On 30 October 2020, the UK’s DPA (“ICO UK”) announced it had fined a multinational hospitality company for failure to keep secure an estimated number of 339 million guests’ records worldwide, following a cyber-attack in 2014.
ICO UK found the controller has failed to put appropriate technical or organization measures in place to protect its customer personal data. While the ICO UK’s investigation traced the cyber-attack back to 2014, according to ICO UK’s press release, the fine relates only to the breach from 25 May 2018, when GDPR’s requirements became applicable. The enforcement action has been approved by other data protection authorities concerned through the GDPR’s cooperation process.
ICO UK’s press release may be accessed here and the penalty notice here.
