The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has announced its decision to fine British Airways (BA) £20 million for breach of the General Data Protection Regulation (GDPR). The fine relates to a cyber-attack which occurred in 2018 and led to the personal and credit card data of over 400,000 BA customers and staff being compromised.
The ICO had initially announced its intention to fine BA £183.39 million in 2019; however, after a full assessment, it has now issued a considerably lower penalty. Although this is a significant reduction from the initial figure, it is still the largest fine issued by the ICO to date.
The 2018 data breach was the result of a cyber-attack by criminal hackers on BA’s systems. The attacker gained access to BA’s network using compromised credentials for a Citrix remote access gateway. From there the attacker was able to reach BA’s wider network and made edits to BA’s systems so that customer card-holder information entered on BA’s website was transferred to an external third-party domain. The data affected by the attack included the names, email addresses, credit card details and CVV security codes of customers and employees.
The ICO found that BA had inadequate security measures in place at the time of the breach. It noted that BA had failed to process the personal data of its customers in a manner that ensured the appropriate security of the data, including failing to have measures in place that protect against unauthorised processing and against accidental loss and destruction or damage, as required by Article 5(1)(f) GDPR. BA have since implemented a number of measures to prevent such cyber-attacks happening in the future. If you would like a detailed recap on the case, a link to our last year’s blog on the topic can be found here.
Under the GDPR, fines for a data protection breach can be up to a maximum of 4% of annual global revenue. In 2019, the ICO’s initial notice of intent to fine quoted £183.39 million. This amounted to 1.5% of BA’s revenues in the 2017 calendar year. However, following a number of representations from BA and after taking into account mitigating factors, including the impact of the Covid-19 crisis on BA’s finances, the ICO reduced the total fine to £20 million.
As part of the mitigation, the ICO recognised that BA had acted promptly in notifying the affected data subjects once the breach was discovered, thereby limiting further damage. BA were reported to have co-operated with the ICO during the investigation, and the ICO took into account that since the attack BA have made significant improvements to their security systems. These factors resulted in a total reduction of the fine by £6 million. The ICO also considered the negative financial impact of the Covid-19 pandemic on BA’s business. However, this accounted for a reduction of only £4 million, as the ICO noted that the fine would not affect BA’s financial position in the long term.
Until now, the largest penalty imposed by the ICO was the £500,000 fine on Facebook for its role in the Cambridge Analytica data scandal. In the BA case, the ICO found that, having regard to all of the circumstances and the GDPR, BA’s infringements constituted a serious failure to comply with the GDPR and that, for that reason, a £20 million penalty was appropriate. The penalty was issued under the Data Protection Act 2018 for infringements of the GDPR. Section 115 and Schedule 16 of the Data Protection Act 2018 give the ICO the power to impose administrative fines.
The ICO outlined the following reasons as its justification for the fine:
- The data breach could have been prevented if BA had had adequate security measures in place in the first instance.
- A significant amount of customer and staff data was leaked; as noted above, the data of over 400,000 customers and staff was accessed.
- BA discovered the data breach over two months after the cyber-attack took place. The attack began in June 2018 but was not reported to the ICO until September 2018, by which time a considerable amount of data had already been compromised. The ICO noted that if the breach had been discovered earlier, it could have been contained, resulting in significantly less damage to the privacy of BA customers’ and staff data.
- BA did not discover the breach through its own data security systems; rather, it was notified of the breach by a third party.
After considering BA’s submissions, representations and relevant correspondence, the ICO concluded that BA had failed to have in place appropriate technical or organisational measures to protect the personal data being processed on its systems, as required by the GDPR.
The Information Commissioner, Elizabeth Denham, said,
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
The ICO listed the following steps that BA could have taken, but did not, to mitigate or prevent the cyber-attack on BA systems:
- Limiting access to applications, data and tools to only what is required.
- Undertaking more rigorous testing, in the form of simulating a cyber-attack on BA systems.
- Using multi-factor authentication to protect employee and third-party accounts.
In the ICO’s view such measures would not have involved significant excess costs or technical barriers and some of the measures were already available through BA’s own systems.
BA does have the right to appeal the penalty notice under Section 162(1) of the Data Protection Act 2018 to the First-tier Tribunal (Information Rights). It is not currently clear whether BA will pursue an appeal.
Whilst the ICO’s fine is significantly lower than both its initial notice of intent and the maximum fine available to it of 4% of BA’s turnover, the decision highlights that the ICO has adopted a strict approach in dealing with data security breaches. It underlines the importance of businesses prioritising adequate data security measures. It also illustrates the value of making well thought out and considered representations in the event that a security breach does occur.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.