British Airways (BA) has been fined £20 million by the Information Commissioner’s Office (ICO) for a data breach that compromised the personal and financial information of hundreds of thousands of customers who made bookings or changed their itineraries on its website during the summer of 2018.
The ICO had originally proposed a £183 million fine, which would have been the largest to date under the General Data Protection Regulation (GDPR). After a series of representations from BA, and taking into account a number of factors including the impact of the Covid-19 pandemic on the airline’s finances, the sum was cut.
The ICO’s investigation found that BA was processing a significant amount of personal data without adequate security measures, in breach of data protection law. BA subsequently became the victim of a cyber attack that it did not detect, or did not fully detect, for some time.
The watchdog said BA should have identified the security weaknesses and taken appropriate measures to prevent the attack from succeeding.
“People have entrusted their personal information to BA and BA has not taken adequate measures to protect that information,” said Information Commissioner Elizabeth Denham.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20 million fine – our biggest to date.”
Denham added: “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
The criminals behind the attack are believed to have accessed the personal data of 429,612 customers and staff. This included the names, addresses, payment card numbers and CVV numbers of 244,000 customers; the combined card and CVV numbers of a further 77,000; the card numbers alone of 108,000; the usernames and personal identification numbers (PINs) of 612 members of the airline’s Executive Club; and usernames and passwords for BA employee and administrator accounts.
In its final assessment, the ICO said BA should have taken the following steps: restricting access to internal applications, data and tools to only what is required for a user’s role; carrying out rigorous penetration testing and incident simulation exercises; and implementing multi-factor authentication to protect employee and customer accounts.
None of these measures would have entailed excessive cost or technical barriers; some were available as features of the Microsoft operating systems BA already used and simply needed to be switched on.
The ICO also took into account that BA did not detect the attack, which began on 22 June 2018, itself, but was alerted to it by a third party in early September, after the damage was done. The regulator said it was unclear whether, or when, BA would have noticed the attack had no third party intervened. This was treated as a serious failing, since the number of customers affected could have been far higher.
However, the ICO found that once BA became aware of the problem it acted promptly, appropriately and in line with the GDPR, and that it has since “considerably” improved its security posture. The airline also offered all those affected a 12-month membership of a credit monitoring service.
A BA spokesperson said: “We alerted customers as soon as we learned of the criminal attack on our systems in 2018, and we are sorry we did not meet our customers’ expectations.
“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we have fully cooperated with its investigation.”
Francis Gaffney, Mimecast Director of Threat Intelligence and Response, commented, “Regulations are not just something companies must adhere to, they should encourage improved behavior and best practices. Too often regulation is viewed as a burden, but companies should start looking at it through the lens of their customers, partners or employees. When a customer trusts you with their information, you owe it to them to keep it safe and secure.
“Many organizations face financial penalties for such data breaches and only then does the cost of the breach outweigh the potential savings by not investing in security and data management solutions.”
Gaffney added: “It is often the case that the damage to the organisation’s reputation and brand dwarfs the fine imposed. This breach is particularly worrying as it went undetected for months, and a lot of personal information could have been disclosed.”