The Information Commissioner’s Office (ICO) announced on 9th July 2019 its intention to fine hotel chain Marriott International over £99m, following an investigation into a major data breach last year. This update occurred in the same week in which the ICO had issued a similar notice to fine British Airways (BA) over £183m in relation to a data breach. These two instances constitute the ICO’s first investigations under the GDPR to produce monetary penalties.

Large fines and delayed reactions

In particular, the high value of the fines (in comparison to the ICO’s investigations over the previous few months) is due to the fact that data breaches which occurred after the GDPR entered into force (in May 2018) are being discovered or reported, meaning that the GDPR-level of fines can now be applied by regulators. Additionally, both these organisations could be subject to further PCI DSS fines depending on the level of Card Holder Data (CHD) that has been exposed.

Marriott: Due diligence and risk management

Marriott identified in November 2018 that a guest reservation system had been compromised, most likely in 2014, which had resulted in exposing 339 million guest records that included Personal Identifiable Information (PII) and CHD between 2014 and 2018, when the breach was identified. The compromised system was part of Marriott’s acquisition of Starwood in 2016.

In particular, in addition to the need to maintain controls on internal data security, Marriott’s data breach is a stark reminder to organisations that examining data protection governance and information security risk management should remain a core part of due diligence when acquiring a new organisation.

When conducting due diligence prior to acquisitions, organisations should check for evidence of:

  • Data mapping activities (including insecure locations where it could be stored or collected from) – particularly in relation to PII and CHD;
  • Information security risk assessments to identify key risks to sensitive information as identified in the data mapping activities;
  • Records of previous information security incidents or data breaches, and actions taken; and
  • Contracts with third parties to whom data is provided.

The absence of any such governance or self-assessment should signify an immediate red flag.

BA: Third-party management & IT security governance

In BA’s case, the data breach related to a security vulnerability on BA’s booking website and mobile app between 21st August 2018 and 5th September 2018 which involved 500,000 customers’ details being exfiltrated by cyber attackers in June-September 2018. The attackers exploited a vulnerability in a third party provided code that allowed the attackers to re-direct customers to a website/app which was controlled by the attackers.

Robust third-party management practices should have ensured that the third party had deployed the required level of security controls and practices. This should have been backed by IT security governance monitoring processes, which should have detected and flagged up the vulnerability.

In both cases, large datasets including customers’ personal information and card details were affected, which were clearly targeted by financially-motivated criminals. These breaches bring into sharp relief the fact that large stores of data, particularly those involving financial information, are likely to be particular targets for hackers.


As both cases were high-profile data breaches that the ICO could not possibly ignore (both Marriott and BA took steps to notify their customers and investors of the loss of information), they do not tell us much about its upcoming enforcement strategy. However, they do signal that the ICO will not be reticent to apply penalties up to the 2% of global turnover permitted for security lapses and 4% for wider governance failures, under the GDPR. Nevertheless, both organisations still have the right to make representations, which may reduce the fines projected to be levied on them. In addition, the ICO’s final monetary penalty notices will outline its reasoning as to how the eventual penalties were calculated.

This throws into stark relief how closely intertwined Data Protection and Information Security are and how lax practices relating to one can affect the other. It is also a wakeup call to organisations to ensure that they have robust Data Protection and Information Security governance frameworks in place to provide assurance that they will not be faced with the situations being experienced by BA and Marriott today.



Article Author.

Kaveh Cope-Lahooti

Data Protection Consultant
Kaveh is a Data Protection Consultant at Gemserv and is involved in delivering GDPR implementation projects and outsourced data protection officer... Read More From Kaveh Cope-Lahooti

Aparna Murali

Information Security Principal Consultant
Aparna is an experienced security professional with 10 plus years’ experience. She has an extensive working knowledge of Risk Management,... Read More From Aparna Murali

Our Latest Insights.

Our work means different things to different clients and we wanted to share some details of the projects we have managed to give you an insight into our capabilities and the impact we have delivered as a business.


View All Insights

Say Hi.

Did you like what you read? Did you want to find out more about the subject? Or did you simply want to get in touch with us? Either way if you would like to get in touch with us you can do so using the form on the right.

Gemserv will use your details to get in touch with you and to send you information about our products and services that you have requested, in accordance with our privacy policy. You can, of course, opt out of these communications at any time!

Get In Touch

Want to find out more?

Follow the links below find out more about the services we provide, our insight into the industries we serve or the opportunities available with us.
Sectors Capabilities Our Insights Careers