UK’s Information Commissioner’s Office Issues a Record Fine Against British Airways - Clarip Privacy Blog

UK’s Information Commissioner’s Office Issues a Record Fine Against British Airways

cathay

On October 16, 2020, the UK’s Information Commissioner’s Office (ICO) issued a £20 million fine against British Airways (BA). The fine stems from the June 2018 data breach, which the ICO investigation found to have resulted from “poor security arrangements.” The incident involved the diversion of BA’s website traffic by malware to a fraudulent website. The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other data believed to have been accessed includes the combined card and CVV numbers of 77,000 customers and the card numbers of 108,000 customers. Usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.

The ICO concluded that BA failed to implement adequate security measures when processing a significant amount of personal data. The ICO investigators found that BA should have identified the weaknesses in its security and resolved them with security measures that were available at the time. According to the ICO, the controls BA should have implemented include: limiting access to applications, data and tools to only what is required to fulfil a user’s role; undertaking rigorous testing of the business’s systems, in the form of simulated cyber-attacks; and protecting employee and third-party accounts with multi-factor authentication.

The ICO also faulted BA for its lack of awareness of the attack. The ICO investigators found that BA did not detect the attack as it occurred in June 2018 but was alerted to it by a third party more than two months later.

In July 2019, the ICO proposed a £184 million fine against BA in connection with the breach. In the subsequent months, British Airways and the data protection authorities of the other GDPR jurisdictions had an opportunity to weigh in on the proposed fine. According to a techcrunch.com report, about £150 million of the reduction came from the ICO’s further analysis of the events that led to the attack, which placed less blame on BA than it originally had; another £6 million was discounted based on BA’s response to the breach, and a further £4 million was taken off to reflect the adverse impact of the coronavirus pandemic on BA’s business.

Even though the fine imposed on BA is significantly less than what the ICO originally proposed, it is still the largest fine issued by the ICO to date. Equally important is that the data breach which led to the fine could potentially have been prevented or minimized had BA implemented the fundamental cybersecurity controls identified by the ICO. The bottom line is that companies that ignore their privacy and data protection obligations are bound to pay the price in the form of regulatory fines, litigation, and a diminished reputation with privacy-conscious consumers.

Ask Clarip today how we can solve your biggest privacy compliance pain points. Call Clarip at 1-888-252-5653.
