We could not find any results for:
Make sure your spelling is correct or try broadening your search.

Trending Now


It looks like you aren't logged in.
Click the button below to log in and view your recent history.

Registration Strip Icon for default Register for Free to get streaming real-time quotes, interactive charts, live options flow, and more.

IAG International Consolidated Airlines Group S.a.

-0.60 (-0.39%)
30 Nov 2023 - Closed
Delayed by 15 minutes
Share Name Share Symbol Market Type Share ISIN Share Description
International Consolidated Airlines Group S.a. LSE:IAG London Ordinary Share ES0177542018 ORD EUR0.10 (CDI)
  Price Change % Change Share Price Bid Price Offer Price High Price Low Price Open Price Shares Traded Last Trade
  -0.60 -0.39% 153.10 152.75 152.85 154.30 151.95 154.10 14,889,194 16:35:10
Industry Sector Turnover Profit EPS - Basic PE Ratio Market Cap
Air Transport, Scheduled 23.07B 431M 0.0867 22.49 9.69B

U.K. Regulator on Why It Is Pursuing Record Fines Against BA, Marriott

10/07/2019 10:59am

Dow Jones News

International Consolidat... (LSE:IAG)
Historical Stock Chart

From Dec 2018 to Dec 2023

Click Here for more International Consolidat... Charts.
By Catherine Stupp 

BRUSSELS -- U.K. Information Commissioner Elizabeth Denham said her office considered cybersecurity gaps, among other factors, in proposing that Marriott International Inc. and British Airways' parent company pay the biggest fines to date under Europe's data-privacy laws.

In an interview with WSJ Pro Cybersecurity, Ms. Denham said the companies' size, the number of people affected and the length of time that hackers had access to data before they were detected factored into the U.K. regulator's calculation of the potential fines, revealed this week.

International Consolidated Airlines Group SA faces a $230 million penalty for General Data Protection Regulation violations, while Marriott would be on the hook for $124 million related to poor security measures. Both companies disclosed the data breaches in question last year.

The companies have 28 days to respond before the U.K. regulator issues its final decisions, and they can appeal. Marriott said it would contest the planned fine. International Consolidated Airlines' chief executive said Monday that the company would defend British Airways' position.

Here are excerpts of Ms. Denham's conversation with WSJ Pro:

Q: The fines you proposed would be the highest GDPR fines to date. What factored into the assessments?

A: The number of individuals affected, the severity of the attacks, how long people were on the site doing malicious things with data before it was discovered. We looked at their rigor in terms of prevention of these kinds of attack. We also looked at the long-term implications for people. We obviously looked at the size of the company, their turnover. Our fines have to be effective, proportionate and dissuasive. For a fine to be dissuasive against a company that has a turnover in this stratosphere, we have to provide the fine accordingly. This is not a small business. This is not a charity. This is a large business that you'd expect would take care of personal data.

Q: British Airways and Marriott said they hadn't detected cases of fraud involving data stolen from them, which is counter to findings from some cybersecurity researchers who say data from those breaches is for sale on the dark web. Do you take into account such statements from companies?

A: We look at the opportunities for misuse of compromised data. In the Yahoo breach, which happened in 2014, it took three years to find a huge cache of personal data that was for sale on the dark web....That's not what we're measuring. We're not saying, can you prove a link between the compromise of the data and that specific cybersecurity incident? It sometimes takes years. That's not our focus. Our focus is whether or not there was adequate, reasonable, consistent, effective data security to protect people's data.

Q: Do you have technical experts who look for stolen data on the dark web as part of your investigations?

A: We do. We have a whole tech policy team; we have a lab that's disconnected from our own servers that's looking at all these issues.

Q: Some experts say security failures at British Airways that led to the cyberattack are common for e-commerce companies. Does failing on basic security measures mean a company could face a higher fine?

A: There are 100 pages behind our intention to fine, but that's not in the public domain....We found some fundamental failings in data security in both of the companies....They have to be PCI-compliant [adhering to standards for handling payment-card data]. They have to have protection because they run loyalty programs, because they've got the financial data of millions and millions of people....Some critics would say the company was a victim of criminal activity....That's for the police to investigate. For us, we look at whether or not the doors were left open to make it easy for cyberattacks, whether or not the attack was foreseeable, what kind of due diligence and steps were taken in the data security program.

Q: What's most frustrating?

A: So many of our investigations are finding basic or a lack of cybersecurity hygiene, lack of some of the most basic protections that people would expect, encryption of credit card data. The CVV codes on credit cards at British Airways were open. They were not encrypted. There's payment card industry standards that require that. Do we look at what other companies are doing? If everyone's at this really low common denominator, do we take that into account? We do look at what the industry is doing. We do look across the retail sector versus the tech sector versus the automotive sector and the transportation sector.

Q: Are you going to announce other major GDPR decisions soon?

A: We have a number of other investigations and enforcement actions in the pipeline. There will be some more fines that are going to come out over the summer....We didn't disclose this fine for British Airways nor did we disclose it for Marriott. Those companies had a confidential notice of intent and they had market obligations to disclose it. They decided. So we followed up with a statement. That's why you don't see the full report with all the details. Usually this is a confidential exchange.

Q: Statements from your office about British Airways and Marriott said the companies improved their data security since these incidents. Did those changes factor into your fines?

A: We fined Facebook GBP500,000 for their role in the Cambridge Analytica/ Facebook disclosure election misuse of 87 million people's data. That was our maximum fine that was available to us [before GDPR went into effect in May 2018]. That's not dissuasive, is it, for a company like Facebook....They have made some changes but I think we have to make a very strong statement to the market and companies about their GDPR obligations. It has to be a proportionate fine. But we're open to hear what companies have to say. That's the process.

Write to Catherine Stupp at


(END) Dow Jones Newswires

July 10, 2019 05:44 ET (09:44 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.

1 Year International Consolidat... Chart

1 Year International Consolidat... Chart

1 Month International Consolidat... Chart

1 Month International Consolidat... Chart

Your Recent History

Delayed Upgrade Clock

By accessing the services available at ADVFN you are agreeing to be bound by ADVFN's Terms & Conditions

Support: +44 (0) 203 8794 460 |