The UK Information Commissioner's Office ("ICO") has announced its intention to impose significant fines on British Airways and Marriott for violating the data security requirements of the European Union's General Data Protection Regulation ("GDPR").
According to a notice of intention, the ICO plans to impose a record fine of £183.39 million (U.S. $230 million) on British Airways. In September 2018, the ICO received notification that a cyber incident at British Airways had compromised the personal data of an estimated 500,000 customers. The ICO stated that its investigation found that user traffic to the British Airways website had been diverted to a fraudulent site, through which the attackers harvested customers' information, including login credentials, names, email addresses and payment card details.
The ICO also said that it intends to fine Marriott £99,200,396 (U.S. $123 million) for a breach that exposed approximately 339 million guest records globally. According to the ICO, the unauthorised access to the Starwood guest reservation database began in 2014, but the exposure was not discovered until 2018 and was reported to the ICO in November 2018.
The ICO has been investigating both cases as the lead supervisory authority on behalf of the other EU Member State data protection authorities. Under the GDPR "one stop shop" provisions, the data protection authorities of the EU Member States whose residents have been affected will also have the opportunity to comment on the ICO's findings before any final decision is made, and British Airways and Marriott may make representations on the proposed findings and penalties.
Separately, the ICO has published a draft statutory code of practice on data sharing for consultation.