GDPR fines are like a number 65 bus. You wait for a long time and then three arrive at once. In the space of a month the Information Commissioner’s Office (ICO) has issued three Monetary Penalty Notices. The latest requires Ticketmaster to pay £1.25m following a cyber-attack on its website which compromised millions of customers’ personal information.
The ICO investigation into this breach found a vulnerability in a third-party chatbot built by Inbenta Technologies, which Ticketmaster had installed on its online payments page. A cyber-attacker was able to use the chatbot to access customer payment details, which included names, payment card numbers, expiry dates and CVV numbers. This had the potential to affect 9.4 million Ticketmaster customers across Europe, including 1.5 million in the UK.
As a result of the breach, according to the ICO, 60,000 payment cards belonging to Barclays Bank customers had been subjected to known fraud. Another 6,000 cards were replaced by Monzo Bank after it suspected fraudulent use. The ICO said these banks and others had warned Ticketmaster of suspected fraud. Despite these warnings, it took Ticketmaster nine weeks to start monitoring activity on its payments page.
The ICO found that Ticketmaster failed to:
Assess the risks of using a chatbot on its payment page
Identify and implement appropriate security measures to negate the risks
Identify the source of suggested fraudulent activity in a timely manner
James Dipple-Johnstone, Deputy Information Commissioner, said:
“When customers handed over their personal details, they expected Ticketmaster to look after them. But they did not.
Ticketmaster should have done more to reduce the risk of a cyber-attack. Its failure to do so meant that millions of people in the UK and Europe were exposed to potential fraud.
The £1.25 million fine we’ve issued today will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda.”
In a statement, Ticketmaster said:
“Ticketmaster takes fans’ data privacy and trust very seriously. Since Inbenta Technologies was breached in 2018, we have offered our full cooperation to the ICO. We plan to appeal [against] today’s announcement.”
Ticketmaster’s appeal will put the ICO’s reasoning and actions, when issuing fines, under judicial scrutiny. This will help GDPR practitioners faced with similar ICO investigations.
Ticketmaster is also facing civil legal action by thousands of fraud victims. Kingsley Hayes, head of cyber-crime at law firm Keller Lenkner, which represents some of these victims, said:
“While several banks tried to alert Ticketmaster of potential fraud, it took an unacceptable nine weeks for action to be taken, exposing an estimated 1.5 million UK customers.”
Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount. This fine follows hot on the heels of the British Airways and Marriott fines which also concerned cyber security breaches. (You can read more about the causes of cyber security breaches in our recent blog post.)
75% of fines issued by the ICO under GDPR relate to cyber security. This is a top regulatory priority for the ICO as well as supervisory authorities across Europe. Data Protection Officers should place cyber security at the top of their learning and development plan for 2021.
The Information Commissioner’s Office (ICO) has issued a fine to Marriott International Inc for a cyber security breach which saw the personal details of millions of hotel guests being accessed by hackers. The fine does not come as a surprise as it follows a Notice of Intent, issued in July 2018. The amount of £18.4 million though is much lower than the £99 million set out in the notice.
Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
The personal data involved differed between individuals but may have included names, email addresses, phone numbers, unencrypted passport numbers, arrival/departure information, guests’ VIP status and loyalty programme membership number. The precise number of people affected is unclear as there may have been multiple records for an individual guest. Seven million guest records related to people in the UK.
In 2014, an unknown attacker installed a piece of code known as a ‘web shell’ onto a device in the Starwood system giving them the ability to access and edit the contents of this device remotely. This access was exploited in order to install malware, enabling the attacker to have remote access to the system as a privileged user. As a result, the attacker would have had unrestricted access to the relevant device, and other devices on the network to which that account would have had access. Further tools were installed by the attacker to gather login credentials for additional users within the Starwood network. With these credentials, the database storing reservation data for Starwood customers was accessed and exported by the attacker.
The ICO acknowledged that Marriott acted promptly to contact customers and the ICO. It also acted quickly to mitigate the risk of damage suffered by customers. However, it was found to have breached the Security Principle (Article 5(1)(f)) and Article 32 (Security of personal data). The fine only relates to the breaches from 25 May 2018, when GDPR came into effect, although the ICO’s investigation traced the cyber-attack back to 2014.
Data Protection Officers are encouraged to read the Monetary Penalty Notice as it not only sets out the reasons for the ICO’s conclusion but also the factors it has taken into account in deciding to issue a fine and how it calculated the amount.
It is also essential that DPOs have a good understanding of cyber security. We have some places available on our Cyber Security for DPOs workshop in November.
