
Friday, August 2, 2019

British travel group goes into administration affecting 50,000 travellers

Two package holiday firms have collapsed, affecting more than 50,000 travellers.

Malvern Group, which incorporates Manchester-based Late Rooms and York-based Superbreak Mini Holidays, known as Super Break, has ceased trading.

The group said Super Break hotel-only holidays would be cancelled and people currently on holiday might have to pay again.

It said it “anticipated” bookings through Late Rooms would be secure.

Malvern Group said those on package holidays would be protected by the travel association Abta.

But vouchers and tickets for entertainment, attractions or the Incredible North Iceland Charter were no longer valid, it said.

Late Rooms, acting as an agent, had not taken money for bookings, which would be payable to the accommodation supplier direct, the company said.

‘Vast majority’ covered

Malvern said its contact centre had closed and it intended to appoint administrators on Friday.

It advised customers to contact Abta, their travel agent or their credit card provider for further help.

Abta has issued advice for customers of Super Break, but said it did not cover Late Rooms.

In a statement, it said the “vast majority” of Super Break holidaymakers’ arrangements would be covered through Abta, Atol or their credit card companies.

“These customers will either be entitled to a refund or, if they’ve booked through another travel company, they should contact them to discuss options which may include continuing with their booking, re-booking or alternative arrangements,” it said.

Super Break has about 250 employees and had approximately 20,000 bookings, involving about 53,000 people.

About 400 customers are currently on holiday.

Abta suggested rail, coach or Eurostar tickets might be valid for travel. Rail company LNER said it would honour all existing tickets.


The ICO fines British Airways & Marriott: should businesses be worried?

Earlier this month the UK’s data protection regulator – the Information Commissioner’s Office (ICO) – hit the headlines by announcing its intention to impose £283m in total in fines in quick succession.

First, British Airways (£183.39m) then Marriott International (£99.2m) – both due to cyber/IT security incidents where customer personal data was compromised.

Since 25 May 2018, when the General Data Protection Regulation (GDPR) came into effect, data protection experts have been anxiously waiting to see what fines the ICO would levy under the GDPR. The ICO now has the power to potentially levy fines of the greater of Euro 20m or 4% of group worldwide turnover – far above the previous cap of £500,000. And now we have two whopping intended fines. Yet a sense of perspective is needed.

Firstly, such fines are only “intended” fines at this stage – the ICO may reduce them after hearing representations from the companies concerned.

Secondly, whilst we don’t yet have the full rationale for the fines it seems reasonable to assume that the fines will be higher than the fines the ICO itself would impose just in the UK.  This is because in these two cases the ICO is acting as the “lead supervisory authority” under the GDPR and so is representing the interests of other EU/EEA data protection authorities as well.

Thirdly, these appear to be very serious incidents at large corporates involving significant numbers of customers and taking place over an extended period of time with the risk of serious prejudice to those affected – so the fines were always going to be significant.

In Marriott International’s case the problem arose due to IT systems that were originally part of the Starwood hotels group acquired by Marriott in 2016.  It took Marriott until 2018 to discover the incident (which had its origins in a 2014 compromise of Starwood’s systems) and the ICO found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.

In BA’s case the cyber incident was notified to the ICO by BA in September 2018. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.  The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.

Nevertheless, the days of a £500,000 cap on data protection fines are now well and truly over.  Also it’s not just fines that should concentrate the mind – there’s the reputational damage, the legal and administrative costs in dealing with the matter and perhaps most ominously the threat of class action data breach lawsuits on behalf of affected data subjects.  If significant numbers of data subjects are affected the claims here can easily outstrip the level of any fines.

Implications for business

As we wait to see how these two cases proceed, some initial conclusions can be drawn.

