The fines issued by the U.K. Information Commissioner’s Office (ICO) against British Airways, Marriott, and Ticketmaster are among the largest under the General Data Protection Regulation (GDPR) this year. Yet in each case, and in their representations to the data regulator, the companies held accountable said it was their third-party service providers that were at fault.
For example, British Airways blamed cargo handling firm Swissport for compromising or possibly sharing login information. Marriott blamed IT consultancy Accenture for not picking up the security flaws in its systems, and Ticketmaster blamed Inbenta Technologies for failing to prevent malware from being installed on the chatbot it created, which featured on the ticket seller’s website payment page.

