In two separate penalty notices published in October 2020, the ICO has fined hotel group Marriott International Inc £18.4 million, and British Airways plc £20 million, in each case for failings related to cyber attacks that took place in 2018. These amounts represent a significant reduction from the £99 million and £183 million fines proposed by the ICO in 2019, partly due to the impact of COVID-19 and perhaps partly to the need to set a precedent capable of withstanding any legal challenge for overreach. Even the reduced fines are likely to put any data controller subject to GDPR or equivalent provisions on extra alert.
For both Marriott and BA, their problems started when an unknown attacker gained access to their network and used this access to extract customers’ personal data over a period of time without detection. The key question for the ICO in each case was whether, and to what extent, they had failed to ensure “appropriate security of personal data, including protection against unauthorised or unlawful processing” as the GDPR requires.
What level of security is appropriate?
Of course, as both Marriott and BA argued, not every cyber attack is reasonably preventable. The ICO acknowledged in each case that it must avoid reasoning with the benefit of hindsight: suffering a data breach is not itself a breach of GDPR. Nonetheless, in light of available technology, associated costs and the nature of the data being stored among other factors, the ICO concluded that neither company’s security measures were “appropriate”. The ICO suggested several measures that each company should have had in place.
In particular, the malicious actor in each case was able to exploit a lack of multi-factor authentication (‘MFA’). MFA restricts system access to those who can complete a combination of two or more steps (eg entering a password and retrieving a code from a mobile device). Both companies were criticised for incomplete implementation of MFA, aggravated in BA’s case by its failure to explain this omission to the ICO’s satisfaction.
The ICO excused Marriott’s MFA deficiencies thanks to Marriott’s honest belief that MFA was in place. That belief derived from two (incorrect) Reports on Compliance by independent accredited assessors prior to the attack. The ICO considered that it was reasonable for Marriott to rely on these.
There is a red flag here for data controllers involved in outsourcing, mergers or acquisitions. Marriott actually inherited its data breach through a company acquisition in 2016. The attacker installed a web shell on a device in the target company’s network in 2014, where it remained undetected until two years after the acquisition. The ICO deemed Marriott responsible for not having measures to detect the threat, as well as for other omissions falling short of “appropriate” security. In BA’s case, the attack originated with the compromised credentials of an employee at its supplier, Swissport. The attacker used this as a way into BA’s Citrix environment for remote working by Swissport employees, then broke out of that environment to reach BA’s wider systems. Again, the involvement of another entity did not prevent the ICO from finding Marriott and BA, as data controllers, ultimately responsible.
Looking to guidance
This raises the question of how controllers of personal data can be confident that their security measures are “appropriate”. The UK is likely to maintain equivalent duties in domestic law following the Brexit transition period, and it will also be important for any organisation controlling personal data of EU citizens to understand this requirement. Article 32 GDPR provides that the threshold is sensitive to “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk […] for the rights and freedoms of natural persons”. In applying this standard to Marriott and BA, the ICO referred to guidance documents available from various sources, including the National Cyber Security Council and the Centre for the Protection of National Infrastructure, as well as the ICO itself. Although the ICO recognised that this guidance did not amount to “prescriptive requirements”, it was treated as a starting point for benchmarking compliance. Data controllers should regularly refer to these sources, and keep records of compliance activity, as well as of any reasons for non-compliance.
Take-away points
If we are to learn anything from these two cases, it is the heightened importance of due diligence when acquiring a company and when granting network access to a supplier, especially where that other company might not have high standards of security and compliance. In the wake of Marriott’s and BA’s penalties, we might see greater attention afforded to cybersecurity measures during tender processes. In turn, suppliers and companies up for sale will need to be ready to provide detailed compliance records.
In the meantime, the fate of these travel and hospitality businesses emphasises that GDPR compliance is not just for big tech, and that any organisation has reason for caution. No one wants a data breach, but in the face of an unavoidable threat, the ability to demonstrate GDPR compliance and avoid heavy fines seems as cost-effective now as it ever did.