British Airways fined £20m over GDPR breach

The cyber attack took place in 2018 and prompted an investigation by the Information Commissioner's Office (ICO). The ICO last year issued a notice of intent to fine BA more than £183m in relation to the incident under the General Data Protection Regulation (GDPR). However, the ICO has now announced it has imposed a lower penalty – albeit the largest it has imposed under the GDPR to-date – after it narrowed the focus of its enforcement action, considered mitigating factors and applied discounts, including for the purpose of reflecting the economic pressures on the company stemming from the coronavirus crisis.

Cyber risk specialist David McIlwaine of Pinsent Masons, the law firm behind Out-Law, said: "Whilst the fine has reduced from £183m, as outlined in the notice of intent, to £20m, only £4m of that reduction has been specifically attributed to Covid-19. It is hard to think of an industry that has been affected more by the pandemic than the airline industry, so clearly organisations should not expect significant leniency during these times."

Data protection law specialist Claire Edwards, also of Pinsent Masons, said the approach the ICO had taken in the BA case, as well as in the case of the Marriott data breach, had been controversial and that the outcomes would be of interest to all businesses given the heightened cyber risk they face.

Edwards said: "The reduction in the fine is certainly interesting from a number of angles with BA challenging the way the ICO originally calculated the figures, the way the ICO had interpreted its enforcement powers, how the fine compared to other fines issues by European supervisory authorities where lower amounts were imposed for bigger breaches, and the assessment of the level of actual harm caused. Whilst the ICO strongly defended its original assessment, actions and processes, it seems that making a challenge to an ICO enforcement notice or notice of intent is certainly commercially worthwhile."

"Clearly there will be interest in the future of the Marriott penalty which is still pending and should this, as expected, be significantly reduced from the original estimate of £99 million then the question is whether we have a pragmatic regulator ready to listen and apply penalties which act as a proportionate deterrent or whether the ICO will capitulate from original proposed penalties that cannot be justified," she said.

In its monetary penalty notice, the ICO explained that it had dropped initial plans to impose a fine on BA over a failure to implement data protection by design and default, which is a requirement enshrined in Article 25 of the GDPR.

BA had challenged the plans on the basis that its systems for data processing had been designed prior to the GDPR taking effect. However, while the ICO rejected the basis of BA's argument, and stressed that Article 25 "'applies at the time of the processing itself' as well as at the point at which the system is designed", it decided only to make findings of infringement in relation to data security obligations under Article 5(f) and Article 32 of the GDPR.

The ICO said it was "satisfied that BA failed to put in place appropriate technical or organisational measures to protect the personal data being processed on its systems, as required by the GDPR".

According to the ICO, the attacker had gained initial access to BA's network using compromised credentials of a user within a third party supplier who was accessing the BA network remotely. The attacker was then able to "breakout" from the remote access systems into the wider network BA operated, despite the availability of guidance which, if followed, could have minimised this risk, the authority said.

Customers' names, addresses, payment card numbers and 'CVV' security numbers were among the details compromised in the attack. The ICO said BA appeared to have breached requirements of payment card information data security standards (PCI DSS) in relation to its storage of payment card data.

"It is noteworthy that one of the preventative actions that the ICO noted that BA might have undertaken was 'rigorous testing, in the form of simulating a cyber-attack, on the business’ systems'," said McIlwaine. "This reinforces the need for businesses to prepare a written cyber-response, and to practise that response by way of a desktop exercise or otherwise."

McIlwaine said the ICO had applied its regulatory action policy strictly in considering the penalty to impose on BA for its failings.

After considering the representations made by BA, the ICO revised its proposed fine down from £183.39m to £30m and then applied an additional £10m of discounts. Of this figure, £6m, or 20% of the proposed new base fine, reflected the ICO's account for mitigating factors, which included the company's cooperation with its investigation, the action it took in the aftermath of the breach to promptly notify the data subjects affected and minimise any damage stemming from the breach. The remaining £4m discount was awarded in response to BA's claims of "financial hardship" arising from the impact the Covid-19 pandemic has had on its business.

UK information commissioner Elizabeth Denham said: "People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date."

"When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security," she said.