The Information Commissioner, Elizabeth Denham, said:
“Personal data is precious and businesses have to look after it. Millions of people’s data was affected by Marriott’s failure; thousands contacted a helpline and others may have had to take action to protect their personal data because the company they trusted it with had not.”
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect.”
Marriott said in a statement:
“Marriott deeply regrets the incident. Marriott remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems. The ICO recognises the steps taken by Marriott following discovery of the incident to promptly inform and protect the interests of its guests.”
Marriott has also said that it does not intend to appeal the fine, but this is not the end of the matter. It is still facing a civil class action in the High Court for compensation on behalf of all those affected by the data breach.
This is the second highest GDPR fine issued by the ICO. On 16th October British Airways was fined £20 million, also for a cyber security breach. (You can read more about the causes of cyber security breaches in our recent blog post.) The first fine was issued in December 2019 to Doorstep Dispensaree Ltd for a comparatively small amount of £275,000.
Even with the best data protection training and awareness programme, mistakes can and do happen when organisations process personal data of a sensitive nature. Personal data can be lost or simply sent to the wrong person. Two recent High Court cases involve local authorities seeking injunctions in an attempt to limit the impact caused by inadvertent disclosures.
In Redbridge LBC v Jennings  5 WLUK 122 (to the best of our knowledge, only reported on Westlaw) the London Borough of Redbridge was granted an injunction to prevent X from publishing highly sensitive information about another family, that the Council had inadvertently sent to X. London Borough of Lambeth v Anthony Amaebi Harry  EWHC 1458 (QB) was partly about a Breach of Confidence action by Lambeth Council against the Respondent who had also received third-party personal data. Let’s consider both cases and what we can learn from them.
In the Redbridge case, a council employee wrote to X regarding her family. However the employee inadvertently included documents, containing highly sensitive information about another family (Family A), in the envelope. When X received the documents, she realised that she should not have seen them and so she returned them to the council. However, it later transpired that X had taken copies of the documents and that she planned to visit Family A to inform them about the council’s error. X also indicated that she would not destroy the copies that she had retained but she would give them to her solicitor. It is clear that X understood the confidential nature of the documents, and that she did not intend to share them with anybody else. However, it appears that she intended to retain the documents (in the hands of her solicitor) for the purpose of pursuing her own data protection claim against the council. X alleged that information about her family had been sent to a third-party who had “knocked on her door to return the documents”. At the time of writing it is uncertain whether X has brought such an action.
In the Lambeth case, Mr Harry made a subject access request (in November 2018) to the Council seeking information held about his child. It appears that another person (HJ) had made allegations to the Council about the care that Mr Harry and his wife were providing for their child. Lambeth Council provided the information to Mr Harry by electronic means. However, it turned out that Mr Harry was able to manipulate the data (by removing the redactions that the Council had made) and so identify HJ, who had made the initial allegations. He commenced legal proceedings against HJ for defamation.
Lambeth Council sued Mr Harry for Breach of Confidence. It claimed that the information was provided to Mr Harry in circumstances where he knew it was confidential and that he had breached that confidentiality by “unredacting” the data, retaining it and using it as evidence to start court proceedings against HJ. The Council’s rationale for bringing the Breach of Confidence action was that informants have an expectation of confidentiality. The Council obtained an interim injunction in February 2019 to restrain Mr Harry from using the information he had acquired.
GDPR Article 4(12) defines a personal data breach as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Article 33 of GDPR requires a Data Controller to notify the Information Commissioner’s Office (ICO) about a personal data breach “without undue delay and, where feasible, not later than 72 hours after becoming aware of it”. Notification is not required if the personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Disclosing highly sensitive information about one family to another is likely to be a notifiable breach. A failure to adequately redact the name of a person who makes confidential allegations is also likely to have the same result.
The problem with inadvertent and accidental disclosures is that the Data Controller may not become aware of them for some time. In the Redbridge Council case, X told the Council she had received the documents by mistake. According to the Article 29 Data Protection Working Party Guidelines on Personal Data Breach Notification under Regulation 2016/679, when a third party informs a Data Controller that they have accidentally received the personal data of one of its customers and provides evidence of the unauthorised disclosure, the Data Controller has become “aware” of the personal data breach. Where a Data Controller has been presented with clear evidence of a confidentiality breach, there can be no doubt that it has become “aware”. In the Redbridge case the Council took a decision to self-refer to the Information Commissioner’s Office; interestingly, the facts suggest that this happened prior to the GDPR coming into force.
