In summer 2019, the Information Commissioner’s Office (ICO) issued a notice of intent to fine British Airways (BA) more than £183m for a breach of the General Data Protection Regulation (GDPR). The fine was calculated by reference to BA’s total global turnover and was an example of the ICO wielding the additional powers conferred on it by the GDPR.
The ICO has now announced that, having considered representations from BA and the significant economic impact of COVID-19 on its business, the fine will be reduced to £20m. This remains the largest fine that the ICO has ever imposed.
What Happened in the BA GDPR Breach?
Between late June and early September 2018, attackers were able to gain entry to BA’s internal systems, and it is believed that during this time they accessed the personal data of over 400,000 customers and staff. This included the names, addresses and card details of 244,000 of BA’s customers. Over 180,000 further customers also had at least part of their card details accessed.
While BA moved quickly once it discovered the attack, the ICO investigation found that the attackers had been operating undetected for over two months, and that BA only became aware of the breach when alerted by a third party. The ICO considered this a severe failing on BA’s part, as it is not clear whether BA would ever have detected the attack on its own, meaning an even larger number of people could potentially have been affected.
The ICO concluded that BA had not taken sufficient measures to mitigate or prevent an attack from occurring. The measures it could have taken included simple, inexpensive ones such as implementing multi-factor authentication, limiting user access to only the data that users need, and conducting rigorous testing of its systems. The ICO noted that, since the attack, BA has taken steps to considerably improve its IT security.
Why Such a Sizeable Reduction?
Under the GDPR, there are different levels of fines that can be levied for breaches depending on their severity. For less severe infringements, the fine can be the higher of up to €10m, or 2% of the organisation’s total worldwide turnover. More severe breaches can lead to a fine of up to €20m, or 4% of the organisation’s total worldwide turnover – again whichever is higher.
The ICO’s initial intention to fine BA £183m was based on the fact that BA held such a significant amount of personal data, and had failed to take appropriate steps to protect it. This was compounded by the failure to detect the attack.
In reducing the fine, the ICO noted that BA had taken steps to minimise the damage to individuals and had co-operated with the ICO throughout its investigation. The ICO also noted that the case had received significant media attention, which it hopes will increase other organisations’ awareness of the need to have sufficient measures in place to prevent and mitigate attacks and to limit the damage they can cause.
The ICO also took into account that the airline industry has been one of the sectors worst hit by the COVID-19 pandemic, and that this situation is continuing. BA has reported a loss of close to £4 billion, and the ICO therefore decided to reduce the fine further so as not to compound this position.
While the ICO may have significantly reduced the original amount of the fine, the £20m fine issued to BA is still the largest the ICO has ever imposed. The case serves as an important reminder to businesses of the need to ensure that appropriate measures are in place to protect personal data – and of the potential impact, both financial and reputational, of failing to do so.