The Information Commissioner’s Office has fined British Airways £20 million for breaching data protection law.
While the fine is by far the largest in the UK since the EU General Data Protection Regulation took effect in 2018, it is a steep reduction from the £183 million the ICO announced in July 2019 that it intended to levy.
At the time, the company expressed its disappointment with the proposed penalty and said it would contest it. After that process, the regulator said it had “considered both BA’s representations and the economic impact of Covid-19 on their business before imposing a definitive fine”.
The penalty relates to a cyber attack in which some visitors to the British Airways website were redirected to a fraudulent site. Through it, the attackers were able to obtain the names, addresses and payment card details – including CVV numbers – of 244,000 BA customers.
A further 185,000 customers and employees had data compromised to a lesser degree, and the breach also exposed “BA employee usernames and passwords and administrator accounts”.
The attack began on June 22, 2018 and went undetected for more than two months. When it was finally discovered on September 5, it was a third party that alerted the airline, which then notified the regulator.
“It is not clear if or when BA would have identified the attack itself,” said the regulator. “This was viewed as a serious mistake because of the number of people involved and because potential financial damage could have been more significant.”
The ICO’s investigation found that, before the attack, “BA should have identified security gaps and fixed them with the security measures available at the time”.
These measures, which the regulator said could have prevented the attack from ever taking place, include restricting access to data and systems according to employees’ roles, more rigorous testing and simulated attack exercises, and the use of multi-factor authentication.
“None of these measures would have created excessive costs or technical barriers, and some of them are available through the Microsoft operating system used by BA,” the ICO said. “Since the attack, BA has improved its IT security considerably.”
Information Commissioner Elizabeth Denham said BA’s failures in both prevention and detection had earned it the largest financial penalty the regulator has ever imposed.
“People have entrusted BA with their personal information, and BA has not taken adequate measures to keep that information secure,” she said. “Their failure to act has been unacceptable and has affected hundreds of thousands of people, potentially creating fear and distress. Because of this, we fined BA £20m – our largest to date. When companies make poor decisions about people’s personal information, it can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
While £20m is a fortyfold increase on the £500,000 maximum the ICO could impose before May 2018, it is still well below the amount the regulator could have chosen to fine the airline.
The GDPR, together with the UK Data Protection Act 2018 that implements it in UK law, allows fines of up to €20 million or 4% of an organisation’s global annual turnover, whichever is greater.
In BA’s case, 4% of turnover would have amounted to more than £500m.