
What the GDPR fines of British Airways & Marriott mean for the Enterprise

GDPR needs no introduction – since it was established in April 2018, it’s been simmering gently below the surface. Over the course of its first year, it collected £3 million. This all changed recently, however, with two GDPR fines – British Airways and Marriott – collectively adding up to a staggering £282 million.

These fines didn’t come without warning, with clear regulations laid out, alongside the potential penalties of breaching them. Yet these fines have shocked the business world and made many organisations question their current security.


British Airways
British Airways (BA) revealed in September 2018 that it had been the victim of a data breach. Around 380,000 cards were compromised after the personal details of customers were extracted by cybercriminals over a period of 15 days.

The Consequence
The ICO (Information Commissioner’s Office), which is the UK’s data protection authority, announced a GDPR fine for BA of £183.4 million. The fine represents 1.5% of BA’s 2017 turnover.

Marriott
International hotel group Marriott revealed in November 2018 that personal data, including credit card details, passport numbers and dates of birth, had been stolen in a hack. Unauthorised access to the guest database was found to date back to 2014, and a staggering 339 million guests’ data was stolen.

The Consequence
Under GDPR, the ICO is proposing a £99.2 million fine for Marriott, which is 0.5% of the company’s revenue.


GDPR’s introduction was designed to bring industries under a strict set of rules regarding data protection. But prior to these two huge fines, it seemed like a mere threat hanging menacingly overhead, with little real impact visible.

British Airways and Marriott are two major organisations that should both have been investing in cyber security measures to protect corporate and customer data. Both fines have proven that regulators are not afraid to use the powers brought in by GDPR.

With fines of up to €20 million or 4% of annual global turnover, failing to comply with GDPR is no small matter. Some organisations have been avoiding implementing new systems and security measures due to cost. But these fines dwarf the cost of implementation, and restoring a company’s reputation after a data breach can also be costly. IAG, BA’s parent company, has already seen a hit to its stock price, and customer confidence in BA has been hugely shaken.

The message of these fines is clear: if companies are collecting data, they need to ensure that it is safe and that the required controls are in place around it.


Mobliciti can help you secure and protect your data, stopping bad actors from stealing it. We can ensure that only the people who are intended to access your sensitive data can do so, protecting user credentials by moving away from the traditional static username and password. Learn more about the benefits of adaptive authentication here.

Mobliciti can also enable you to harness cloud computing without risk, with cloud security technology that eliminates blind spots, quickly targeting and controlling activities across thousands of cloud services and millions of websites.

Get in touch to find out more about staying secure and safe in a GDPR world.