Fined $26 Million in Connection With 2018 Breach
Britain’s Information Commissioner’s Office announced this week a dramatic reduction in its fine against British Airways for violating the EU’s General Data Protection Regulation.
The ICO finalized a fine of nearly 20 million pounds ($26 million) in connection with a 2018 data breach that exposed the personal information of about 430,000 customers. It had announced in July 2019 that it intended to impose a penalty of 184 million pounds ($238 million) on British Airways, which is owned by the Madrid-based International Airlines Group (see: British Airways Faces Record-Setting $230 Million GDPR Fine).
“As part of the regulatory process, the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty,” the ICO said this week.
Lack of Security Protocols
At the time of the breach, British Airways did not have the proper security protocols in place to protect the large amount of personal data it processes and stores, the ICO says. The breach, which exposed credit card information and employee login credentials, went undetected for two months, according to the agency.
“People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA a £20m fine – our biggest to date,” says ICO Commissioner Elizabeth Denham.
We have fined British Airways £20 million for failing to protect the personal and financial details of more than 400,000 of its customers.
— ICO (@ICOnews) October 16, 2020
A British Airways spokesperson tells Information Security Media Group: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations. We are pleased the ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully cooperated with its investigation.”
André Bywater, a partner at London-based law firm Cordery, says the reduced fine imposed on British Airways “should not deter organizations from taking data security seriously. Further, organizations should also bear in mind that class-action [lawsuits] for compensation may yet add to the final bill in cases like this one.”
Breach Detection Delay
ICO expressed concern that the airline failed to detect the breach and was informed of it by a third party more than two months after the attack.
“It is not clear whether or when BA would have identified the attack themselves,” the ICO report states. “This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”
Bywater says companies must have top-level organizational and technical measures in place to defend against breaches.
“They must have a first-rate strategy and proper tools in place for responding quickly when these incidents do happen. Those processes and procedures should be tested regularly,” he says.
Groups under the Magecart umbrella are thought to be responsible for dozens of attacks over the last five years, including those targeting Macy’s, Wawa and Newegg.
The ICO estimates nearly 430,000 British Airways’ customers and staff were potentially affected by the breach, with 244,000 possibly having their names, addresses, payment card numbers and CVVs compromised.
Usernames and passwords of employee and administrator accounts were also exposed, as well as usernames and PINs of up to 612 BA Executive Club accounts.