The British information commissioner (ICO) issued massive fines this year against both British Airways (BA) and Marriott International for breaches in terms of the GDPR.
BA’s website was subject to a hack where a malicious third party extracted 500 thousand customer records, while Marriott suffered a hack resulting from undetected malware in a recently acquired database formerly belonging to a competitor.
Let’s see what we can learn from these information security incidents.
The circumstances of the fines
Marriott also found themselves in a precarious position when they discovered that a credit card stealing group had hacked the central reservation database of a competitor that Marriott had acquired. The acquired competitor was called ‘Starwood’ and Marriott discovered that the database had been hacked when IBM Guardium, the IT company managing the database, informed them that a query from an administrator’s account stood out because it showed a human operator was interfering with the database. They soon thereafter discovered that malware in the form of a Remote Access Trojan (RAT) was installed on Starwood’s IT systems. Investigators later found the ‘Mimikatz’ penetration tool which indicated that hackers were likely exfiltrating data from the system.
The results of the breaches
BA’s breach resulted in the compromise of:
- log in credentials including names and email addresses;
- payment card information including credit card numbers, expiry dates and CVV codes; and
- travel booking details.
The result of the Marriott breach was that Starwood had been hacked on an ongoing basis from 2014 to 2018, which impacted 30 million EU residents and included the compromise of:
- names, postal addresses, phone numbers, email addresses and passport numbers;
- five million unencrypted passwords; and
- payment information in the form of eight million credit card records.
The bases for the fines
ICO took action and announced an intention to fine both companies on the following bases:
- they held that BA had insufficient digital security measures on their website and the incident was the result of their own shortcomings;
- they said that Marriott hadn’t done enough due diligence when buying Starwood and should have taken additional steps to secure Starwood’s systems.
ICO also probably found it significant that:
- by all accounts, BA didn’t take proper precautions when rolling out their new website or app; and
- Marriott didn’t disclose the breach until three months after it happened, which would have caused ICO to take a dim view of how they handled the incident.
As a consequence of their findings, ICO announced an intention to fine:
- BA an amount of 183 million pound sterling (the largest GDPR fine so far, outstripping the 500 thosand pound fine leveled against Facebook for their involvement in the Cambridge Analytica incident); and
- Marriott an amount of 99 million pound sterling.
Reflecting on the fines
BA and Marriott could have probably avoided the breach circumstances leading to their respective fines by taking a few simple steps:
- BA needed to implement appropriate and reasonable technical and organisational information security on their website and app to prevent unauthorised access to the personal data therein – such as by having proper update procedures to make sure that they weren’t running a severely out-of-date version of the ‘Modernizr’; and
- Marriott needed to carry out a proper due diligence of Starwood’s systems to make sure they had appropriate and reasonable technical and organisational information security – such as by having an appropriate IT company check Starwood’s systems thoroughly before acquisition.
If you want to avoid similar circumstances in your business, we can help you work towards compliance with information security laws – such as the GDPR in the EU.