GDPR fines on Marriott and British Airways: What can we learn?


While data protection and privacy are well-worn concerns for organisations and individuals alike, GDPR implementation has remained a challenge. If there was ever any doubt that regulators would enforce GDPR, the Information Commissioner’s Office’s decision to fine British Airways £183 million ($230 million) following the 2018 data breach will surely put that to rest.

The ICO’s statement of intent explains that the airline’s ‘poor security arrangements’ made more than 500,000 of its customers victims of a data breach in which login details, payment card information, names, and addresses were stolen. The hacking group Magecart exploited a classic application security vulnerability and likely pulled off the heist by identifying a poorly secured third-party JavaScript component on the company’s webpage and injecting their own code to route users to a fraudulent page that siphoned off their personal details.

This was not a sophisticated attack. It was an invitation to exploit a well-known application security vulnerability within a poorly governed IT infrastructure. “Actual expenditure on technical solutions and staff time to implement the right security to prevent this will not have been near a nine-figure sum like the fine,” says Eerke Boiten, professor of cybersecurity at De Montfort University.

But not all data breaches are created equal. When Marriott failed to conduct sufficient technical due diligence when acquiring Starwood Hotels and Resorts in 2016, it unknowingly inherited a breach that had gone undetected in Starwood’s database since 2014. Starwood’s guest database had been compromised by bad actors who duplicated and encrypted guests’ personal data and worked to erase it. Hotel chain Marriott is now facing a £99.2 million ($120 million) fine from the ICO for GDPR violations.

With so many moving parts in an acquisition, rigorous technical due diligence is often taken for granted. While a company’s financials are easy to evaluate objectively, IT assets and risks are more cumbersome to assess. “I don’t think there is an ideal process, and maybe that’s part of the problem,” says Jeff Pollard, VP and principal analyst at Forrester. Acquirers can typically only guess at the IT risks and opportunities they are inheriting, but as software becomes ever more a key factor in a company’s valuation, buyers should insist on more objective technical due diligence. The same applies to technology assets received from third-party suppliers. After all, you are what you eat.

It’s worth noting that neither British Airways nor Marriott was actively involved in any wrongdoing. They did not overtly breach any rules; rather, they fell victim to their own substandard application security and GDPR arrangements. Keeping on top of data protection and GDPR is no small task, especially when businesses are continually evolving the services they offer to customers. But the cost of a reactive rather than a proactive approach to application security and the integrity of IT infrastructure can run into the millions. It is high time for these organisations to proactively leverage Software Intelligence to ensure that application security and data protection are built into their software.

Filed in: Risk & Security
Isabelle Arnson
Isabelle Arnson Solutions Specialist
Isabelle is a Solutions Specialist for CAST UK. She recently graduated from St Andrews University in Scotland with a degree in Management and French. Before heading to St Andrews, Isabelle held several positions in France and attended the Seoul National University in South Korea. She now uses her international pedigree to further the mission of Software Intelligence.