In the Lambeth case it is not entirely clear when or how the Council became aware that Mr Harry had been able to manipulate the data. However, the facts, as recorded in the judgment, suggest that it became aware sometime in late 2018 when the ICO investigated complaints made by Mr Harry about the Council’s handling of his subject access request. In other words, it does not look like the Council was aware of the breach until the ICO investigated, although this is not certain from the limited factual information in the judgment.
When a Data Controller becomes aware that personal data has been unlawfully disclosed to a third party, it needs to contain the incident and assess the risk that could result from it. One way of doing this is to request that the recipient either return the information or securely destroy it. However, the Article 29 Guidelines make it clear that the Data Controller must be able to “trust” the recipient to do this. In both cases it was quite clear that the recipients had no intention of safely destroying the personal data or returning it to the respective councils. In both cases the recipients intended to use the data as evidence in their own legal claims. In both cases the Councils sought an injunction to restrain the recipients on the grounds of misuse of private information and/or Breach of Confidence.
Injunctions and Offences
Before granting an injunction, the High Court is required to consider whether an injunction would affect a person’s right to freedom of expression; for example his/her right to publish the information online or via the press. It can only grant an injunction if it is satisfied that publication should not be allowed.
In the Redbridge case the Court considered that the information was highly sensitive and that there would be a breach of confidentiality if the documents were either revealed to the press or published on-line. It therefore granted the injunction. In the Lambeth case the Court granted an interim injunction but the case concerning the Breach of Confidence has been listed for trial in July 2020 where Mr Harry will argue that he has a public interest defence.
In April 2020 the ICO decided to prosecute Mr Harry (in the Lambeth case) for two offences: knowingly or recklessly re-identifying de-identified personal data without the consent of the Data Controller, contrary to s.171(1) of the Data Protection Act 2018 (“the DPA”), and knowingly or recklessly processing re-identified personal data without the consent of the Data Controller, contrary to s.171(5). There are no further details about this prosecution at present.
The incidents in the cases referred to above were not major cyber-attacks or large-scale disclosures. In one case personal data was inadvertently put into an envelope. In another personal data was not properly redacted. But the consequences were potentially severe and could have caused significant harm to the data subjects concerned.
Both cases show that, although breach notification goes a long way towards addressing issues of awareness and accountability, Data Controllers may need to take further legal action, in the form of an injunction, to prevent collateral damage from an accidental disclosure. The ICO can use its enforcement powers under the DPA 2018 to prosecute people who unlawfully re-identify personal data and seek to process it, but this may come too late if the damage is already done.
GDPR is going global! Ibrahim Hasan is delivering a webinar which will give you a whistle-stop tour of data protection laws around the world. Want a GDPR qualification? Our next online GDPR Practitioner Certificate course is fully booked. There are a few places remaining on the course starting at the end of August.
On 19th May 2020 it was reported that in January 2020 EasyJet was subject to what they describe as a “highly sophisticated” cyber-attack, resulting in the personal data of over 9 million customers being “hacked”. Detailed information about the attack is sparse, with most media sources repeating the same bare facts. Some of the information below is based on the media reports and emails sent to EasyJet customers. At the time of writing there was no information about this on the Information Commissioner’s Office web site.
What little information is available points to a number of breaches of the General Data Protection Regulation (GDPR) which could result in the Information Commissioner’s Office (ICO) imposing a monetary penalty.
However, in view of the ICO’s reassessment of its regulatory approach during the current Coronavirus pandemic and reports that it has further delayed the imposition of its £183 million fine against British Airways, readers may be forgiven for thinking that EasyJet will not be on the receiving end of a fine any time soon. In any event, it seems likely that the ICO will be forced to consider the fact that EasyJet, along with the whole airline industry, has been very severely affected by the Coronavirus and faces huge financial pressures.
The consequences for EasyJet in respect of this breach will remain unclear for many months and may disappoint customers whose personal information has been stolen.
Breach of Security
All Data Controllers must comply with the data protection principles set out in Article 5 of GDPR. In particular, Article 5(1)(f) (the security principle) requires Data Controllers to process personal data in a manner that “ensures appropriate security” of the personal data that they process. That includes protecting against “unauthorised or unlawful processing and against accidental loss, destruction or damage.” This obligation to process personal data securely is further developed in GDPR Article 32, which requires Data Controllers to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The steps that a Data Controller has to take will vary, based upon “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”. In other words, Data Controllers must implement security measures that are “appropriate to the risks” presented by their processing, which reflects the GDPR’s risk-based approach. So, for example, a village hairdresser will not be expected to take the same security precautions as an international airline handling personal data (and often Special Category Data) about millions of people. We do not know what cyber-security precautions EasyJet had in place to prevent this attack; however, it is arguable that it should have reviewed its security arrangements (which it may well have done) in the wake of the British Airways attack that was widely reported in September 2018.
