British Airways, Marriott, and Ticketmaster all penalized for failing to manage customer data
The UK’s Information Commissioner's Office (ICO) issued more than £42 million ($59m) worth of fines in 2020 to companies that breached data protection and privacy regulations.
The numbers were published in the agency’s annual ‘work to recover fines’ report, revealing a catalog of misadventures across a variety of sectors.
You get a fine, and you get a fine
The largest fine of 2020 was issued to British Airways (BA). Last October, the airline was hit with a £20 million ($28m) penalty after personal and financial details of more than 400,000 of its customers were stolen during a cyber attack in 2018.
The ICO found that BA had failed to put in place adequate security measures to prevent such an attack, with the airline only discovering the breach two months after it occurred.
Hotel chain Marriott International took the second-largest fine, after a similar cyber attack in 2014 against its Starwood brand led to 339 million guest records being stolen. That attack went undetected until 2018, with Marriott only being fined for the breach last October.
Email addresses, unencrypted passport numbers, and phone numbers were among the information obtained during the Marriott incident.
Ticketmaster was fined £1.25 million for a similar breach, which affected up to 40,000 customers.
A total of 17 penalties were issued last year according to official figures, with the likes of DSG Retail, CRDNN Limited, and Cathay Pacific all receiving fines totaling £500,000.
The industry worst affected was marketing, responsible for nine of the 17 fines.
Additionally, there were eight company directors disqualified following ICO enforcement action in 2020.