ICO Intends to Fine BA and Marriott for Data Breach

12th July 2019 Media Law

The UK’s independent regulator of data protection, the Information Commissioners Office (ICO) has announced its intention to fine British Airways (BA) and Marriott International. The fines have been announced within days of each other and are as a result of the ICO’s findings concerning BA’s and Marriot’s failure to keep the personal data of customers safe.

British Airways

In September 2018, BA informed the ICO that a cyber-incident had occurred which resulted in hackers harvesting personal data of 500,000 BA customers.

What appears to have happened is that hackers interfered with BA’s payments systems and BA customers were diverted to a fraudulent website. Their personal data such as log in details, payment card and travel booking details were then taken by the fraudsters. The ICO believe that the incident occurred in June 2018.

The ICO has said that the BA fine will be £183.39m and that BA has fully co-operated with their investigation.

Marriott International

In November 2018, Marriott International also informed the ICO of a cyber-incident which resulted in 339 million customer records being exposed globally. The ICO have said that 7 million of the guests are UK residents.

Again, the ICO report that Marriott fully co-operated with the investigation.

BA and Marriott have 28 days to make representations to the ICO. The ICO will then consider the representations made by the companies before announcing its final decision.

It is not possible at this stage to draw any conclusion as to the rationale behind the size of the respective proposed fines because the full decisions have not been published yet (and, as noted, there is an opportunity for BA and the Marriott to make representations).

The Law

What does the law say?

The applicable law is the General Data Protection Regulations (GDPR). The GDPR came into force on 25 May 2018.

Article 5(1)(f) of the GDPR says that personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss.

This means that organisations need to ensure that customer data and any other data they process is safe.

ICO’s Powers

If a data breach does occur, the ICO has powers under Article 83 of the (GDPR) to impose fines of a maximum amount of 4% of the total annual worldwide turnover of a company or 20 Million Euros whichever is the greater amount.

There are a number of things that companies should consider in the event of a data breach, see my previous blog here.

If you have been a victim of data breach, you may be entitled to compensation. JMW Solicitors are experts in data breach law and are currently representing thousands of people whose data has been misused or exposed. If you have been affected by a data breach and need legal help, please contact our Data Law team on 0345 872 6666.

We're Social

Dominic Walker is a Solicitor located in Manchesterin our Media Law department

View other posts by Dominic Walker

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest