General Data Protection Regulation fines are like a number 65 bus: you wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three monetary penalty notices. All relate to breaches of GDPR’s security requirements as set out in articles 5 and 32.
The latest monetary penalty notice requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised the personal information of millions of customers. The ICO investigation found a vulnerability in a third-party chatbot which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4 million Ticketmaster customers across Europe including 1.5 million in the UK.
According to the ICO, as a result of the attack 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these and other banks had warned Ticketmaster of suspected fraud. Despite these warnings Ticketmaster took nine weeks to start monitoring activity on its payments page. The ICO found that Ticketmaster failed to:
- assess the risks of using a chatbot on its payment page;
- identify and implement appropriate security measures to negate the risks; and
- identify the source of suggested fraudulent activity in a timely manner.
Ticketmaster’s appeal against the fine will put the ICO’s reasoning and actions when issuing penalties under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.
Two other recent ICO fines also concerned cybersecurity breaches. In October 2020, Marriott International Inc was fined £18.4m after 339 million guest records were affected by a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The personal data involved differed between individuals but may have included, among other things, names, email addresses, phone numbers, unencrypted passport numbers and arrival/departure information. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The ICO acknowledged that Marriott acted promptly to contact guests and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers. However, it was found to have breached the security requirements of GDPR. The fine relates only to the breaches from 25 May 2018, when GDPR came into effect, although the ICO’s investigation traced the cyber-attack back to 2014.
Marriott does not intend to appeal the fine but this is not the end of the matter. It is still facing a civil class action in the High Court for compensation on behalf of all those affected by the data breach.
Also in October, the ICO finally issued a fine to British Airways (BA) for a cybersecurity breach which saw the personal and financial details of more than 400,000 customers accessed by attackers. The £20m fine is a far cry from the original notice of intent, issued in July 2018, for £183m. But, then again, the smaller fine is no big surprise either.
The BA fine followed a cyber-attack in 2018 which remained undetected for more than two months. The attack involved diverting cardholder data from BA’s official website to one set up by the attacker.
The attacker is believed to have accessed the personal data of up to 429,612 customers and staff. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and the card numbers only of 108,000 customers. The usernames and passwords of BA employee and administrator accounts, as well as the usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.
According to the ICO, there were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access its network. These include:
- limiting access to applications, data and tools to that required to fulfil a user’s role;
- undertaking rigorous testing in the form of simulating a cyber-attack on the business systems; and
- protecting employee and third-party accounts with multi-factor authentication.
Additional mitigating measures BA could have used are listed in the penalty notice. None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft operating system used by BA.
Readers are encouraged to read the BA monetary penalty notice, as it sets out not only the reasons for the ICO’s conclusion but also the factors it took into account in deciding to issue a fine and how it calculated the amount.
Thus far 75% of the fines issued by the ICO under GDPR relate to cybersecurity breaches. This area is one of the ICO’s top regulatory priorities.
Ibrahim Hasan is a solicitor and director of Act Now Training (actnow.org.uk)