The Information Commissioner’s Office (ICO) has fined British Airways £20 million for the latter’s failure to protect the personal and financial details of more than 400,000 of its customers.
An ICO investigation found that the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law. Subsequently, British Airways was the subject of a cyber attack during 2018 which the company did not detect for more than two months.
ICO investigators found that British Airways ought to have identified weaknesses in its security and resolved them with security measures that were available at the time. Investigators concluded that addressing these security issues would have prevented the 2018 cyber attack from being carried out in this way.
Speaking about the case, Information Commissioner Elizabeth Denham said: “People entrusted their personal details to British Airways and the company failed to take adequate measures to keep those details secure. The company’s failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued British Airways with a £20 million fine. This is the biggest fine we have issued to date.”
Further, Denham stated: “When organisations take poor decisions around personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
Background to the case
Because the British Airways data breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the General Data Protection Regulation (GDPR). The penalty and action have been approved by the other EU data protection authorities through the GDPR’s co-operation process.
In June 2019, the ICO issued British Airways with a notice of intent to fine. As part of the regulatory process, the ICO considered both representations from British Airways and the economic impact of COVID-19 on the business before setting a final penalty.
The cyber attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included the names, addresses, payment card numbers and CVV numbers of 244,000 British Airways customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and the card numbers only for 108,000 customers.
Usernames and passwords of British Airways employee and administrator accounts as well as usernames and PINs of up to 612 British Airways Executive Club accounts were also potentially accessed.
Failure to prevent the attack
There were numerous measures British Airways could have used to mitigate or prevent the risk of an attacker being able to access its network. These included:
* limiting access to applications, data and tools to only those required to fulfil a user’s role
* undertaking rigorous testing (in the form of simulating a cyber attack) on the business’ systems
* protecting employee and third party accounts by employing multi-factor authentication
None of these measures would have entailed excessive cost or technical barriers; some were already available through the Microsoft operating system British Airways used.
Since the attack, British Airways has made considerable improvements to its IT security.
Third party alert
ICO investigators found that British Airways did not itself detect the attack, which began on 22 June 2018, but was instead alerted by a third party more than two months afterwards, on 5 September. Once the business became aware of the breach, British Airways did act promptly and notified the ICO.
It’s not clear whether or when British Airways would have identified the attack itself. This was considered to be a severe failing because of the number of people affected and also because any potential financial harm could have been more significant.
Commenting on the news, Mishcon de Reya’s data protection officer Jon Baines stated: “A £20 million fine is by far the largest ever issued by the ICO, and only the second fine issued by the ICO under the GDPR. However, given that the original intention was to fine British Airways £183 million, the actual amount may be seen by some as a climb-down by the ICO. The fact that the actual notice is 114 pages long, and also refers to multiple and robust arguments from British Airways’ lawyers, suggests that there may be an appeal and, therefore, more developments to come. This is likely to cost the ICO and British Airways heavily in terms of legal fees, at a time when both will have a whole host of Brexit-related and COVID-related matters on their rosters.”