Massive Fines in Travel and Hospitality Illustrate Investments in Cyber Security Are Risk Management Strategies

The EU imposed record fines this week on British Airways and Marriott, the largest fines so far under the General Data Protection Regulation (GDPR), which is just over one year old.

The U.K. Information Commissioner’s Office (ICO) proposed fining British Airways $230 million for an incident that compromised the data of 500,000 customers.

The ICO proposed a $123 million fine against Marriott for the loss of 339 million customer records, a breach which was first reported in November 2018.

Both companies can respond to the fine proposals before the ICO issues a final decision, and both companies said they will appeal the decision.

The maximum GDPR fine is 4% of a company’s global turnover. The fines for BA and Marriott both represented 1.5% of their turnover.

The ICO said both companies cooperated fully with their respective investigations.

This makes the stakes particularly high for tech companies like Google and Facebook, which are either currently under investigation in the EU, and for whom the legislation essentially was tailor-made. Google could face a fine of up to $5 billion, and Facebook up to $2.2 billion, based on both companies’ annual revenue in 2018.

Marriott’s CEO Arne Sorenson said in a statement, “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”

According to reports, the European Data Protection Board questioned how well Marriott had vetted and protected data when it acquired Starwood in a $13.6 billion deal that closed in 2016.

“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” the ICO board said in a statement.

British Airways parent IAG said it was “surprised and disappointed” by the decision, and said it would “vigorously” defend its stance.

The rulings, according to GlobalData, should intensify the attention that large, global enterprises pay to cyber security.

Nick Wyatt, Head of R&A, Travel & Tourism at GlobalData, a leading data and analytics company, offers his view:

“In a survey conducted by GlobalData, 37% of respondents stated that their companies were making a ‘major investment’ into cybersecurity technologies now. A further 43% said they would be doing so in the next three years.”

Wyatt said that while 37% is encouraging, the fact that over 40% are still delaying investment despite last year’s large-scale breaches at Marriott and British Airways shows that measures are often “not yet robust enough.”

“The consequences are clearly significant in financial terms, but there is also a somewhat intangible reputational impact,” Wyatt continued. “Consumers’ faith in companies can be shaken, particularly in the travel and tourism industry, where companies have a duty of care to look after highly sensitive personal data such as that contained within passports. These fines must serve as a wake-up call for other companies, many of whom are still highly vulnerable to cyberattacks themselves. These companies need to act now and ensure that they are harnessing the latest technologies to protect their customers’ personal data.”

“Network security continues to be an afterthought for a large percentage of companies,” said Ed Wood, CEO, Dispersive, a network security company based in Atlanta. “This is indicated by the 43% of companies that are looking at the next three years to address their cybersecurity needs. There needs to be a sense of more urgency. With breaches becoming an almost daily occurrence, companies will not only start to pay more fines but they will also see their bottom line affected when consumers switch their allegiances to companies that take the security of their personal information more seriously and take the maximum steps needed to protect it.” 

Arti Loftus is an experienced Information Technology specialist with a demonstrated history of working in the research, writing, and editing industry with many published articles under her belt.

Edited by Maurice Nagle