Don’t assume you can pass the blame onto others: the fact you’ve suffered a cyber/IT security incident caused by the criminal behaviour of others (as it appears Marriott and BA did) doesn’t necessarily get you off the hook – did you put in place appropriate procedures to help prevent, detect and then swiftly respond to and contain such an attack? – if you failed in your duty of care you will have to face the consequences.  Businesses need to take IT security very seriously and to embed this into how employees behave as well – frequently human error or worse will be responsible, not necessarily just a technical failure.

Respond immediately: If you are affected by a cyber or other “personal data breach” contact the ICO immediately where the law requires this (any breach of any substance will inevitably require this). Ensure you promptly assess the risk to those individuals affected and notify them as well where the law requires this or where it is sensible to do so (e.g. to mitigate damage to those involved) and provide full cooperation to the ICO throughout. Take immediate steps to contain and then stop the incident.  This will also help in mitigation of any fine.

Buyer beware: If you acquire another business you need to carry out robust GDPR and IT security due diligence to ensure you do not inherit a problem.

Don’t neglect compliance: take GDPR compliance seriously, be prepared for the worst and ensure you have appropriate technical and organisational security measures in place to ensure a level of security appropriate to the risk, and regularly test the measures in place.

Review or take out appropriate insurance cover: this is not a panacea but there are an increasing number of products available.

Learn from your mistakes: it is likely most businesses will suffer some sort of personal data breach or cyber/IT security incident at some point – not necessarily major. It is imperative to learn from the experience and prevent a repeat.


One in seven Brits admit to committing fraud

A new report released today shows one in seven British adults have committed one or more types of consumer fraud, while two in three know someone who has.

There are many types of first-party fraud – including:

  • Money muling – agreeing to transfer illegal funds to a third-party from their bank account, generally keeping a share for themselves
  • Claimed non-delivery – ordering goods online and falsely claiming they haven’t been delivered to get a refund

The most common type of consumer fraud committed by the British public is ‘fronting’, closely followed by ‘deshopping’, which 1 in 20 (5%) admit to carrying out.

Attitudes towards first party fraud

Alarmingly, many Britons consider some types of consumer fraud as reasonable, with the highest proportion seeing ‘fronting’ as reasonable. However, the consequences of committing this type of fraud could see individuals driving without valid insurance, and in some cases, result in a criminal record.

Interestingly, ‘money muling’ is considered reasonable by one in five Britons, the consequences of which could result in individuals being unable to open a bank account and obtain a mortgage, as well as a potential prison sentence.

Demographics of consumer fraud

The research revealed that younger people were more likely to take part in fraudulent activity, with 21% of 18-34 year olds admitting they have committed first-party fraud, compared to only 6% of people aged over 65.

Prevention key to reducing fraud

The report found that companies are more likely to invest their energy into detection and prosecution of consumer fraud, rather than prevention. This is despite the fact that detection can be problematic, and prevention is generally regarded to be more effective. The report argues that efforts to reduce fraud would be better directed towards awareness campaigns focused on educating consumers about different types of fraud and their consequences, such as criminal records, fines, or difficulties in obtaining banking and credit facilities.

Chief Executive Officer of Cifas, Mike Haley, who was responsible for the report, commented: ‘It’s sad to note how common fraud is among the British population, and that even more people find such acts of dishonesty acceptable.

‘Many people seem unaware that what they consider to be reasonable, such as buying shoes to wear for a night before returning them, or adding their parent as a main driver for cheaper insurance, can be considered acts of fraud.

‘We wanted to raise awareness of the consequences of what can be considered everyday fraud, such as finding it difficult to obtain a financial product or a mobile phone account, and in some cases such as being a money mule, end up with a criminal record.’

Matthew Oakley, Director of WPI Economics, who co-authored the report, said: ‘It is shocking that one in seven British adults admit to having committed first-party fraud.

‘That many people also see this as reasonable highlights the lack of understanding of fraud as a criminal and harmful act.

‘This report shines a light on some of the routes to people committing fraud and highlights how industry can work together to tackle these; in particular by making sure that fewer people see fraud as reasonable and that the opportunities to commit fraud are reduced.’