The not so mega ‘mega fine’: ICO fines British Airways £20 million for its 2018 data breach

  • The ICO fined British Airways £ 20m for violating the GDPR in connection with its 2018 privacy breach.
  • This is a significant reduction from the originally proposed £ 183 million fine.
  • In the fine statement issued to British Airways, the ICO confirmed that the almost 90% reduction was only partially influenced by the impact of COVID-19 on British Airways’ financial condition.
  • In contrast, the vast majority of the reduction appears to be due to the fact that the ICO took into account BA’s representations after its letter of intent, coupled with a change in the ICO’s approach to being less about sales than driving a factor in the calculation of fines.
  • The ICO has also released details of the specific GDPR violations committed by British Airways, limited to violations of the integrity and confidentiality principles in Article 5 and the security obligations in Article 32 GDPR.
  • The moral of the story seems to be that it may be commercially worthwhile for controllers to vigorously back out against any declaration of intent.


As we reported Herein July 2019 the Office of the Information Commissioner (“ICO“) Posted a notice of its intention to fined British Airways a whopping $ 183 million for violating the General Data Protection Regulation (GDPR) as a result of its 2018 data protection breach in which the personal information of approximately 500,000 British Airways customers was stolen by hackers . To punish GBP.

What is important is that this was a letter of intent and not a final fine. The 2018 Data Protection Act provides a strict six-month deadline for converting the ICO into a fine. However, this deadline can be extended if the ICO and the proposed recipient of the fine agree to an extension. The ICO and British Airways used this extension mechanism several times, so the final criminal complaint was not published until October 16, 2020, more than a year after the initial letter of intent.

At this point in time, neither side gave any reasons for either of the extensions, although this emerges from the 2019 annual report and financial statements of the International Airline Group (IAG, parent company of British Airway) and has now been confirmed by the final criminal complaint. that British Airways has made extensive statements to the ICO regarding the proposed fine and that there have been several other requests for information. The effects of COVID-19 likely played a role in the expansion as well.

At the time of the initial letter of intent, the proposed fine was touted by British Airways as the first “mega-fine” imposed by a European data regulator since the GDPR was introduced. The largest data protection fine previously imposed by the ICO was £ 500,000, the maximum possible under the old legislation.

The first GDPR “mega” fine: not so “mega”: a reduction of almost 90%

The ICO finally issued its criminal complaint to British Airways on October 16, 2020, fined British Airways £ 20million. While this is still the largest ICO fine to date, it represents a significant reduction of almost 90% from the original £ 183.39million value.

Although in some places the criminal complaint refers to the originally proposed £ 183.39 million fine, very little is said in the notice of exactly why the final fine was reduced by such a substantial amount. Instead, the notice seems to start over when calculating the final fine, taking into account the following factors under Article 83 GDPR and the ICO Regulatory Policy:

  • Financial gain: BA did not directly or indirectly obtain any financial advantage or avoid losses as a result of the breach.
  • Nature and Gravity: The ICO considered the nature of the errors serious and affected a significant number of people for a significant period of time (103 days).
  • Guilt: Although the breach was not a willful or willful act on the part of BA, the ICO found that BA was negligent.
  • Responsibility: The ICO determined that BA is fully responsible for the violations of Articles 5 and 32 GDPR.
  • Previous Actions: BA had no relevant previous violations or previous notice violations.
  • Cooperation: BA fully participated in the investigation of the ICO.
  • Categories of personal data: Although no special category data was affected, the type of data, particularly the payment card data, was nonetheless sensitive.
  • Notification: BA immediately informed the ICO of the attack.

Taking all of these factors into account, the ICO held a penalty of 30 million pounds This would be a reasonable starting point to reflect the gravity of the breach and the need for the penalty to be effective, proportionate and dissuasive in the context of BA’s scale and turnover. So far there is no obvious reason why the fine is so much lower than the letter of intent.

The ICO did not consider that there were aggravating factors to use to increase the penalty, nor did it consider it necessary to increase the penalty in order to be “dissuasive”.

Regarding a possible downward revision, the ICO deemed a downward revision of 20% (£ 6m) appropriate, taking into account several mitigating factors including:

  • The immediate steps to mitigate and minimize harm to affected individuals;
  • Immediate notification by BA of the violation to data subjects and the responsible supervisory authorities;
  • The wide coverage in the press as a result of the enclosed information should have sensitized other responsible parties to potential risks. and
  • The adverse impact on BA’s brand and reputation.

