Government officials are getting busy issuing fines under the General Data Protection Regulation (GDPR). The UK’s data regulating body posted notices of intention to fine two major organizations this month to the tune of a combined $317 million:
- July 8: British Information Commissioner's Office (ICO) posted a notice of its intent to fine British Airways $205.7 million for GDPR infringements.
- July 9: ICO issued a notice of its intention to fine Marriott International $111.5 million for GDPR infringements relating to a 2018 cyber incident.
These are the top two fines — easily — under the European Union’s GDPR law, put into effect May 25, 2018. We caught up with some experts to hear what other organizations should take away from the British Airways and Marriott GDPR fines.
How Did British Airway and Marriot Cross GDPR Guidelines?
First, some background on the incidents that led to fines. According to ICO officials, the 2018 incident with British Airways in part involved user traffic to the British Airways website being diverted to a fraudulent site, where cyberattackers harvested the personal data of approximately 500,000 customers.
With Marriott International, a variety of personal data contained in approximately 339 million global guest records were exposed by the incident. The vulnerability began when the systems of the Starwood hotels group were compromised in 2014, according to the ICO. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems, according to the ICO.
Related Article: What We Can Learn From the GDPR's First Fines
Security Audits Essential
Chris Olson, CEO of The Media Trust, said an immediate security audit should take place prior to combining complete systems. This will detect if security basics are in order such as ensuring that servers are set up and secured, customer information is encrypted and that both companies are aligned in how customer data is collected, handled and stored.
“IT teams must pay attention to not only transactions, but peripheral programs as well, such as loyalty programs that cybercriminals routinely hack to make their way into the corporate network as they have not been traditionally secured as heavily as transactions, reservations etc.” Olson said.
Beef Up Human Element of Cybersecurity
What can organizations do to prevent traffic being diverted to a fraudulent site? Today’s polymorphic malware demonstrates why you can’t fight malicious code with algorithms alone, Olson said. “You need to beef up the human element of cybersecurity,” Olson said. “Polymorphic malware is designed to change characteristics in order to outmaneuver pattern-based detection methods like conventional blocking and antivirus,” Olson said. “The brains behind these sophisticated attacks can only be outwitted by other experts, who can quickly spot and analyze new threat patterns and help disrupt the malware before it compromises a site and harms customers.”
Protecting today’s websites requires a multi-pronged approach, one that combines digital threat experts, a blocker that receives an infusion of new malware data every few minutes and continuous scanning for unauthorized code, he said.
Related Article: 6 Takeaways From GDPR's First Year
Update Your Employee Contracts
Peter Martini, president and co-founder of iboss, said the fines serve as a reminder to update your employee contracts. Making sure you have controls over what employees can and can’t share for data is a big step. This is especially true for global companies where employees will be communicating across regions and perhaps into the EU. “Make sure that your employee contracts are holistic across the organization, especially on a multinational level,” Martini said.
Know Where Your Data Is
Knowing where your data exists is always a good idea, especially considering GDPR provisions such as Article 14, which discusses when information is to be provided where personal data have not been obtained from the data subject. “Review where your data is at, who has access to it, identify any shadow IT, who can access it, what permissions they have when they access it,” Martini said. “Have an audit and track … any potential risk there.”
Related Article: Happy Anniversary GDPR — What Should Organizations Do Now?
Protection Against Common Web App Vulnerabilities
British Airways appeared to have failed to protect its site against common web application security risks, which led to the injection of a digital card skimmer by a malicious third party, according to Sweeney Williams, vice president of security, privacy and compliance at Vision Critical. The skimmer stole payment card and other personal data of approximately 500,000 customers, he said.
What could they have done differently? British Airways should have implemented stronger protection against common web application vulnerabilities, which could have prevented the attack.
Prevention, Breach Notification Errors
As for Marriott, the hotel chain initially detected suspicious activity in its Starwood reservation system in September 2018, but did not report the breach until mid-November, falling significantly short of its reporting obligations, Williams said.
“Marriott could have done a much better job of performing due diligence on acquisition, and should have implemented much stronger prevention and detection mechanisms in securing its systems,” Williams said. “Marriott also should have implemented a more robust breach response and notification process aligned with GDPR.” However, he added, while a great breach response is as essential as ever, it will not be sufficient cover to avoid a significant financial penalty.
Regulators Mean Business
Williams pointed to Information Commissioner Elizabeth Denham’s comment in the ICO’s British Airways July 8 press release as the ultimate lesson for organizations here:
“People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
When consumers put their trust in a brand and provide it with their sensitive information, that trust must be respected with proportionate and adequate defenses, Williams said. “All organizations that process personal data must prioritize data protection and ensure that appropriate resources are assigned to the creation, maintenance and constant improvement of security and privacy practices,” he said. “Failure to do so will make it difficult, if not impossible for organizations to avoid regulatory fines when things go wrong.”