GDPR Fines and how to avoid them with Runecast

The General Data Protection Regulation (GDPR) is an EU data protection law that came into effect on May 25, 2018. It replaces the 1995 EU Data Protection Directive strengthening EU data protection rules by giving individuals more control over their personal data and establishing new rights for individuals. GDPR applies to any company that processes the personal data of EU citizens, regardless of whether the company is based inside or outside the EU.

It imposes significant fines for companies that violate its provisions, including up to 4% of their annual global revenue or €20 million (whichever is greater), for breaching certain GDPR provisions. These fines can be increased to up to 8% of annual global revenue or €40 million (whichever is greater), if the company is found to have intentionally or recklessly violated the regulations. Since its introduction in 2018, GDPR authorities have issued more than 900 fines and all of them are large amounts.

Let’s analyze 4 of the thirty biggest GDPR fines, what caused them and how they could have been avoided.

Marriott – €20.4 million ($23.8 million)

Marriott Hotels & Resorts is Marriott International's brand of full-service hotels and resorts worldwide. So, what happened? Marriot acquired Starwood Group in September 2016, and an earlier hack was discovered in 2018. Marriot was fined with a $123 million fine originally but it was reduced after Marriot’s plan to mitigate the risks of the incident.

In 2014, a piece of code was installed onto a device in the Starwood system, which gave the author the ability to access and edit contents of this device remotely. The attacker gained unrestricted access to the device and other devices in the network. Further tools installed by the attacker that gathered login credentials enabled the malicious actors to access the database storing reservation data for Starwood customers. After the database was compromised, 383 million guest records, of which 30 million were EU residents, were exposed. Data like guests’ names, addresses, passport numbers, and payment card information.

How could this enormous fine have been avoided? The Information Commissioner's Office is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport. ICO’s investigation found out that Marriot had failed to perform an adequate assessment of their systems after the acquisition of the Starwood Group. If they had managed to better safeguard their systems and mitigate their vulnerabilities, they very well could have avoided the fund, and the damage that followed millions of customers.

British Airways – €22 million ($26 million)

British Airways is a very popular UK airline considered to be the second largest UK based carrier, based on fleet size and the amount of passengers carried.  After an ICO investigation found the airline was processing significant amount of personal data without adequate security measures, the ICO fined British Airways with a $22 million fine (originally $238 million)

In 2018 British Airways systems were compromised and the breach affected more than 400,000 customers' sensitive data like log-in details, payment card information, and travelers’ names and addresses. According to the ICO, British Airways failed to protect the personal and financial details of its customers and this failure broke the provisions of GDPR, making BA the subject of a cyber-attack, which was not detected for more than two months.

What could have been done differently? According to the ICO, BA had failed to identify vulnerabilities in their systems and didn’t have sufficient security measures to protect their environment, which would have made the attack preventable. It suggested that the airline should take a security-first approach and invest in security solutions in order to ensure the data policy set by GDPR.

Meta (Facebook) Ireland – €17 Million ($18.2 Million)

Everyone knows Meta, the enormous technology conglomerate that owns the biggest social media platforms. In March 2022, Meta Platforms Ireland was charged by the Irish Data Protection Commission (DPC) with a $18.2 million dollar fine for not demonstrating the security measures implemented for the protection of EU users’ data.

In 2018, after a series of twelve data breaches, the DPC started investigating to what extent Meta Platforms Ireland achieved compliance with GDPR. The DPC found out that there were GDPR violations of several provisions regarding the processing of personal data relevant to the twelve breach notifications.

How could this large fine have been prevented? Meta Platforms Ireland could have prevented the breaches if they had taken a security-first approach, invested in security solutions and had strict data privacy policies regarding GDPR compliance rules.

Vodafone Italia – €12.3 million ($14.5 million)

Vodafone Italia S.p.A. is an Italian telephone company, and subsidiary of Vodafone. Back in November 2020, Vodafone Italia was fined $14.5 million for many alleged GDPR provision violations related with the processing of personal data.

In 2020, the Italian Data Protection authority ('Garante') started an investigation into Vodafone Italia after customers complained about unwanted calls they were receiving from different companies advertising their products. The investigation concluded that the company had failed to properly secure customer data, sharing personal data with third-party call centers.

How could this have been avoided? Despite coming into light from the ‘mistake’ of telemarketing campaigns, this event caused Italian Data Protection authorities to discover that a series of GDPR provisions were being violated. To avoid this fine Vodafone Italia should have conducted regular GDPR audits and documented all the relationships with third-party data processors. 

So what is the solution and what should we learn from this?

There’s a wise saying as follows: “Everyone learns from their own mistakes, but learning from those of others is considered wise”. We do believe that this is important as it suggests a proactive way of doing things. Everyone is vulnerable to these types of incidents and even worse, but let us learn from others incidents and save ourselves some pain. This is what wise means, to have a vision for the future and to act according to that. We know you look to the future, that’s why you have such a successful business, and we want to be part of that success by providing proactive protection.

Dealing with EU residents’ data is a task that comes with responsibilities. You need regular GDPR audits that will ensure the security of your environment. We have thought about that. We don’t want you to get bogged down trying to achieve compliance with multiple security standards all at once. That is why we designed Runecast. Runecast is a platform that provides automated security audits, vulnerability management and risk management for AWS, Azure, GCP, VMware, Linux OS, Windows OS, and Kubernetes. Now you don’t have to put yourself at the mercy of malicious actors’ or data protection authorities who will fine you enormous amounts of money. You can trust Runecast!