of the GDPR.
Around seven million British customers were affected by the breach and 30 million were based in Europe.
Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold.
“This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.
“If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
Marriott International president, Arne Sorenson, said: “We are disappointed with this notice of intent from the ICO, which we will contest.
“Marriott has been co-operating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.
“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”