Today the Information Commissioner’s Office (ICO) has released a statement of its intention to fine British Airways £183,390,000 for its breach of the General Data Protection Regulation (GDPR) in September 2018.
The ICO’s findings are a result of a “sophisticated, malicious criminal attack” on the British Airways website which reportedly diverted its users to a fraudulent website in a “Magecart-style card skimming attack”, harvesting around 500,000 customers’ personal details.
British Airways first notified the ICO of the breach on 6 September 2018, stating that approximately 380,000 customers had been affected but that the breach did not include travel or passport details. Following an extensive investigation, the ICO reports that the incident appeared to have begun in June 2018 and that, as a result of poor security arrangements, a variety of information was compromised, including login, payment card and travel booking details, as well as name and address information. This included email addresses, credit card numbers, expiration dates and the three-digit CVV codes found on the back of credit cards.
How is the fine calculated?
The fine, if confirmed, will be the biggest penalty handed out by the ICO so far, and it is the first to be made public under the new GDPR rules which came into force in May 2018. Previously, the ICO’s largest fine of £500,000 was imposed on Facebook for its involvement in the Cambridge Analytica scandal, amounting to the maximum penalty allowed under the old data protection rules.
Under the GDPR and the UK’s Data Protection Act 2018, the ICO is able to impose fines of up to 4% of an undertaking’s worldwide turnover, depending on the nature and severity of the data breach. The proposed fine of £183 million is reported to amount to 1.5% of British Airways’ worldwide turnover in 2017.
Whilst the ICO has not yet released its full investigations and findings, it is likely that in reaching this figure, the ICO would have taken into account the number of customers affected, the security measures taken by British Airways to protect personal data in the first instance and the company’s level of cooperation with the ICO investigation.
What next for British Airways?
British Airways now has the opportunity to respond to the ICO’s proposed findings and sanctions. It has 28 days to appeal the ICO decision and Willie Walsh, chief executive of International Airlines Group (IAG) (owner of British Airways), has said that it would be making representations to the ICO.
In the ICO’s statement, the Information Commissioner Elizabeth Denham commented that “[w]hen an organisation fails to protect [personal data] from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from [the ICO] to check they have taken appropriate steps to protect fundamental privacy rights”.
This decision should be a warning to all companies dealing with personal data. If companies have not done so already, the proposed fine against British Airways should encourage all to focus on their data protection processes to make sure that they are GDPR compliant and, more importantly, that they are secure.
In light of the increasing threat of cyber attacks, companies should also make cyber security a priority to prevent such data breaches. Businesses should consider obtaining appropriate insurance; taking specialist legal advice on mitigating the risk of a cyber security attack; and doing all that they can to keep company software patched and up to date.
If you would like any further information on data protection legislation or if you would like any advice on ensuring cyber security and GDPR compliance, please get in touch.