British Airways Faces Record Fine for Data Breach

Today in Security: British Airways Faces Record Fine for Data Breach

After a breach of its security systems last year, British Airways is facing a fine of £183 million ($228.9 million) from the Information Commissioner’s Office—the biggest penalty the ICO has ever issued and the first it has made public under new GDPR rules.

The ICO said that the security incident took place after British Airways’ website users were diverted to a fraudulent site, which enabled hackers to harvest details of about 500,000 customers.

The incident was disclosed on 6 September 2018, but the ICO said the incident began in June 2018. According to the Verizon 2019 Data Breach Investigations Report, this timeframe is not unusual—while the time from an initial attack to a compromise is quite short, the time from compromise to discovery is likely to be months.

A variety of information was compromised, including login, payment card, and travel booking details, as well as name and address information, according to the BBC. The ICO noted that British Airways cooperated with the investigation and made improvements to its security arrangements.

Until this point, the largest penalty in the UK was £500,000—the maximum allowed under pre-GDPR data protection rules—imposed on Facebook for the Cambridge Analytica data scandal. The maximum penalty under GDPR is 4 percent of turnover, but the British Airways penalty amounts to 1.5 percent of its worldwide turnover in 2017.

British Airways has 28 days to appeal the decision, and the company’s chairman and chief executive Alex Cruz said the airline was “surprised and disappointed” in the ICO’s finding. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused,” he said.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that—personal. When an organization fails to protect it from loss, damage, or theft, it is more than an inconvenience. That’s why the law is clear—when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Read more about post-GDPR fines in this article from the May 2019 issue of Security Management.