Ibrahim Hasan

General Data Protection Regulation fines are like a number 65 bus: you wait for a long time and then three arrive at once. Within the space of a month the Information Commissioner’s Office (ICO) has issued three monetary penalty notices. All relate to breaches of GDPR’s security requirements as set out in articles 5 and 32.


The latest monetary penalty notice requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised the personal information of millions of customers. The ICO investigation found a vulnerability in a third-party chatbot which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4 million Ticketmaster customers across Europe including 1.5 million in the UK.

According to the ICO, as a result of the attack 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these and other banks had warned Ticketmaster of suspected fraud. Despite these warnings Ticketmaster took nine weeks to start monitoring activity on its payments page. The ICO found that Ticketmaster failed to:

  • assess the risks of using a chatbot on its payment page;
  • identify and implement appropriate security measures to negate the risks; and
  • identify the source of suggested fraudulent activity in a timely manner.

Ticketmaster’s appeal will put the ICO’s reasoning and actions when issuing fines under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.

Marriott International

Two other recent ICO fines also concerned cybersecurity breaches. In October 2020, Marriott International Inc was fined £18.4m after 339 million guest records were affected by a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The personal data involved differed between individuals but may have included, among other things, names, email addresses, phone numbers, unencrypted passport numbers and arrival/departure information. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.

The ICO acknowledged that Marriott acted promptly to contact guests and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers. However it was found to have breached the security requirements of GDPR. The fine only relates to the breaches from 25 May 2018, when GDPR came into effect, although the ICO’s investigation traced the cyber-attack back to 2014.

Marriott does not intend to appeal the fine but this is not the end of the matter. It is still facing a civil class action in the High Court for compensation on behalf of all those affected by the data breach.

British Airways

Also in October, the ICO finally issued a fine to British Airways (BA) for a cybersecurity breach which saw the personal and financial details of more than 400,000 customers accessed by attackers. The £20m fine is a far cry from the original notice of intent, issued in July 2018, for £183m. But, then again, the smaller fine is no big surprise either.

The BA fine followed a cyber-attack in 2018 which remained undetected for more than two months. The attack involved diverting cardholder data from BA’s official website to one set up by the attacker.

The attacker is believed to have potentially accessed the personal data of 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. The usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.

According to the ICO, there were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access its network. These include:

  • limiting access to applications, data and tools to that required to fulfil a user’s role;
  • undertaking rigorous testing in the form of simulating a cyber-attack on the business systems; and
  • protecting employee and third-party accounts with multi-factor authentication.

Additional mitigating measures BA could have used are listed in the penalty notice. None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft operating system used by BA.

Readers are encouraged to read the BA monetary penalty notice, as it not only sets out the reasons for the ICO conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount.

To date 75% of the fines issued by the ICO under GDPR relate to cybersecurity breaches. This area is one of the ICO’s top regulatory priorities.


Ibrahim Hasan is a solicitor and director of Act Now Training (actnow.org.uk)