British Airways (BA) faces a fine of more than £183 million from the UK's data protection authority over a security lapse that exposed personal data belonging to approximately 500,000 customers to hackers last year.
In September 2018, the airline reported that it had been a victim of a cybersecurity incident that saw personal and financial details of customers compromised. At the time, BA chief executive Alex Cruz described the incident as a "sophisticated, malicious criminal attack", which impacted on customers who had made bookings and changes on its website and app.
The Information Commissioner's Office (ICO) in the UK opened an investigation into the incident. According to the ICO, the hackers diverted BA's customers to a fake website designed to look like the company's official site where their data was then captured. The ICO said it had identified "poor security arrangements at the company", although it said BA had taken steps to improve security since the breach occurred.
However, the ICO said it believes BA was responsible for breaching the General Data Protection Regulation (GDPR) and it outlined its intention to fine the company £183.39m. It would be the first major fine issued by the ICO since the GDPR took effect in May 2018.
Information commissioner Elizabeth Denham said: "People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
British Airways has the right to make representations to the ICO before the authority makes a final decision on whether to impose a fine and, if so, the level of penalty to issue. The company has said it will challenge the ICO's provisional findings.
Alex Cruz, British Airways chairman and chief executive, said: "We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."
Willie Walsh, chief executive of International Airlines Group, the parent company of BA, said: "British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals."
Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law, said big fines will be the new norm for major businesses under the GDPR. Fines of up to 4% of a business' annual global turnover or £20m, whichever is highest, can be levied by data protection authorities in the EU under the Regulation. In the case of BA, the proposed £183.39m fine would represent approximately 1.5% of the company's annual revenues, according to the BBC.
Birdsey said the ICO's proposed fine is consistent with the authority's regulatory action plan in which it has said it will take into account the public interest in pursuing enforcement to, for example, "provide an effective deterrent against future breaches".
In a statement, the ICO told Out-Law that its decision to publicise its intention to fine BA in this case followed a disclosure made to the London Stock Exchange which confirmed the authority's planned action.
Birdsey said that the case highlights the clash that exists between the rules governing public stock markets, requiring disclosure of significant events impacting shareholders, and what would be best for businesses facing regulatory action.
"It is unquestionably undesirable that details of the enforcement action facing businesses under data protection law are made public before those businesses have had an opportunity to make representations in response to the ICO's initial findings. It is not the first time that the ICO has gone public with a notice of intent. In such cases it arguably makes it harder for businesses to persuade the ICO to act in a different manner given the level of scrutiny that would apply should the ICO soften its approach in its final decision," he said.
Data protection law expert Claire Edwards of Pinsent Masons said that it will only be possible to understand the basis of the intended fine, including the specific alleged security failings and the justification for the level of penalty under Article 83 of the GDPR once any final monetary penalty notice is published by the ICO.
"It will also be interesting to see how the ICO has sought to comply with the European Data Protection Board’s guidance on setting administrative fines and, importantly, how the ICO has sought to ensure consistency in calculating the fine particularly against the background of the small number of fines which have been issued by other data protection regulators so far under the GDPR," Edwards said.
Birdsey said that the case could also bring to the fore the question of insurability of fines, and that it is also likely to be the first of a number of fines announced by the ICO under the GDPR – something that Elizabeth Denham has confirmed can be expected soon.