British Airways has been served with a record fine of £183.39m by the Information Commissioner’s Office (ICO) for infringements of the General Data Protection Regulation relating to last year’s breach of its security systems.
The airline’s chief executive Alex Cruz said he was “surprised and disappointed” by the ICO’s decision. He went on to say “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft…We apologise to our customers for any inconvenience this event caused”.
The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. According to the ICO’s press release, “(t)his incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.”
Though the attack was carried out by malicious actors, the ICO’s investigation found that a variety of information was compromised because of “poor security arrangements” at British Airways. The information compromised included login, payment card and travel booking details, as well as name and address information.
Commenting on the fine, the Information Commissioner Elizabeth Denham said: “(p)eople’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The penalty proposed for British Airways is the biggest ever. Previously, the record was the £500,000 imposed on Facebook for its role in the Cambridge Analytica data scandal. The significant jump is due to recent changes in data protection law: Facebook was fined under the old legislation, the Data Protection Act 1998 (DPA 98), where the maximum fine was £500,000.
The DPA 98 was replaced by the Data Protection Act 2018 (which implemented GDPR in the UK) in May last year. Amongst other things, the new law significantly increases the maximum penalty to 4% of global annual turnover (or €20m, whichever is higher). British Airways is one of the first companies fined under the new law, though the ICO did not levy the maximum possible: the proposed total amounts to around 1.5% of the airline’s global turnover in 2017.
The response to the fine has, predictably, been one of shock. Adding to Alex Cruz’s comments, Willie Walsh, chief executive officer of IAG, British Airways’ parent organisation said that the company “will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.
Whether or not any appeal is successful (BA has 28 days to make representations to the ICO) remains to be seen. But what commentators agree on is that this fine sends a clear message: the introduction of GDPR has ushered in a new regulatory era. Nils Pratley, the Guardian’s financial editor, remarked that the GDPR has turned the ICO into “a regulator to be feared”. This view was echoed by the BBC’s technology correspondent Rory Cellan-Jones, who wrote that the size of the fine “will send a shiver down the spine of anyone responsible for cybersecurity at a major corporation”.