It’s taken the UK Information Commissioner’s Office a while, but finally we have the first significant GDPR fine, and it is British Airways on the receiving end. The airline suffered a serious data breach last year, telling customers it had lost personal and payment details, including the CVV code from payment cards.
Despite cooperating in full with the ICO, British Airways has now been hit with a record fine under the provisions of the GDPR. The fine of £183 million equates to around 1.4% of its global turnover for 2018. The company has said it intends to appeal against the size of the fine.
In September 2018, British Airways customers found themselves the victims of an Internet fraud. Customers looking to book tickets were directed to a fake site which harvested data from 500,000 customers.
According to the initial British Airways warning: “names, email addresses and credit card details including card numbers, expiry dates and three-digit CVV codes were stolen by the hackers.” However, the company insisted that no travel details or passport data were stolen. The ICO now says that travel details were stolen but has not stated whether that includes passport details.
British Airways also claimed that the attack occurred between August and September 2018. The ICO investigation shows that this was also inaccurate. It has said that the attack started in June 2018. This means it will have caught many families booking holidays and business users booking travel in advance for the autumn conference season.
The ICO has also pointed the finger at British Airways for the attack. It says that poor security and processes used by the company were part of the reason the attack was successful. Those failures range from problems with how logins were handled to the way payment data was gathered and held.
What else did the ICO say?
The ICO did say that British Airways had cooperated fully with its investigation. It also says that the company has improved its security arrangements since the events were reported.
A statement from Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Is this a reasonable fine?
No, says the airline. However, setting the size of the fine is a complex matter.
Diane Yarrow, partner and commercial solicitor at award-winning law firm Gardner Leader solicitors, commented: “The penalty is substantial. There are various factors considered when setting the level of the fine which include: the number of people affected and the level of damage suffered, negligent character of the infringement, degree of responsibility of the controller and the categories of personal data affected by the infringement amongst other things. Evidently, given the vast number of customers affected and the details compromised, the ICO deemed it fit to order a substantial penalty sending a strong message to all data controllers.
“This first large fine would always be hotly contested and in the next 28 days, we should learn more details of the basis on which BA will appeal the ICO’s decision, together with the ICO’s response to the appeal. The ICO will have to take into account: any action taken by BA to mitigate the damage suffered by data subjects, the degree of cooperation with the supervising authority and any other mitigating factors.
“Given the current GDPR guidelines it can be reasonably expected that any decision by the ICO will set a strong precedent for future large scale data breaches. Anyone who has not yet taken steps to ensure that they comply with GDPR should revisit what they need to do in the context of their business.”
What happens next?
British Airways will appeal. It believes that its swift cooperation and response should have resulted in a lower fine. There is a feeling that it has been harshly treated and made an example of as a warning to other companies. It may be right but it is a hard thing to prove.
The fine does not just go to the UK government. The ICO led this investigation, and it is likely that the size of the fine will have been discussed with other regulators. The fine will be split between several regulators around Europe. Customers will now need to contact British Airways to see what compensation, if any, they will receive.
It seems that every year, the airline has some major IT malfunction. Previous meltdowns have led it to offer Executive Club members protected status for a few years. It has also paid out millions in compensation under EU flight rules. The failure of its data centre in 2017 cost it over £80 million in costs and compensation.
How much this will cost beyond the ICO fine is anyone’s guess. So far, apart from the public statement about the attack, there has been no contact from British Airways to customers about what it intends to do. In fact, many of those who booked flights during that period are unaware if their details were stolen or not.
What do the experts say?
As in all high profile cases, there are lots of people with something to say. The comments we have received include:
Jake Moore, Cybersecurity Specialist at ESET: “There was always going to be a hefty guinea pig fine from the ICO to mean business showing that GDPR fines are not just talked about. Incredibly, this still isn’t the maximum fine they could have been handled either.
“However, the amount of data compromised was huge and it is without doubt that it would have ended up in criminal hands so therefore it should not be taken lightly. The sort of data taken could have been used for card fraud or even identity theft and with as many as 380,000 transactions skimmed, this is an immense amount of information personally identifiable.”
Egress CEO, Tony Pepper: “This fine not only puts paid to any thoughts that the ICO lacked teeth in its pursuit of organisations putting customer data at risk, but also serves as a reminder to any company suffering from a complacent attitude to compliance that the handling, processing and storing of customer data should be its number one priority.
“This could very well be the first of many large fines issued by the ICO and will most definitely serve as a wake-up call to organisations that offer goods or services to, or monitor the behaviour of, EU data subjects.”
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb commented: “This is a gloomy reminder that web and mobile application security is essentially important, and if negligently disregarded – may cost hundreds of millions. Prompt reaction, investigation and rapid notice won’t be good enough to avoid formidable fines. Prevention is much better than cure from financial, reputational and operations standpoints.”
Enterprise Times: What does this mean?
British Airways has suffered from numerous IT problems over the last decade. Each of these has cost it money and reputation. The latter has also taken a significant hit through moves to reduce costs by making customers pay for seat assignments and refreshments in Economy seats on European flights. Customers will now wait and see what the airline does in terms of compensation and apology.
Now the regulators have weighed in with a whopping big fine. For many, this will be seen as a major success for GDPR. However, until the appeals process is complete, we won’t know what the final fine will be. That said, there will be a lot of companies out there who are now very nervous.
Over the past year, many have backdated their data breaches to before GDPR came into force. This limited the fines that could be awarded. That grace period is over and it will be interesting to see if the various European ICOs now start to consistently set high levels of fines.