The ICO has finally imposed a fine (its highest so far) on British Airways (BA) of £20 million for a major data breach that affected 400,000 of its customers. This matter had been significantly delayed (as we wrote about here https://www.corderycompliance.com/is-ba-fine-in-departure-lounge/) and is a very significant climbdown from the original intention that the ICO had of imposing a fine of £183.39 million (which we wrote about here https://www.corderycompliance.com/uk-dpa-to-fine-ba-for-data-breach/). Despite the reduction the case is still a salutary lesson of the need to keep data safe.
What’s the case about?
The fine relates to a cyber incident which was undetected for over two months (it was identified by a third party) before being notified to the ICO by BA in September 2018. This involved in part website traffic being diverted to a fraudulent site.
It is believed that the attacker potentially accessed the personal data of 429,612 customers and staff, which included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
The ICO announced in the summer of 2019 that it would be imposing a high fine but action on this was repeatedly delayed and it became clear over time that the fine would eventually be much lower than originally intended in light of representations made by BA to the ICO including about the economic impact of COVID-19 on BA’s business.
What did the ICO decide?
The ICO concluded that BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time. The ICO decided that these security measures would have prevented the 2018 cyber-attack being carried out, although the ICO also stated that it was “not clear whether or when BA would have identified the attack themselves”.
According to the ICO there were a number of measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network, including:
- Limiting access to applications, data and tools to only those that are required to fulfil a user’s role;
- Undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
- Protecting employee and third party accounts with multi-factor authentication (MFA).
The ICO said that “[n]one of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.”
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.[…]. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives.”
Because the breach occurred before the UK left the EU, the ICO investigated on behalf of all other EU DPAs as so-called “lead supervisory authority” under GDPR. Accordingly, through that process the other EU DPAs have approved both the ICO’s action and the fine.
It barely needs repeating that in order to keep personal data secure organisations need to have top-level organisational and technical measures (TOMs) in place and do all that they can to stop data breaches. They also need to make sure they can react to data breaches quickly when they happen. Although this was an incident where criminals focused on BA’s website, the ICO decided that organisations must nevertheless do all that they can to protect their systems, including their websites. Any organisation can be the target for this type of attack. They must have a first-rate strategy and proper tools in place for responding quickly when these incidents do happen. Those processes and procedures should be tested regularly – for example in a simulation exercise like Cordery’s Data Breach Academy – https://www.corderycompliance.com/cordery-data-breach-academy-2-2/. Although the fact that BA got a much lower fine than originally announced may send out a mixed message, this should not deter organisations from taking data security seriously; further, organisations should also bear in mind that class actions for compensation may yet add to the final bill in cases like this one.
There are more tips on dealing with data breaches here https://www.corderycompliance.com/dealing-with-a-breach/ together with a short film on the topic here https://www.corderycompliance.com/dealing-with-a-data-breach/.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance, including:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The ICO’s decision in the case can be found here: https://ico.org.uk/action-weve-taken/enforcement/british-airways/.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785
Image courtesy of BA