The British information commissioner (ICO) issued massive fines this year against both British Airways (BA) and Marriott International for breaches in terms of the GDPR.

BA’s website was subject to a hack where a malicious third party extracted 500 thousand customer records, while Marriott suffered a hack resulting from undetected malware in a recently acquired database formerly belonging to a competitor.

Let’s see what we can learn from these information security incidents.

The circumstances of the fines

BA found themselves in a troubling situation where hackers accessed personal data through a vulnerability in a third-party Javascript on the BA website. The hackers added 22 lines of code to ‘Modernizr’, which diverted users to the fake BA website at ‘baways.com’ where hackers could collect their personal data. ‘Modernizr’ is a JavaScript library designed to detect Internet browser features. This was a well-known vulnerability in the software and BA had not updated it since 2012, probably because their processes and procedures for updating their software on their website and app were insufficient.

Marriott also found themselves in a precarious position when they discovered that a credit card stealing group had hacked the central reservation database of a competitor that Marriott had acquired. The acquired competitor was called ‘Starwood’ and Marriott discovered that the database had been hacked when IBM Guardium, the IT company managing the database, informed them that a query from an administrator’s account stood out because it showed a human operator was interfering with the database. They soon thereafter discovered that malware in the form of a Remote Access Trojan (RAT) was installed on Starwood’s IT systems. Investigators later found the ‘Mimikatz’ penetration tool which indicated that hackers were likely exfiltrating data from the system.

The results of the breaches

BA’s breach resulted in the compromise of:

  • log in credentials including names and email addresses;
  • payment card information including credit card numbers, expiry dates and CVV codes; and
  • travel booking details.

The result of the Marriott breach was that Starwood had been hacked on an ongoing basis from 2014 to 2018, which impacted 30 million EU residents and included the compromise of:

  • names, postal addresses, phone numbers, email addresses and passport numbers;
  • five million unencrypted passwords; and
  • payment information in the form of eight million credit card records.

The bases for the fines

ICO took action and announced an intention to fine both companies on the following bases:

  • they held that BA had insufficient digital security measures on their website and the incident was the result of their own shortcomings;
  • they said that Marriott hadn’t done enough due diligence when buying Starwood and should have taken additional steps to secure Starwood’s systems.

ICO also probably found it significant that:

  • by all accounts, BA didn’t take proper precautions when rolling out their new website or app; and
  • Marriott didn’t disclose the breach until three months after it happened, which would have caused ICO to take a dim view of how they handled the incident.

The consequences

As a consequence of their findings, ICO announced an intention to fine:

  • BA an amount of 183 million pound sterling (the largest GDPR fine so far, outstripping the 500 thosand pound fine leveled against Facebook for their involvement in the Cambridge Analytica incident); and
  • Marriott an amount of 99 million pound sterling.

Reflecting on the fines

BA and Marriott could have probably avoided the breach circumstances leading to their respective fines by taking a few simple steps:

  • BA needed to implement appropriate and reasonable technical and organisational information security on their website and app to prevent unauthorised access to the personal data thereinsuch as by having proper update procedures to make sure that they weren’t running a severely out-of-date version of the ‘Modernizr’; and
  • Marriott needed to carry out a proper due diligence of Starwood’s systems to make sure they had appropriate and reasonable technical and organisational information securitysuch as by having an appropriate IT company check Starwood’s systems thoroughly before acquisition.

If you want to avoid similar circumstances in your business, we can help you work towards compliance with information security laws – such as the GDPR in the EU.