The UK Information Commissioner’s Office (ICO) has fined British Airways £20 million, the ICO’s largest fine to date, for failing to protect the personal and financial details of more than 400,000 of its customers.
In a statement published online on 16 October 2020, the ICO stated that its investigation had found that British Airways was “processing a significant amount of personal data without adequate security measures in place”. This failure is said to have breached data protection laws and, subsequently, the airline was the subject of a cyberattack in 2018, which was not detected for more than two months.
The cyberattack in 2018 involved user traffic to the airline’s website being diverted to a fraudulent website, where the personal data of approximately 429,612 customers and staff was harvested, which included names, addresses, payment card numbers and CVV numbers.
The ICO’s investigation found that the airline ought to have identified and resolved “weaknesses” in its security, and that addressing these security issues would have prevented the 2018 cyberattack. In particular, the ICO noted that British Airways could have used a number of security measures to mitigate or prevent the attack, including:
limiting access to applications, data and tools to only that which are required to fulfil a user’s role;
undertaking rigorous testing on the business’ systems; and
protecting employee and third party accounts with multi-factor authentication.
Although the ICO had planned to fine the airline nearly £184 million in its notice of intention last year, the reduced penalty is in light of British Airways improving its security systems since the attack as well as the impacts of COVID-19 on the airline industry.
We have seen a number of data breaches recently where personal data of large customer bases has been compromised. They demonstrate that simple security measures, such as administrative controls and multi-factor authentication, can be your best defence in preventing future cyberattacks (and large fines!).
Copyright 2020 K & L GatesNational Law Review, Volume X, Number 293