British Airways could face record £183 million fine for data breach

“Surprised” and “disappointed” is how British Airways (BA) responded to yesterday’s news that the Information Commissioner’s Office (ICO) intended to fine the airline £183.39 million for a serious data breach that began in June last year.

It’s not hard to see why the airline feels aggrieved. The penalty is a record for the ICO, which had previously only been able to levy a maximum fine of £500,000 for the worst breaches. Facebook received the ICO maximum when the Cambridge Analytics scandal hit the headlines in early 2018.

However, the Facebook incident occurred prior to the introduction of GDPR on May 25th, 2018. BA wasn’t so lucky. That said, the airline can perhaps take some solace from the fact that the ICO doesn’t appear to have slapped the firm with the maximum possible penalty under GDPR.

 

It’s not entirely clear at this stage which elements of GDPR BA is accused of violating, but the most serious data breaches under the regulation come with a fine of €20 million euros or 4% of annual revenues, whichever figure is higher.

The airline recorded revenues of just over £13 billion in 2018, so incurring the full wrath of the ICO could have led to a fine of more than £650 million if the infractions fell under the most egregious examples of GDPR contraventions. Instead, the £183.39 million fine represents approximately 1.4% of the company’s revenues.  

Why was BA fined?

The penalty relates to a cyber incident in which the personal data of approximately 500,000 customers was harvested. BA first notified the ICO of the event in September last year.

Hackers managed to divert visitors to the company’s website to a fraudulent site, where numerous pieces of information were subsequently compromised, including log-in details, payment cards, names, addresses and travel booking confirmations.

Unfortunately for BA and its customers, credit card numbers, expiry dates and the three-digit CVV code on the back of cards were potentially among the details revealed in tens of thousands of cases.

The ICO blamed “poor security arrangements” for the breach, with Information Commissioner Elizabeth Denham claiming her office will take appropriate steps to punish organisations that fail in their data privacy obligations.

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience,” she explained.

“That’s why the law is clear: when you are entrusted with personal data you must look after it.”

In mitigation, the ICO confirmed BA had fully co-operated with its investigation and the airline had since improved its security arrangements.

How has BA responded?

While the fine doesn’t represent the maximum punishment BA could have received, company Chairman and Chief Executive Alex Cruz felt the airline had done as much as could be expected given the circumstances.

“BA responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” he stated.

“We are surprised and disappointed in this initial finding from the ICO.”

BA is part of the International Airlines Group, (IAG) which owns a number of well-known brands, including Aer Lingus, Iberia, Avios and Vueling. Chief Executive of IAG Willie Walsh said BA will make representations to the ICO in an effort to reduce the fine.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he stated.

What happens next?

The £183.39 million figure isn’t quite set in stone yet. The ICO has instead issued BA with a notice of intention to fine the airline for that amount for GDPR infringements.

During the course of the investigation, the ICO liaised with other regulators across Europe. Other data protection authorities across the continent whose residents have been affected by the breach will have an opportunity to comment on the findings.

Meanwhile, BA has a chance to appeal against the size of the fine, which it is likely to do, before a final ICO decision is made.

George Salmon, an analyst at Hargreaves Lansdown, admitted the £183.39 million figure would make a “pretty big dent” in the airline’s profits for next year.

“But IAG should be able to withstand its impact as it is less than 10% of expected net profits and could yet be reduced on appeal,” he told the Guardian.

“The fine serves as a reminder that while one might think of data risks as more relevant to the likes of Google, Facebook and other tech giants, the new rules cover any business with customer data on board.”

No doubt other organisations will be keeping a keen eye on the final outcome of the investigation and the resulting appeals. At the very least, the ICO has shown it is more than willing to hand out multimillion-pound fines for serious GDPR breaches.

Our 2019 Market Report combines our review of the prevailing conditions in the security & resilience recruitment market with the results of our latest employer and candidate surveys.

Image credit: Francois Van via Unsplash