What do travel companies need to know about data protection?

Blake Morgan Logo






The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, which came into force in 2021, overhauled rights and obligations regarding the processing of personal data in the UK. While the UK GDPR general processing arrangements apply to most UK based organisations, those operating in the travel sector are typically also required to comply with EU GDPR, making the situation particularly complex. We have previously written about the impact of GDPR and its application, and new developments, which need to be complied with.

Travel companies are also directly exposed to the risk of severe data breaches, and the potential fall out, due to the nature and sensitivity of the personal data collected. This includes, ID and passport information, contact information, and sensitive data such as payment information, among others. The scope of potential data issues in the travel industry were considered in an investigation by Which? in 2020. When publishing the results of its cyber security review of 98 travel firms, Which? identified 497 vulnerabilities on the Marriott group websites alone, asserting that 20% presented a critical or high risk to data. However, these risks can be mitigated with appropriate security, support, and training. 

Data Protection Breaches 

There have been a number of high-profile data breaches within the travel industry in recent years. Well established travel companies, such as EasyJet and British Airways, have experienced publicised breaches, often resulting from targeted attacks or insufficient data security. 

Perhaps the most widely known travel data breach was experienced by British Airways in 2018, which affected 420,000 people and resulted in a £20 million fine issued by the Information Commissioner's Office (ICO). The group claim brought by those affected represents the largest data breach claim in the United Kingdom to date. Similarly, the ICO had initially stated its intention to fine the company £183 million, with the eventual reduced £20 million figure still being the highest fine of its kind. The breach itself arose from a cyber-attack and involved the names, addresses and payment details of customers and staff. The airline's system was compromised, with the attackers using their access to harvest information as it was entered over at least a 2 month period. The success of the attack has been credited to insufficient security measures, including no multi-factor authentication being in place. The incident serves as a stark warning to travel companies as to the potential seriousness, not only in terms of data breaches themselves, but the financial and reputational repercussions they may bring. 

A similar breach was reported by EasyJet in 2020, affecting the personal information of 9 million customers and the theft of over 2,000 payment card details. However, in contrast to the British Airways attack, the EasyJet breach led to secondary phishing attempts against those affected. The extent of the issue has seen data experts recommend that any individuals who have previously bought any travel services from EasyJet should be very careful when navigating communications presented as being sent by the company. EasyJet itself set about contacting the affected 9 million customers, a feat that was undoubtedly expensive and time consuming. 

Also in 2018, the Marriott group experienced a data breach affecting its reservation system and involving the data of hundreds of millions of customers. The breach was a result of existing security issues inherited by Marriott following its acquisition of the Starwood hotel chain. Notably, a remote access trojan had granted cyber attackers administrative access to the Starwood system, a fact that was not identified as Marriott had failed to carry out an adequate cybersecurity audit. Alongside reputational damage, Marriott incurred around $30 million in expenses dealing with the breach, and was fined £18.4 million by the ICO alone (reduced from £99 million) in addition to other international fines.

The ICO have reiterated that people have the right to expect companies to handle their personal information securely and in a responsible manner, and when this doesn’t happen it will set about taking robust action.

How Blake Morgan Can Help?

Blake Morgan has a number of experienced lawyers able to deliver succinct and pragmatic advice to travel companies, and individuals, on the topic of data protection. Our services include:

•    Advice relating to data protection and GDPR compliance
•    Dealing with data breaches and breach notifications
•    Data protection impact assessments and audits
•    Assisting with subject access requests
•    Drafting data sharing and data processing arrangements
•    Advising on privacy law
•    Providing information governance guidance

Blake Morgan is also the only UK law firm that delivers the prestigious British Computer Society BCS Practitioner Certificate in Data Protection

If you are concerned about a potential data breach, would like some advice on preventative measures, or have been affected by a breach, please contact our team of data protection lawyers. You can also read more about the services we offer here.

Authors: Rob Jefferies and Alette Anderson-Whitehouse