The Information Commissioner’s Office (ICO), a public body sponsored by the UK’s Department for Digital, Culture, Media and Sport (DCMS), has again deferred the payment of multi-million-dollar fines levied on Marriott International and British Airways after both firms had customer information stolen by hackers.

The fines, issued two days apart in July last year, will be deferred until later in 2020 “pending further investigations”.

It is the second time a deferral has been announced, following the first in January 2020.

Given the fines were the ICO’s first flex of its newly strengthened GDPR muscle – and the fact that, to negotiate a deferral, it has to seek agreement from the entities being penalised under Schedule 16 of the Data Protection Act 2018 – it’s a less than ideal situation for a regulator to be in.

British Airways – which is no stranger to huge IT issues – was handed its “notice of intent” for a fine of £183.4 million last year after hackers stole login details as well as information on names, addresses, travel booking information and payment cards, including CVV codes.

The extent of the hack, which came to light in October 2018, was revealed over several weeks. Initially the airline said 380,000 payment cards had been compromised, but it later revised this down to 244,000.

Then BA said customers who made a rewards booking using a payment card between April and July that year “may be at risk”. Later it said that a further 77,000 customers had had their names, addresses, email addresses, card numbers, expiry dates, and CVV numbers stolen, and that a further 108,000 “may have had details stolen” but not the CVV.

Marriott International’s hack also occurred in 2018, with the chain aware from September that year. The news broke that November and the following July the ICO issued a fine of £99.2 million. The hack included credit card, passport and DOB details of 30 million guests across 31 EU countries, and hundreds of millions more beyond the ICO’s jurisdiction.

In a statement issued in July 2019, Marriott International’s president and CEO Arne Sorenson said: “We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.

“We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”

Marriott International has since suffered other hacks, most recently in March this year.

Flexing the GDPR

To date, the UK has led other European nations in issuing fines and these two penalties were also the ICO’s first use of regulatory powers designed to protect consumer data under GDPR.

Under the regulation, the office has the power to issue fines of up to £18 million or 4% of annual global turnover, whichever is greater.

Demonstrating just how much additional power that gives the ICO: in 2018, when Facebook shared the data of 87 million users with third parties without sufficient consent, it was fined only £500,000 under the previous regime.