British Airways, Marriott & GDPR

Regardless of the specific title of a cyber security professional, the day that lies ahead of them is unlikely to follow a generic 9 to 5 pattern. The unpredictable nature of information security means that although certain tasks will always need to be completed, such as checking in with the latest security news reports, the day's events will likely differ from those of its predecessors. The likelihood is that cyber security experts will be working for a number of different types of business, and when one comes under attack, as British Airways did between June and September 2018, the job that unfolds consists of various components of detection, prevention and protection. Due to the immediate and sensitive nature of a cyber-attack and its effect on a business, the cyber security team will work day and night to expose the attack, shut down access to IT systems, remove the network's weak spots and then reach out to affected customers and stakeholders. Unfortunately, not every step was followed by our flagship carrier.

The job of an information security manager or risk analyst is to act as the front line of defence against external threats through constant monitoring and analysis. Implementing measures to keep a company's security systems up to date is vital in establishing a protective shield against hackers. Analysis makes up the bulk of a cyber security professional's daily workload, with around half their time committed to dealing with current detections and incidents and slightly less than that dedicated to the detection of new threats. Understanding the potential threats relevant to the specific business they could endanger is key to heading them off, with cyber security analysts needing to be able to detect a breach as soon as it occurs and put an immediate response plan into effect to minimise potential loss.

British Airways was exposed to a prolonged data breach. This incident in part involved user traffic to the airline's website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. The personal data of approximately 500,000 customers was compromised; the breach is believed to have begun in June 2018. The Information Commissioner's Office (ICO) was notified in September that year. The ICO's investigation found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card and travel booking details as well as name and address information. The outcome: the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

The Marriott data breach took place between 2014 and 2018. The breach exposed the names, addresses, phone numbers, email addresses, dates of birth, gender, passport numbers, account information, booking information and communication preferences of up to 339 million guests (around 30 million related to residents of 31 countries in the European Economic Area (EEA); seven million related to UK residents). The targeted database also contained encrypted credit card information of some of those guests. The company was unable to confirm that the components needed to decrypt this information were not also taken during the breach. Such a large-scale breach of personal data could make it the second biggest to date, behind only the 2013 Yahoo! breach in which the details of some 3 billion users were compromised.

Following an extensive investigation, the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR). It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

Cyber analysts need to think like a hacker in order to anticipate their actions and prevent them. There are professionals working in cyber security and GDPR whose job is to test a company's systems with the sole purpose of exposing any holes in their security. A GDPR practitioner's main focus will naturally be on ensuring business compliance with the regulations set out by the EU. This could potentially be a fairly wide-ranging remit depending on how large and diverse the organisation is. It's likely that they will need to work with senior management, compliance, IT, marketing and various other departments, as GDPR has fairly broad-reaching implications. There are many things that a practitioner might do. For example, they may ensure that subject access requests (SARs) are being handled appropriately, they may be responsible for communication if a data breach occurs, and they will likely have a hand in ensuring that data about EU citizens is kept secure as an ongoing concern. Any business that is still transitioning to GDPR compliance will likely need its practitioner to help guide policy and transition in the first place. This will involve helping various business functions to change the ways in which they do things, so that they can stay on the right side of the law. For example, the marketing department might need help changing the way it collects email addresses from the company website and updating the privacy policy or terms and conditions.

Sampson Hall has a proven track record of working successfully throughout an organisation and can advise and bring together all the functions of the business in order to ensure overall GDPR compliance.

Our offer includes:

We offer a free strategic GDPR audit, please get in touch for further information.

Tom Ziemski (Data Protection Officer):
