This week, the UK Information Commissioner’s Office (ICO) issued a notice of intention to fine British Airways £183.39M for a 2018 data breach. The Commissioner’s office issued a report outlining BA’s infringements under the EU’s General Data Protection Regulation (GDPR).
The data breach came in a cyber incident against British Airways, which the company reported to the ICO in September 2018. As part of the attack, which began in June 2018, traffic to the British Airways website was diverted to a fraudulent site controlled by the attackers. After visitors were directed to the impersonating site, the attackers harvested personal details from BA customers. Approximately 500,000 customers had their private information compromised in the incident.
The Commissioner’s investigation blamed poor security arrangements at British Airways for the loss of customer information. The ICO said the company failed to protect at least five types of information, including login, name and address, payment card, and travel booking details.
Elizabeth Denham, the Information Commissioner, said, “When an organisation fails to protect [personal data] from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
After reporting the incident to the Commissioner, British Airways cooperated with the investigation and made improvements to its security.
The next step for the company is to make representations to the ICO regarding their findings and the proposed sanction.
The ICO was the lead supervisory authority in the investigation and liaised with other regulators on behalf of other EU Member State data protection authorities. Under the GDPR ‘one-stop-shop’ provisions, the data protection authorities in the EU whose residents have been affected have a chance to comment on the ICO’s findings.
The ICO stated that it would carefully consider the company’s representations, as well as submissions from other data protection authorities before making a final decision.
Responding to the ICO statement, British Airways said it was “surprised and disappointed” by the size of the fine, which amounts to 1.4% of its annual turnover. The company expects to appeal against the Commissioner’s findings and the proposed fine.
Security organisations blamed the “Magecart” criminal group for the attack.
British Airways reported that the exploit lasted from 22:58 GMT on August 21, 2018, to 21:45 GMT on September 5, 2018. They noted “no evidence of fraudulent activity on accounts linked to the theft.”
The proposed record fine is four times the fine levied against Google. It is the first heavy penalty issued against a multi-national corporation due to a criminal cyberattack that compromised customer information.
This should be a warning for any company or website that receives or holds customer information and must therefore comply with the wide-ranging GDPR.