There is no doubt that the incident amounts to a “personal data breach” under GDPR Article 4(12), since it involves a breach of security leading to unauthorised access to the personal data of about 9 million people. Of the 9 million people affected, 2,208 had their credit card details stolen.
When a Data Controller becomes aware of a “personal data breach” it must notify the ICO “without undue delay, and where feasible not later than 72 hours after becoming aware of it” (GDPR Article 33). The controller is relieved from this duty where the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. That does not appear to be the case here given both the scale of the attack and the fact that the hackers gained access to customers’ credit card details and travel plans. The media reports indicate that the ICO was informed about the attacks that took place in January 2020, but there is no indication exactly when it was informed. If EasyJet did not notify the ICO within the time frames of Article 33, then this constitutes a further breach of the GDPR.
Phased notification is allowed, though, when a Data Controller does not have the full details of the data breach within the 72 hours. This is likely to be the case in the EasyJet incident, where the airline instructed an immediate forensic investigation to establish the nature and extent of the breach, but the initial notification should still have been made within the 72-hour period as per Article 33.
Notifying EasyJet Customers
GDPR Article 34 requires a Data Controller to notify any Data Subjects when the personal data breach is “likely to result in a high risk to the[ir] rights and freedoms”. The threshold for communicating a data breach to Data Subjects is higher than for notifying the ICO and therefore it will not always be necessary to communicate with affected Data Subjects.
Data Controllers must assess the risk on a case by case basis. However, the Article 29 Working Party Guidelines on Breach Notification suggest that a high risk exists when the breach may lead to identity theft, fraud or financial loss. This would appear to be the case in the EasyJet breach. The GDPR does not state any specific deadline for notification but it does say that it should be “without undue delay”.
Media reports suggest that EasyJet customers were notified in two separate tranches.
The first notification, to customers whose credit card details were stolen, was sent by email in early April. The second tranche, to all other customers, was sent by 26th May.
Customers who received emails at the end of May were advised that their name, email address and travel details were accessed (but not their credit card or passport details).
The purpose of notifying customers is to enable them to take steps to protect themselves against any negative consequences of the breach. The email suggested that customers take extra care to avoid falling victim to phishing attacks.
It remains to be seen whether EasyJet customers were notified “without undue delay”, given that the airline became aware of the breach in January but the first notification to customers whose credit card details were stolen was not until the end of April. It is plausible that this may have been too late for some customers. If so, not only would this result in a further breach of the GDPR, but it could expose EasyJet to claims for compensation under GDPR Article 82. Indeed, according to SC Magazine, a law firm has already issued a class action claim in the High Court. Note that according to Google v Lloyd (and now under GDPR) claimants do not now have to show direct material damage to claim compensation.
Will EasyJet Be Fined?
The details available to date certainly suggest a breach of Article 5(1)(f) and possibly Article 32. In addition, it may be the case that EasyJet failed to notify its customers without undue delay and so breached Article 34. Breaches of these provisions could theoretically result in the ICO imposing a monetary penalty of up to 4% of EasyJet’s total worldwide annual turnover in respect of a breach of Article 5 and up to 2% of its total worldwide annual turnover for breaches of Articles 32 and 34.
It is too early to compare the circumstances of the EasyJet breach with the British Airways breach. The number of Data Subjects affected by the BA attack was reported to be half a million (compared to 9 million in the EasyJet attack). However, the number of people whose credit card details were stolen in the BA attack was much greater (about 380,000 booking transactions), and British Airways notified its customers immediately. Therefore the scale and gravity of the two breaches are not identical. The ICO will need to take these factors into account in deciding on the level of any fine. The maximum the Commissioner could fine is (as stated above) up to 4% of EasyJet’s annual turnover. It is not clear what this figure is, but the EasyJet Annual Report for 2019 states that the company’s total revenue in 2019 was £6,385 million. In contrast, BA’s total revenue was £12.2 billion. The fine will almost certainly be smaller than that imposed on British Airways, but it remains to be seen how the ICO will react to the financial pressure that EasyJet is clearly under as a result of the Coronavirus pandemic. All we can do is watch this space.