British Airways faces record GDPR fine of £183.4m

Following an extensive investigation, the Information Commissioner’s Office has issued a notice of its intention to fine British Airways £183.39m for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident that hit British Airways back in September 2018.

The incident, in part, involved user traffic to the British Airways website being diverted to a fraudulent site.

Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.

Industry comment

Jonathan Compton, Partner at DMH Stallard

The ICO has issued a Notice of Intention to fine British Airways £183.4m. The Notice follows an investigation arising out of a data breach notified to it by BA last September. In effect, visitors to the BA website were being diverted to a fraudulent site. Data belonging to half a million people were compromised.

What perhaps caused the Information Commissioner most concern was:

(i) that the hack started in June 2018 and was not reported until September, and
(ii) what she felt were poor cybersecurity measures in place, and
(iii) the breach included credit card details.

Information Commissioner Elizabeth Denham said: “the law is clear – when you are entrusted with personal data you must look after it…”

BA will be able to make representations to the ICO; the Notice of Intention is not a final decision. In any event, whilst BA described the Notice as “disappointing”, the fact remains that if you are processing people’s personal data including credit cards, you must have the security measures in place to avoid a hack.

What is interesting about this investigation is the increased co-operation between European data protection agencies. In this case, the ICO was the lead investigator for concerns raised in other EU countries. Whether this co-operation will continue post-Brexit is not a matter that can be taken for granted.

Dianne Yarrow, partner and commercial solicitor at law firm Gardner Leader

Not long after the first anniversary of GDPR coming into force, the ICO has issued the largest ever fine to British Airways for a data breach relating to 500,000 customers.

Under Article 5 of the GDPR rules, personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…and…processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”.

The compromised information in the BA cyber incident included login, payment card, travel booking, name and address details. Clearly, BA breached the above Article and the wider GDPR as it failed to properly safeguard personal data that it was entrusted with.

BA has been issued with a fine amounting to 1.5% of its worldwide turnover in 2017, which far surpasses the previous record fine of £500,000 which Facebook was ordered to pay in the Cambridge Analytica data scandal. The difference in the fines is owed to the change of law between the incidents, namely the arrival of GDPR, which allows a maximum fine of up to 4% of annual turnover.

The penalty is substantial. There are various factors considered when setting the level of the fine, which include: the number of people affected and the level of damage suffered, the negligent character of the infringement, the degree of responsibility of the controller and the categories of personal data affected by the infringement, amongst other things. Evidently, given the vast number of customers affected and the details compromised, the ICO deemed it fit to order a substantial penalty, sending a strong message to all data controllers.

This first large fine would always be hotly contested and in the next 28 days, we should learn more details of the basis on which BA will appeal the ICO’s decision, together with the ICO’s response to the appeal. The ICO will have to take into account any action taken by BA to mitigate the damage suffered by data subjects, the degree of cooperation with the supervising authority and any other mitigating factors.

Given the current GDPR guidelines, it can be reasonably expected that any decision by the ICO will set a strong precedent for future large-scale data breaches. Anyone who has not yet taken steps to ensure that they comply with GDPR should revisit what they need to do in the context of their business.