Finally, the ICO also explicitly acknowledged that the impact of COVID-19 on British Airways was factored in when setting the size of the final fine, although that only resulted in another downward revision of £ 4m and therefore does not have the huge impact Majority of the reduction.

Details of the violations of the GDPR

In its final criminal complaint, the ICO focused on BS’s violation of Article 5 (1) (f) GDPR – the principle of integrity and confidentiality – and Article 32 GDPR – security of processing. The previous letter of intent also stated that BA violated Article 25 GDPR – data protection by design and standard – but this was removed from the final criminal complaint.

From a criminal perspective, it is also interesting that the ICO rejected BA’s allegations that the maximum fine should be 2%, as there is a violation between Article 5 (maximum 4% fine) and Article 32 (maximum 2% fine), that the principle of lex specialis should apply with the specific provision of Article 32 overriding the general provision of Article 5. The ICO instead noted that even if they overlapped, the two provisions were different, although it is fair to note in terms of the size of the final fine (which was well below 4% and 2% of annual global sales, respectively ) it made no difference.

In relation to its security commitments, the ICO found that British Airways had “security flaws” that could have been prevented with the security systems, procedures and software available at the time. None of the measures would have created excessive costs or technical barriers for British Airways, with some being available through the Microsoft operating system used by British Airways. The many steps British Airways could have taken to reduce or prevent the risk of attack include:

  • Restricting access to applications, data and tools to only what is necessary to fulfill the user role;
  • Carrying out rigorous tests simulating a cyber attack on corporate systems; and
  • Protection of employee and third-party accounts through multi-factor authentication, whitelist for external public IP addresses and IPSec VPN.

The attack path that the ICO believed the hackers were using revealed a number of flaws on the part of British Airways. The hackers were able to access an internal British Airways application using compromised credentials for a Citrix Remote Access Gateway. The hackers were then able to break out of the Citrix environment and gain broader access to the broader British Airways network. There the attacker was able to move sideways across the network, which led to the editing of a Javascript file on the British Airway website. This allowed the attacker to intercept cardholder data from the British Airway website and filter it to an external third-party domain that was controlled by the attacker.

A particular focus of the ICO was British Airway’s practice of storing credentials in batch scripts. The ICO did not accept British Airway’s claims that this was “assisted functionality” or “standard practice” and maintained that it was unacceptable and that there were other safe ways to achieve the same goals.

As a result, the ICO was “convinced that the BA had not taken any suitable technical or organizational measures to protect the personal data processed on its systems, as required by the GDPR”.

What’s next?

British Airways must pay the fine to the ICO or exercise its right to appeal to the First Tier Tribunal in the General Regulatory Chamber within 28 days of the complaint being filed. Interestingly, the criminal complaint does not relate to the availability of another discount for immediate payment, which discount is usually lost when the fine is appealed. This can usually indicate that BA has agreed to an agreement with the ICO, although it is clear in the criminal complaint that BA does not accept liability for violations of the GDPR.

There is also the potential for British Airways to face a fine or reprimand under the Payment Card Industry Data Security Standard (PCI-DSS) in relation to the collection and processing of payment card data. PCI-DSS compliance is required of all organizations that accept, process, store and / or transmit debit and credit cards. However, if a PCI-DSS fine is imposed on British Airways, fines under PCI-DSS are not publicly available, so it is unlikely that it would become public knowledge.

In summary, this may not be the first “mega-fine” or tough enforcement of GDPR by the ICO that commenters anticipated, but it’s still a step in that direction and with some interesting guidance on how the ICO will operate The calculation could address fines (and general enforcement) in the future.

Recent articles

Crypto exchanges struggle as El Salvador adopts Bitcoin

Today, Bitcoin is becoming an official currency in El Salvador, and the markets and crypto exchanges seem to be struggling. On...

Schools are back – and time to comply with the ICO’s Age Appropriate Design Code

As of September 2, 2021, the United Kingdom's Information Commissioner's Office ("ICO") expects organizations to use their Age Appropriate Design Code ("AADC"). The...

the ICO wants input on when personal data goes international

You don't have to be a data-focused IT service provider to realize that the UK was lucky enough to receive an adequacy decision from...