British Airways faces record data breach fine in UK

British Airways is set to receive the largest ever fine for a data breach. The proposed £183.39m (€200m) fine surrounds breaches of its security systems for customers’ data.

The UK Information Commissioner’s Office (“ICO”) confirmed its intention to fine British Airways on 8 July. This is the first publicised fine from the ICO under the GDPR.

The breach arose following sophisticated hackers attacking British Airways’ website. User traffic to its website and mobile app was diverted to a fraudulent site. On this false site, attackers harvested customers’ information. Various customer details were compromised, including login details, payment card details and travel arrangements. 

British Airways disclosed the incident to the ICO on 6 September 2018. The ICO’s findings suggest that data had been compromised since around June 2018. 

Under the GDPR, the maximum penalty is €20m or 4% of annual global turnover (whichever is higher). £183m is around 1.5% of British Airways’ global turnover in 2017. 

British Airways now has 28 days to appeal and make representations before the sanction is finalised. 

Comment

We have seen the ICO flex its muscles more in recent months when issuing fines. However, until now these fines have been under the UK Data Protection Act 1998 (where the maximum fine was £500,000). This is the first time we have seen the ICO set to utilise new higher penalties under GDPR.

Earlier this year we saw the French data regulator CNIL hit Google with a €50 million fine. This shows how data regulators across Europe are willing to utilise their increased powers if required. 

Since the GDPR’s introduction, the number of complaints (by individuals) and reported security breaches (by organisations) to the ICO have increased significantly. The ICO‘s workload has therefore increased and we can expect it to publish more decisions under GDPR. 

While the penalty imposed on British Airways was less than the maximum available (and at 1.5% of annual global turnover is less than half the maximum), it demonstrates that organisations can face huge fines for data security breaches. In its report, the ICO noted that British Airways had cooperated with the investigations and made improvements to its security systems. However, this was not enough to escape a substantial fine. 

British Airways also faced high media attention when it notified the security breach in September, which shows how brand reputation is also a key factor. 

Organisations need to continually monitor their security mechanisms. Compliance is an ongoing process, so even if they took measures in preparation for 25 May 2018, they need to keep these under review. This latest notice should act as a wake-up call to organisations to ensure their systems are up to date in order to avoid these increased penalties. 

Organisations need to continually monitor their security mechanisms. Compliance is an ongoing process, so even if they took measures in preparation for 25 May 2018, they need to keep these under review. This latest notice should act as a wake-up call to organisations to ensure their systems are up to date in order to avoid these increased penalties. 

Published here by Doyle Clayton