British Airways receive £20million fine for data breach

The ICO has fined British Airways (“BA”) £20million following a data security breach in 2018.

Background 

In July 2019, the ICO notified BA of its intention to issue it with a £183.39million fine. This followed a data security breach between 22 June 2018 and 5 September 2018. Hackers diverted user traffic to British Airways’ website and mobile app to a fraudulent site. On this false site, attackers harvested customers’ information. The attack compromised the data of around 429,612 people, including:

• Names, addresses, payment card numbers and CVV numbers of 244,000 BA customers
• The combined card and CVV numbers of 77,000 customers
• Card numbers only for 108,000 customers
• Usernames and passwords of BA employee and administrator accounts and
• Usernames and PINs of up to 612 BA Executive Club accounts

Fine

After receiving written representations from BA, the ICO finalised its fine. It fined BA £20million, finding its data security measures inadequate. It suggested BA should have taken the following measures to mitigate or prevent the risk of an attacker being able to access the BA network:

• Limiting access to applications, data and tools to those required to fulfil a user’s role
• Undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems and
• Protecting employee and third-party accounts with multi-factor authentication

The ICO noted BA’s security measures have improved significantly since the attack.

The ICO considered both representations from BA and the economic impact of Covid-19 before finalising the penalty.

Comment

This is the ICO’s biggest fine to date. However, it is significantly lower than the initial proposed fine. BA cooperated with the ICO in the investigations and notified the ICO promptly upon discovering the security breach. However, this was not enough to escape a penalty. £20million reflects the importance of customer data and the need to safeguard it properly. 

The day after the notice of intent to British Airways, the ICO had proposed a £99.2million fine to Marriott Group. We now wait to see if this fine will be similarly reduced.