U.K. Regulator on Why It Is Pursuing Record Fines Against BA, Marriott

10/07/2019 10:59am

Dow Jones News


By Catherine Stupp 

BRUSSELS -- U.K. Information Commissioner Elizabeth Denham said her office considered cybersecurity gaps, among other factors, in proposing that Marriott International Inc. and British Airways' parent company pay the biggest fines to date under Europe's data-privacy laws.

In an interview with WSJ Pro Cybersecurity, Ms. Denham said the companies' size, the number of people affected and the length of time that hackers had access to data before they were detected factored into the U.K. regulator's calculation of the potential fines, revealed this week.

International Consolidated Airlines Group SA faces a $230 million penalty for General Data Protection Regulation violations, while Marriott would be on the hook for $124 million related to poor security measures. Both companies disclosed the data breaches in question last year.

The companies have 28 days to respond before the U.K. regulator issues its final decisions, and they can appeal. Marriott said it would contest the planned fine. International Consolidated Airlines' chief executive said Monday that the company would defend British Airways' position.

Here are excerpts of Ms. Denham's conversation with WSJ Pro:

Q: The fines you proposed would be the highest GDPR fines to date. What factored into the assessments?

A: The number of individuals affected, the severity of the attacks, how long people were on the site doing malicious things with data before it was discovered. We looked at their rigor in terms of prevention of these kinds of attack. We also looked at the long-term implications for people. We obviously looked at the size of the company, their turnover. Our fines have to be effective, proportionate and dissuasive. For a fine to be dissuasive against a company that has a turnover in this stratosphere, we have to provide the fine accordingly. This is not a small business. This is not a charity. This is a large business that you'd expect would take care of personal data.

Q: British Airways and Marriott said they hadn't detected cases of fraud involving data stolen from them, which is counter to findings from some cybersecurity researchers who say data from those breaches is for sale on the dark web. Do you take into account such statements from companies?

A: We look at the opportunities for misuse of compromised data. In the Yahoo breach, which happened in 2014, it took three years to find a huge cache of personal data that was for sale on the dark web....That's not what we're measuring. We're not saying, can you prove a link between the compromise of the data and that specific cybersecurity incident? It sometimes takes years. That's not our focus. Our focus is whether or not there was adequate, reasonable, consistent, effective data security to protect people's data.

Q: Do you have technical experts who look for stolen data on the dark web as part of your investigations?

A: We do. We have a whole tech policy team; we have a lab that's disconnected from our own servers that's looking at all these issues.

Q: Some experts say security failures at British Airways that led to the cyberattack are common for e-commerce companies. Does failing on basic security measures mean a company could face a higher fine?

A: There are 100 pages behind our intention to fine, but that's not in the public domain....We found some fundamental failings in data security in both of the companies....They have to be PCI-compliant [adhering to standards for handling payment-card data]. They have to have protection because they run loyalty programs, because they've got the financial data of millions and millions of people....Some critics would say the company was a victim of criminal activity....That's for the police to investigate. For us, we look at whether or not the doors were left open to make it easy for cyberattacks, whether or not the attack was foreseeable, what kind of due diligence and steps were taken in the data security program.

Q: What's most frustrating?

A: So many of our investigations are finding basic or a lack of cybersecurity hygiene, lack of some of the most basic protections that people would expect, encryption of credit card data. The CVV codes on credit cards at British Airways were open. They were not encrypted. There's payment card industry standards that require that. Do we look at what other companies are doing? If everyone's at this really low common denominator, do we take that into account? We do look at what the industry is doing. We do look across the retail sector versus the tech sector versus the automotive sector and the transportation sector.

Q: Are you going to announce other major GDPR decisions soon?

A: We have a number of other investigations and enforcement actions in the pipeline. There will be some more fines that are going to come out over the summer....We didn't disclose this fine for British Airways nor did we disclose it for Marriott. Those companies had a confidential notice of intent and they had market obligations to disclose it. They decided. So we followed up with a statement. That's why you don't see the full report with all the details. Usually this is a confidential exchange.

Q: Statements from your office about British Airways and Marriott said the companies improved their data security since these incidents. Did those changes factor into your fines?

A: We fined Facebook GBP500,000 for their role in the Cambridge Analytica/ Facebook disclosure election misuse of 87 million people's data. That was our maximum fine that was available to us [before GDPR went into effect in May 2018]. That's not dissuasive, is it, for a company like Facebook....They have made some changes but I think we have to make a very strong statement to the market and companies about their GDPR obligations. It has to be a proportionate fine. But we're open to hear what companies have to say. That's the process.

Write to Catherine Stupp at Catherine.Stupp@wsj.com

 

(END) Dow Jones Newswires

July 10, 2019 05:44 ET (09:44 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.
