British Airways and Marriott International bear the brunt of non-compliance of GDPR

threatcop
3 min read · Jul 11, 2019


Britain's Information Commissioner's Office (ICO) has recently announced fines against two organizations that failed to comply with GDPR. British Airways and Marriott International face combined penalties of roughly £282 million.

The fines were imposed because both organizations failed to protect their customers' personal and financial information from being compromised and did not implement adequate security measures.

British Airways

British Airways was penalized with a heavy fine of £183.39 million, equivalent to 1.5% of the company's worldwide turnover for the financial year 2017. Under GDPR, the maximum penalty is 4% of annual worldwide turnover or €20 million, whichever is higher.

The airline disclosed a breach in 2018: customers who booked flights on its official website and mobile application between 21 August and 5 September 2018 had their personal and payment details stolen by attackers. The organization has 28 days to appeal against the penalty.

Magecart, a notorious collection of hacking groups that specialize in stealing credit card details from websites, was found to be responsible for the attack on one of the world's biggest airlines. The attackers inject malicious JavaScript into the checkout page of a compromised website; the script captures the payment details customers type into the form and sends a copy to a server under the attackers' control, while the legitimate transaction still completes so nothing looks wrong to the victim. The group has also been blamed for card breaches on high-profile websites such as Newegg and Ticketmaster.

Marriott International

Another organization to bear the brunt of GDPR non-compliance was Marriott International. In November 2018 the hospitality group learned of a data breach that had likely begun in 2014. Unknown attackers compromised the guest reservation database of its Starwood hotels subsidiary and accessed the personal details of around 339 million guests. The compromised database held guests' names, mailing addresses, phone numbers, email addresses, dates of birth, gender, arrival and departure information, reservation dates and communication preferences. The breach also exposed unencrypted passport numbers of at least 5 million guests and approximately 8 million credit card records. The incident affected approximately 30 million residents of 31 European countries and 7 million UK residents, and the ICO announced a proposed fine of £99.2 million.

According to Britain’s Information Commissioner’s Office (ICO), these data breaches have been the result of:

Poor Security arrangements

Weak security architecture gives attackers a foothold from which they can move through the organization's network and exfiltrate sensitive data. In British Airways' case the ICO found that poor security arrangements at the company allowed the compromise. It is therefore important to put proper safeguards in place so that the organization's data cannot be exploited by a malicious entity.

Lack of due diligence

The ICO also faulted Marriott for not carrying out sufficient due diligence when it acquired Starwood, whose systems had already been compromised, and for not doing more to secure them afterwards. More generally, every gap in enforcing security controls is an opening through which an attacker can slip into the system and extract sensitive information that harms the organization.

How can organizations protect themselves?

With tools such as ThreatCop, organizations can run periodic cybersecurity awareness and training programs that educate employees about the various forms of cyber attack and the methods used to carry them out.

Complying with industry regulations helps maintain the security standards needed to safeguard an organization. Frameworks such as GDPR, ISO 27001 and HIPAA help organizations operate in line with those standards.

Create policies for controlling access to computer systems and the data within them, and back them with procedures and technical controls so that the policies are actually enforced rather than merely documented.

With the number of cyber-crimes rising every day, organizations must ensure proper enforcement of the security measures and policies that strengthen their defences against cyber threats.



Written by threatcop

Threatcop is a cybersecurity company that provides security solutions to businesses to protect them against email-based attacks and social engineering attacks.
