ICO Issues British Airways With A Ground-breaking Fine
On 16 October 2020, the Information Commissioner’s Office
(the “ICO”) imposed a monetary penalty notice fining
British Airways Plc (“BA”) £20 million for breaching
its data security obligations under the General Data Protection
Regulation (the “GDPR”) in connection with the cyber-attack it
suffered in 2018. This is the ICO’s largest fine to date, and the
amount imposed was a significant reduction from the £183.39 million
fine the ICO announced it intended to impose on BA back in July.
Details of the cyber attack
The attacker is believed to have accessed the personal data of
over 400,000 BA customers and staff members worldwide. The information
obtained includes names, addresses, payment card numbers and CVV
numbers, although it is thought that only around 100,000 customers had
their payment information accessed. The attack went undetected for
over two months, from 22 June to 5 September 2018.
Usernames and passwords of BA employee accounts, as well as
usernames and PINs of up to 600 BA Executive Club accounts, were
also potentially accessed.
Failure to prevent the attack
The ICO listed in its penalty notice a number of measures
that BA could have used to mitigate the risk of the attacker being
able to access personal data through the BA network. These included:
- limiting access to applications, data and tools to only those
which are required to fulfil a user’s
- undertaking rigorous testing, in the form of simulating a
cyber-attack, on the business’ systems;
- protecting employee and third party accounts with multi-factor
authentication.
The ICO noted that these additional measures would not have
entailed excessive cost or technical barriers for BA, as some of
them were already available through the Microsoft operating
system that BA used.
Another significant factor taken into account by the ICO was
that BA did not detect the attack, which began on 22 June 2018,
itself: it was informed by a third party more than two months
later, on 5 September 2018. The ICO considered this a severe failing
because it is not clear whether, or when, BA would have identified
the attack on its own. Had it not been for the third party, the
financial harm could have been even more widespread.
The fine payable by BA is the largest imposed to date by the ICO
for a breach of the GDPR. Although £20 million appears to be a
narrow escape compared to the £183 million originally
proposed by the ICO, Article 83 of the GDPR requires the ICO
to ensure that any fine imposed is “effective, proportionate and
dissuasive”. The ICO took into account the prompt action BA
took to mitigate the risk of harm once it became aware of the
attack, as well as the economic impact of COVID-19 on the business,
and with all of these considerations weighed, imposed a
greatly reduced (albeit still eye-watering) fine.