British Airways first fined under GDPR, faces £183m fine for 2018 data breach

The ICO has proposed a £183 million data-breach penalty on British Airways, the biggest fine ever handed out by the ICO and the first to be proposed under GDPR

British Airways (BA) may have to shell out £183 million as the penalty for the breach of its security systems in 2018. The Information Commissioner’s Office (ICO), UK, has announced the penalty proposal after its investigation found that a "variety of information" was compromised by poor security arrangements at the company.

"The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision," said the announcement. This is the biggest fine ever handed out by the ICO, and the first to be proposed under the new General Data Protection Regulation (GDPR), reported the BBC. 

The BA penalty announcement comes weeks after Asian peer Cathay Pacific was indicted for a data breach affecting 9.4 million passengers. Hong Kong’s Privacy Commissioner found the airline guilty of a low regard for data privacy and delay in disclosing the 2018 breach.

The BA breach 

The BA penalty announcement said personal data of approximately 500,000 customers -- including log-in, payment card, and travel booking details as well as name and address information -- was compromised in this incident, which is believed to have begun in June 2018.

According to BA, the data theft happened between 21 August and 5 September, 2018. "No passport or travel details were stolen. Only customers who made bookings between these dates are affected. Names, billing address, email address and all bank card details were all at risk," the company said in its acknowledgement of the breach.

"Action on BA was inevitable," said Amanda Finch, CEO of the Chartered Institute of Information Security Professionals (CIISP). "While we don’t yet know the final size of any fine, this is a clear warning shot – not only for BA but for the security industry as a whole." 

The data theft happened close on the heels of an IT disaster, when a power surge in the control centre near Heathrow caused a global flight interruption. Holding company IAG’s shares fell after that incident in May 2017, cutting the value of the airline group by £170 million.

The scope

The £183.4 million fine is equivalent to 1.5 percent of British Airways’ 2018 worldwide turnover of £11.6 billion. 

The GDPR has broadened the investigation ambit as well as the penalty amount. The ICO has been probing the case as the lead supervisory authority on behalf of other European Union member state data protection authorities. "Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings," said the penalty announcement.

"With GDPR in place, it’s important to remember that the fine is usually dictated by the size of the data breach in terms of how critical the stolen information can be for the user," said Liviu Arsene, senior e-threat analyst from Bitdefender. 

However, this is still not the maximum fine the ICO could impose, said Jake Moore, cyber-security specialist at ESET. "The amount of data compromised was huge and it is without doubt that it would have ended up in criminal hands. Therefore, it (the breach) should not be taken lightly."

The data obtained by the hackers could have been used for card fraud or even identity theft, he noted. "With as many as 380,000 transactions skimmed, this is an immense amount of personally identifiable information."

"People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience," said Information Commissioner Elizabeth Denham in the penalty announcement. 

"That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The future

The troubles for BA do not end with the £183 million fine, said Ilia Kolochenko, founder and CEO of ImmuniWeb. "It is now important to determine whose negligence or misconduct ultimately caused or facilitated the breach. If BA was relying only on automated vulnerability scanning for a business-critical application, a cyber-security supplier who suggested such a reckless strategy may be liable under certain circumstances and BA may cross-claim the damages."

The ICO has not given any significant information on how the breach was perpetrated by the hackers, although some reports pointed towards a vulnerability in payment systems, said Philip Greaves, director and GDPR lead at Protiviti. 

"Given the risk profile of British Airways and previous attacks over the last few years, British Airways clearly needs to be investing heavily in driving stronger cyber-controls. The Regulators are not expecting attacks to stop happening, only that organisations have sufficient controls in place to limit the risk to data subjects," he said.

"This could very well be the first of many large fines issued by the ICO and will most definitely serve as a wakeup call to organisations that offer goods or services to, or monitor the behaviour of, EU data subjects," said Tony Pepper, CEO of Egress.

"The industry needs to understand not only how to prevent, but how to react to large breaches if it is to avoid major action. Businesses need not only the technical skills that help make the organisation secure, but the ‘soft’ interpersonal skills that help create a security-minded culture across the company," said Finch.

"IT security is in the middle of a long-overdue period of professionalisation – standardising approaches and skills to ensure best practice at all times. Events like these show that it can’t happen quickly enough," she added. 
