BA argues ICO data breach fine down to £20m

British Airways (BA) has been fined a total of £20m by the Information Commissioner’s Office (ICO) over a data breach that compromised the personal and financial details of hundreds of thousands of customers who made bookings and changes to their itineraries on its website in the summer of 2018.

The ICO had originally proposed to fine BA £183m, which would have been the largest fine yet levied under the General Data Protection Regulation (GDPR), but after a series of appeals and representations, and taking into account a number of factors including the impact of the Covid-19 pandemic on the airline’s finances, this total has been slashed.

The ICO’s subsequent investigation found that BA was processing a significant amount of personal data without having adequate security measures in place, a breach of data protection law, after which it fell victim to a cyber attack that it did not detect, or discover the full extent of, for some time.

The watchdog said BA should have identified weaknesses in its security and resolved them with appropriate measures to prevent the cyber attack from being effective.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said information commissioner Elizabeth Denham.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

Denham added: “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

The cyber criminals behind the attack on BA are now thought to have accessed the personal data of 429,612 customers and staff, including the names, addresses, payment card numbers and CVV numbers of 244,000.

They also stole the combined card and CVV numbers of 77,000, the card numbers only of 108,000, alongside the usernames and personal identification numbers (PINs) of 612 members of the airline’s Executive Club, and usernames and passwords for BA employee and administrator accounts.

In its final judgment, the ICO said BA should have taken steps including: limiting access to internal IT applications, data and tools to only what was needed to fulfil a user’s role; undertaking penetration testing exercises and incident simulations; and implementing multi-factor authentication to protect employee and customer accounts.

It said that none of these measures would have entailed excessive costs or technical barriers – some of them merely needed to be switched on in the Microsoft operating systems used by BA.

It also took into consideration the fact that BA did not detect the initial attack on 22 June 2018 but was alerted to it in early September after the damage had been done. The ICO said it was unclear whether or not, or when, BA would have noticed the attack had a third party not stepped in, which it considered a severe failing because it meant the number of customers affected could have been much higher.

It did, however, note that once BA became aware of the problem, it acted swiftly, appropriately and in accordance with the GDPR, and it has since made “considerable” improvements to its security posture. The airline also offered all those affected 12 months’ membership of a credit checking and management service.

A BA spokesperson said: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations.

“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully cooperated with its investigation.”

Francis Gaffney, director of threat intelligence and response at Mimecast, commented: “Regulations are not just something that organisations have to comply with, they should encourage improved behaviours and best practice. Too often, regulation is viewed as a burden, but organisations should start to view it through the lens of their customers, partners or employees. If a customer trusts you with their data, you owe it to them to protect it and ensure it is safe.

“Many organisations are having to pay financial penalties for such data breaches and it is only afterwards that the cost of a breach now outweighs the potential savings from not investing in security and data management solutions.”

Gaffney added: “It is often the case that the damage to the organisation’s reputation and branding dwarfs the fine imposed. This breach is particularly worrying, as it went undetected for a number of months and a lot of personal data could have been exposed.”