The British Airways Data Breach Fine


The ICO has finally issued a fine to British Airways (BA) for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by attackers.  

£20 million is a lot of money, even for British Airways, and especially in a global pandemic which has seen all airlines struggle financially. However, it is a far cry from the original Notice of Intent, issued in July 2018, for the sum of £183 million.
But then again, the smaller fine is no big surprise either.

On 31st July, IAG (British Airways' parent company) issued its Interim Management Report, which states:

“The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018.
The process is ongoing and no final penalty notice has been issued.”

The Cyber Attack 

The BA fine followed a cyber-attack during 2018 which remained undetected for more than two months. The attack involved diverting cardholder data from British Airways' official website to one set up by the attacker.

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed. 

Failure to Prevent the Attack 

According to the ICO, there were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include: 

  • limiting access to applications, data and tools to only those required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
  • protecting employee and third party accounts with multi-factor authentication.

Additional mitigating measures BA could have used are listed in the penalty notice.
None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA. (You can read more about the causes of cyber security breaches in our recent blog post.) 

It may well be that British Airways launches an appeal, in which case the ICO's reasoning and actions when issuing fines under GDPR will be the subject of judicial scrutiny.
This will help GDPR practitioners faced with similar ICO investigations.

It will also be interesting to see what happens to the other outstanding Notice of Intent, relating to Marriott Hotels for £99 Million, as well as the ICO’s investigation into the more recent EasyJet data breach. Interesting times ahead. 

We have some places available on our Cyber Security for DPOs workshop in November. This and other GDPR developments will be covered in our new online GDPR update workshop.

About actnowtraining

Act Now Training Ltd specialise in information law. We have been providing training and consultancy services globally for over 17 years. We have an extensive GDPR and FOI course programme from live and recorded webinars, accredited foundation through to higher level certificate courses delivered throughout the country or at your premises.
