This week, Britain’s GDPR watchdog, the Information Commissioner’s Office (ICO), announced its intention to issue massive, record-breaking fines related to data breaches. On July 8, the ICO announced the intent to fine British Airways £183.39M (€204M) for infringements of the General Data Protection Regulation (GDPR), and on July 9 a similar notice was released regarding Marriott International and a £99.2M (€110M) fine.
In our June 3 blog post “SIEM: A holistic approach to compliance”, we recapped the consequences of the first year of the GDPR, including a total of £56M in fines. But we also predicted that to be the “tip of the iceberg” and a precursor of what is still to come, as data protection authorities get up to speed and consumers become increasingly aware of their right to data privacy. We were right. In that blog post you can also read about how the LogPoint SIEM solution can help with compliance, including GDPR.
While it’s important to note that the ICO statements released this week only announce the “intention” to fine, and that ICO verdicts likely can and will be appealed, they clearly demonstrate the will of data protection authorities in Europe to dramatically increase the size of fines, which under GDPR rules can extend as far as 4% of a company’s turnover.
But the ICO announcements also underline the fact that companies not resident in the EU, but doing business within the EU, answer to the GDPR. Whereas British Airways (and parent company IAG) is registered in the UK and traded on the stock exchanges in London and Madrid, Marriott International is resident in Bethesda, Maryland, USA and traded on the NASDAQ stock exchange in the US.
The two breaches in question are very different in nature. Whereas the British Airways breach was relatively limited in time, from June to September 2018, the Marriott breach likely began all the way back in 2014. The British Airways breach in part involved user traffic to the British Airways website being diverted to a fraudulent site.
Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers was compromised in this incident. The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details as well as name and address information.
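The post does not say how the diversion to the fraudulent site was introduced, so the following is a generic integrity check rather than a reconstruction of the British Airways incident: it parses a page and flags every form action, script, iframe, image or stylesheet destination whose host is not on an allowlist of domains the site is expected to talk to. This is an added example, not LogPoint’s code; the hostnames, the allowlist and the sample page are constructed, and the check generalises the point in the text to several tag types rather than just the page URL.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts a payment page is expected to send traffic to (constructed).
ALLOWED_HOSTS = {"www.example-airline.test", "static.example-airline.test"}

# For each tag, the attribute that names a destination the browser will contact.
DESTINATION_ATTRS = {
    "form": "action",
    "script": "src",
    "iframe": "src",
    "link": "href",
    "img": "src",
}


class DestinationCollector(HTMLParser):
    """Collects (tag, url) pairs for every outbound destination in a page."""

    def __init__(self):
        super().__init__()
        self.destinations = []

    def handle_starttag(self, tag, attrs):
        attr = DESTINATION_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.destinations.append((tag, value))


def find_unexpected_destinations(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url, host) for every destination whose host is not allowlisted.

    Relative URLs (no host) resolve to page_host, so they are only flagged
    if the page's own host is missing from the allowlist.
    """
    parser = DestinationCollector()
    parser.feed(html)
    unexpected = []
    for tag, url in parser.destinations:
        host = urlparse(url).hostname or page_host
        if host.lower() not in allowed_hosts:
            unexpected.append((tag, url, host))
    return unexpected


# Constructed sample page: two legitimate resources, one relative form, and two
# resources pointing at a look-alike domain that should never appear on this page.
SAMPLE_PAGE = """<html><head>
<script src="https://static.example-airline.test/app.js"></script>
<script src="https://fraud-lookalike.invalid/collect.js"></script>
</head><body>
<form action="/pay" method="post"></form>
<form action="https://fraud-lookalike.invalid/pay" method="post"></form>
<img src="/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url, host in find_unexpected_destinations(SAMPLE_PAGE, "www.example-airline.test"):
        print(f"UNEXPECTED {tag:<6} -> {host}  ({url})")
```

Run periodically against the live checkout page (or against the HTML your SIEM ingests from a synthetic transaction), a non-empty result is a concrete alert condition: a form or script destination appeared that the site owner never approved, which is exactly the kind of change that turns a legitimate page into a harvesting site.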
In the case of the Marriott breach, it is believed the exposure began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
The Marriott case highlights the challenges of maintaining cybersecurity during mergers and acquisitions (M&A). In the four years since the acquisition of Starwood, the attackers were able to gather information, bypass the in-house security measures and exfiltrate the exact information they were after. The longer it takes to detect and contain a breach, the more damage is done and the more time it takes to remediate the impact.
In the wake of the discovery of the Marriott breach, LogPoint CPO Christian Have wrote the blog post “M&A Cybersecurity: Lessons from the Marriott Breach”. That is worthwhile reading for anyone involved with mergers and acquisitions.