British Airways has dodged a £183M GDPR bullet: the fine issued to the airline after a wide-scale data breach has been lowered because of the financial impact of the COVID-19 pandemic.
In 2018, British Airways was hit by a sprawling data breach that exposed the personal information of hundreds of thousands of its customers. To make matters worse, the airline was reportedly unaware of the breach for as long as two months before eventually detecting it.
All up, it is believed that outside threat actors were able to obtain the personal information and data of up to 429,000 British Airways staff and customers, including the names, addresses, credit card details and CVV codes of nearly a quarter of a million of them.
This led the UK’s Information Commissioner’s Office (ICO) to hand British Airways a notice of intent to fine of £183M, for what it said was a systematic failure to adequately protect customer data that culminated in an avoidable data breach.
The ICO’s initial notice of intent – handed to British Airways in July 2019 – included an extension up until March 2020. Now, however, that £183 million fine has been lowered to £20 million by the ICO, which says the reduced figure is more appropriate given British Airways’ inability to operate at normal levels during the COVID-19 pandemic.
Elizabeth Denham, the UK’s Information Commissioner, has confirmed that since the breach and the notice of intent to fine were issued, British Airways has made significant investments in strengthening its information security practices.
Ms Denham said that “people entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.”
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20 million fine – our biggest to date.”
In the data breach, hackers were also able to access the username and password information of 612 members of the British Airways Executive Club.
Under the GDPR, a company can be fined as much as 4% of its annual turnover for mismanagement of customer data that leads to a breach and a violation of customer privacy.
Rachel Aldighieri, Managing Director of the UK’s Data and Marketing Association, has issued a statement saying “Brexit and coronavirus have put businesses under immense financial strain and a fine of this magnitude will get the attention of board members of organisations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO.”
“This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it,” she said.
Earlier this year, we reported on the potential £18 billion fine that EasyJet could be facing after a data breach and subsequent leak of passenger information hit the budget air carrier. This illustrates the severity with which the ICO will hand out fines to companies found to be in violation of the GDPR’s strict information security requirements.
Peter Wilson of Huntsman Security has told Infosecurity Magazine that “whether this was a result of clever bargaining by BA, the investigation process uncovering mitigating factors, an acknowledgment of the ravages of COVID-19 on the airline industry or the ICO deliberately setting a high initial target with a more realistic goal in mind, it could give the message that fines will not be as severe as businesses and some in the security and privacy industry expect.”
That same report quotes Vanessa Barnett of Keystone Law who says that “in the grand scheme of things, it’s important that the punishment fits the wrongdoing: whilst the GDPR certainly has teeth and can really bite quite hard, it’s great to see the ICO continuing with its attitude of proportionality that existed pre-GDPR… Don’t forget that before the GDPR, the statutory limit was £500,000.”
“£500,000 to £20m is a big jump, and will still very much focus the compliance minds. The ICO may have felt some moral pressure not to whack BA even more in the midst of a global pandemic which is affecting it hugely, and it is lucky its enforcement framework allows this,” she said.