The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.
Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.
In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.
Details of the cyber attack
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
Failure to prevent the attack
There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:
- limiting access to applications, data and tools to only that which are required to fulfil a user’s role
- undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
- protecting employee and third party accounts with multi-factor authentication.
Additional mitigating measures BA could have used are listed in the penalty notice.
None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.
Since the attack, BA has made considerable improvements to its IT security.
Lack of awareness of the attack
ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.
It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.
Notes to Editors
- The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.
- The GDPR sets out six basic principles organisations must comply with in processing personal data. These are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; security; accountability. This penalty deals with failures by BA regarding the security and accountability principles.
- The ICO’s investigation involved various exchanges with BA and considered detailed submissions and evidence. The penalty process involved issuing BA with a Notice of Intent indicating an intention to impose a penalty and offering BA the chance to submit representations.
- BA announced the Notice of Intent on the London Stock Exchange and the ICO responded with a statement.
- The ICO applied the legislative framework in conjunction with the ICO’s Regulatory Action Policy, which states that before issuing fines we take into account economic impact and affordability. The RAP is currently under review as part of the ICO’s consultation on its Statutory Guidance.
- Where, as here, the processing in issue is cross-border, Article 56 of the GDPR makes provision for the designation of a lead supervisory authority. In this case, the ICO acted as the lead supervisory authority.
- The ICO completed the Article 60 process prior to the issuing of the penalty. Article 60 of the GDPR provides that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in an endeavour to reach consensus. This includes submitting a draft decision to the other supervisory authorities concerned for their opinion and taking due account of their views.
- Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.