By the middle of 2019, the administrative authorities responsible for regulating internet players were asserting themselves more and more, and no longer hesitated to impose sanctions.
This time it is not the National Commission for Informatics and Freedoms (CNIL) that is involved, but the Information Commissioner’s Office (ICO), the United Kingdom’s equivalent of our dear CNIL.
In less than a week, the English regulatory body has sanctioned not one but two players, with amounts exceeding 100 million euros each.
The first sanction: Marriott International hotel chain
110,000,000€, that’s the penalty imposed on the American hotel chain.
In 2016, Marriott acquired Starwood, another luxury American chain, and that’s when the trouble began.
It turns out that the hotel group’s reservation system had a security flaw that had been present since 2014. However, the breach was not discovered until 2018, two years after the acquisition.
As a result, the personal data in approximately 340 million customer records leaked.
In the vast majority of cases this involves names, postal addresses, phone numbers, email addresses, passport numbers, dates of birth and gender… and, more alarmingly, for some customers it also involves banking information.
The large number of affected customers is explained by the fact that, as mentioned above, the breach had been present since 2014. The figure therefore reflects four years of data leakage.
This is the main thing the Marriott group is being blamed for. The fact that the breach predates the acquisition excuses nothing; on the contrary, it points to a failure to exercise due diligence during the purchase. Add to that the fact that the flaw was only discovered and fixed four years later…
We therefore have an explanation for the astronomical sum being demanded of them.
The second sanction: British Airways airline
202,000,000€ (183,000,000£), that’s the dizzying sum, the highest ever imposed by the English CNIL to date, demanded of the airline.
This penalty concerns an incident in August 2018: nothing less than the theft of the banking and personal data of 500,000 of the airline’s customers.
It has been estimated that 380,000 payment cards were compromised.
Alex Cruz, CEO of British Airways, said he was “surprised and disappointed” by such a sanction and tried to defend the company by stating that no evidence of fraudulent activity had so far been identified on the affected accounts, and that the company had been able to respond quickly to this criminal act.
However, the ICO intends to stand by its decision, so the company will likely appeal to challenge it.
Meaningful sanctions are starting to rain down
A Portuguese hospital was fined 400,000€ at the end of last year, the Spanish football league 250,000€, a real estate agent 400,000€ last month, and now come these two astronomical sanctions.
Regulatory bodies are no longer holding back; as we predicted, sanctions are becoming more frequent and larger. The era of leniency is over for these bodies, and the emphasis is now on enforcement, as these latest sanctions show.
All sectors are affected, so everyone is likely to end up in the sights of the CNIL or its international counterparts.