ICO issues British Airways with a landmark fine
November 02, 2020
Charles Russell Speechlys LLP
On October 16, 2020, the Information Commissioner's Office ("ICO") fined British Airways Plc ("BA") £20 million for breaching its data protection obligations under the General Data Protection Regulation ("GDPR") in connection with a cyber attack it suffered in 2018. This is the ICO's largest fine to date, and the amount imposed was a substantial reduction from the £183.39m that the ICO announced it would fine BA back in July 2019.
Cyber attack details
It is believed that the attacker accessed the personal data of over 400,000 BA customers and employees worldwide. The information accessed included names, addresses, payment card numbers and CVV numbers, although it is believed that only around 100,000 customers had their payment information accessed. The attack went undetected for over two months, from June 22 to September 5, 2018.
The usernames and passwords of BA employee accounts, and the usernames and PINs of up to 600 BA Executive Club accounts, may also have been accessed.
Failure to prevent the attack
The ICO listed in its penalty notice a number of measures that BA could have implemented to reduce the risk of the attacker accessing personal data via the BA network. These include:
- Restricting access to applications, data and tools to those necessary to fulfil the user's role;
- Carrying out rigorous tests simulating a cyber attack on corporate systems; and
- Protecting employee and third-party accounts with multi-factor authentication.
It was found that these additional measures would not have created excessive costs or technical barriers for BA, as some of them were already available through the Microsoft operating system it was using.
Another factor taken into account by the ICO was that BA did not discover the attack itself on June 22, 2018, but was informed of it by a third party more than two months later, on September 5, 2018. The ICO considered this a serious failing, because it is not clear whether or when BA would have identified the attack on its own. Had it not been for this third party, the financial damage could have been even more widespread.
The fine to be paid by BA is the largest ever imposed by the ICO for a GDPR breach. Although £20m may seem like a narrow escape compared to the £183m originally proposed by the ICO, Article 83 of the GDPR requires the ICO to ensure that a fine is "effective, proportionate and dissuasive". The ICO took into account the immediate actions taken by BA to mitigate the risk of harm (once the attack became known) as well as the economic impact of COVID-19 on the business, and with all of these considerations in mind arrived at a significantly reduced, though still substantial, fine.
The content of this article is intended to provide general guidance on the subject. Specialist advice should be sought about your particular circumstances.