The ICO has finally issued a fine to British Airways (BA) for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by attackers.
£20 million is a lot of money, even for British Airways, and especially in a global pandemic which has seen all airlines struggle financially. However, it is a far cry from the original Notice of Intent, issued in July 2018, for the sum of £183 million.
But then again the smaller fine is no big surprise either.
On 31st July, IAG (British Airways' parent company) issued its Interim Management Report, which states:
“The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the Information Commissioner’s Office (ICO) in the United Kingdom, relating to the theft of customer data at British Airways in 2018.
The process is ongoing and no final penalty notice has been issued.”
The Cyber Attack
The BA fine followed a cyber-attack during 2018 which remained undetected for more than two months. The attack involved diverting cardholder data from British Airways' official website to one set up by the attacker.
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
Failure to Prevent the Attack
According to the ICO, there were numerous measures BA could have used to mitigate or prevent the risk of an attacker gaining access to the BA network. These include:
- limiting access to applications, data and tools to only what is required to fulfil a user’s role;
- undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
- protecting employee and third-party accounts with multi-factor authentication.
Additional mitigating measures BA could have used are listed in the penalty notice.
None of these measures would have entailed excessive cost or technical barriers, and some were already available through the Microsoft operating system used by BA. (You can read more about the causes of cyber security breaches in our recent blog post.)
It may well be that British Airways launches an appeal, in which case the ICO's reasoning and actions when issuing fines under GDPR will be the subject of judicial scrutiny.
This will help GDPR practitioners faced with similar ICO investigations.
It will also be interesting to see what happens to the other outstanding Notice of Intent, relating to Marriott Hotels for £99 Million, as well as the ICO’s investigation into the more recent EasyJet data breach. Interesting times ahead.