British Airways – ICO’s biggest fine yet

The anticipated fine for British Airways has now been confirmed, albeit much lower than originally contemplated.

On 8 July 2019, the Information Commissioner's Office (ICO) published its intention to fine British Airways £183.39m (an equivalent to 1.5% of BA’s global turnover) under the General Data Protection Regulation for a breach of almost 500,000 individuals’ personal data. However, a combination of mitigating factors and an impact of the pandemic led the ICO to review the level of the fine and concluded to issue ‘only’ a £20m penalty.

The GDPR sets two tiers of fines. For less severe infringements organisations can be fined up to €10m, or 2% of its total worldwide turnover of the preceding financial year, whichever is higher. The more severe infringements could result in a fine of up to €20m, or 4% of its total worldwide turnover of the preceding financial year, whichever is higher.

What has happened?

In September 2018, BA issued an apology for a breach of the company’s security systems which resulted in a cyber attack and a disclosure of personal data of nearly 500,000 individuals. Specifically:

• 244,000 individuals had their name, address, card number, and CVV number disclosed;
• 77,000 individuals had their card number and CVV only disclosed;
• 108,000 individuals had their card number only disclosed;
• approximately 612 BA Executive Club accounts’ usernames and pin numbers were disclosed; and
• usernames and passwords of BA employees and administrator accounts were disclosed.

The breach occurred as a result of attackers gaining access to an internal BA application and the wider network where they were able to exploit a JavaScript file on the BA’s website. This resulted in data being exfiltrated from the BA’s website (britishairways.com) to an external domain (BAways.com). The copying and redirecting of payment card data took place between 21 August to 5 September 2018 without interrupting the usual BA booking and payment procedure.

In its investigation, the ICO concluded that BA failed to comply with its GDPR obligations under Article 5(1)(f) Integrity and confidentiality principle and Article 32 Security of processing. It determined that BA processed a “significant amount of personal data without adequate security measures in place”. The failure to resolve its security weaknesses and detect the cyber attack for more than two months has also been criticised. Questions were raised as to whether BA would have detected the breach themselves at all, given that they were informed about the issue by a third party.

Mitigating factors

The ICO has taken into consideration the mitigating factors in its assessment of the appropriate fine. In particular, it considered that BA took immediate steps to minimise any damage suffered by the affected individuals and implemented remedial measures. BA also cooperated with the ICO and other enforcement agencies as well as promptly informed the affected individuals. The ICO considered that the media attention this breach has received was likely to increase the awareness of other organisations to the risks posed by cyber incidents and mobilise them to take preventative actions. In addition, the cyber attack and the regulatory action is likely to impact BA’s brand and reputation. The mitigating factors also include the ability to pay the fine i.e. financial hardship.

Having considered the representations submitted by BA, the ICO decided to lower the fine to £30m. Subsequently, having considered the mitigating factors, it also decided to apply 20% reduction, lowering the fine to £24m.

The impact of the pandemic

The aviation industry is one of most impacted sectors by the ongoing COVID-19 pandemic. With the passenger demand plunging by 98%, global air transport industry is said to have lost around $84.5bn in 2020 due to the virus, with IAG which owns British Airways, reporting a loss of £3.8bn.

The ICO has taken into consideration the impact of the pandemic on BA in its assessment of the fine and decided to decrease it by £4m, issuing the fine of £20m.

Points to note

In its original Notice of Intent to fine BA, alongside Articles 5(1)(f) and 32, the ICO provisionally found BA to be in breach of Article 25 of the GDPR, Data protection by design and by default. Following BA’s representation in which BA claimed that the ICO misapplied Article 25, as it was not in force at the time when BA designed the relevant data processing system (or it should not be relied on, as in this context it simply replicates the obligations under Article 32), the ICO decided to make findings of infringement in respect of Articles 5 and 32 only. The ICO disagreed with BA’s interpretation of Article 25, which it stated applies “at the time of the processing itself” as well as at the point at which the system is designed. This means that it is crucial that organisations monitor its processing and ensure that old systems have been appropriately assessed taking into consideration the requirements of Article 25.

It is also important to ensure that technical and organisational measures are in place as required by the GDPR. The fines are likely to be higher where an investigation finds that an organisation has not taken appropriate steps to prevent unauthorised access to personal data. The lessons that can be derived from the BA’s breach is that organisations should:

• ensure that access to applications is controlled and only given to those who need it to carry out their duties
• undertake a monitoring of the domain administrator’s accounts as a vital element of a system security (the attackers were able to gain access to the administrator’s account which enabled them further network access)
• protect log in details by a multifactor authentication (such as a combination of a password and a code sent to a mobile device)
• not collect or store data unless it is necessary (BA collected and stored credit card security numbers (CVV) for 95 days in an unencrypted format, as a result of a human error)
• ensure that staff receive a regular data protection and information security training
• carry out a data protection impact assessment prior to any new applications or website roll out
• have effective IT governance monitoring in place; use appropriate standards and tools and undertake regular security updates and vulnerability testing which should extend to third-party applications

One thing is certain – implementing and maintaining an appropriate IT infrastructure and having appropriate technical and organisational measures in place is an investment. But in light of significant fines, it is an investment that is likely to protect organisations and minimise the risk of much more expensive fines.