GDPR Law Hits British Airways For 2018 Data Breach

This week, the UK Information Commissioner’s Office issued a notice of intention to fine British Airways £183.39M for a 2018 data breach. The Commissioner’s office issued a report outlining BA’s infringements under the EU’s General Data Protection Regulation (GDPR law).

The data breach came in a cyber incident against British Airways, which the company reported to the ICO in September 2018. As part of the attack, which began in June 2018, traffic to the British Airways website diverted to a fraudulent site controlled by the attackers. After visitors were direct to the impersonating site, the attackers harvested personal details from BA customers. Approximately 500,000 customers had their private information compromised in the incident.

The Commissioner’s investigation blamed poor security arrangements at British Airways for the loss of customer information. The ICO said the company failed to protect at least five types of information, including login, name and address, payment card, and travel booking details.

Elizabeth Denham, the Information Commissioner, said, “When an organisation fails to protect [personal data] from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

GDPR Law - British Airways
GDPR law British Airways. Image by NewsBlaze.

After reporting the incident to the Commissioner, British Airways cooperated with the investigation and made improvements to its security.

The next step for the company is to make representations to the ICO regarding their findings and the proposed sanction.

ICO was the lead supervisory authority in the investigation and liaised with other regulators on behalf of other EU Member State data protection authorities. Under the GDPR ‘one-stop-shop’ provisions, the data protection authorities in the EU whose residents have been affected have a chance to comment on the ICO’s findings.

The ICO stated that it would carefully consider the company’s representations, as well as submissions from other data protection authorities before making a final decision.

Responding to the ICO statement, British Airways said it was “surprised and disappointed” by the size of fine, amounting to 1.4% of its annual turnover. The company expects to appeal against the Commissioner’s findings and the proposed fine.

Security organisations blamed the “Magecart” criminal group for the attack.

British Airways reported that the exploit lasted from 22:58 GMT August 21, 2018, and 21:45 GMT September 5, 2018. They noted “no evidence of fraudulent activity on accounts linked to the theft.”

Record Fine

The proposed record fine is four times the fine levied against Google. It is the first heavy penalty issued against a multi-national corporation due to a criminal cyberattack that compromised customer information.

This should be a warning for any company or website that receives or holds customer information that must comply with the wide-ranging GDPR.

Alan Gray
Alan Gray is the Publisher and Editor-in-Chief of NewsBlaze Daily News and other online newspapers. He prefers to edit, rather than write, but sometimes an issue rears it's head and makes him start hammering away on the keyboard.

Content Expertise

Alan has been on the internet since it first started. He loves to use his expertise in content and digital marketing to help businesses grow, through managed content services. After living in the United States for 15 years, he is now in South Australia. To learn more about how Alan can help you with content marketing and managed content services, contact him by email.

Technical Expertise

Alan is also a techie. His father was a British soldier in the 4th Indian Division in WWII, with Sikhs and Gurkhas. He was a sergeant in signals and after that, he was a printer who typeset magazines and books on his linotype machine. Those skills were passed on to Alan and his brothers, who all worked for Telecom Australia, on more advanced signals (communications). After studying electronics, communications, and computing at college, and building and repairing all kinds of electronics, Alan switched to programming and team building and management.He has a fascination with shooting video footage and video editing, so watch out if he points his Canon 7d in your direction.