Following an extensive investigation, the UK’s data privacy authority announced that it intends to impose its largest ever fine against airline British Airways (BA), for infringements of the General Data Protection Regulation (GDPR).

The proposed fine — 1.5 per cent of British Airways’ worldwide turnover for the financial year ended 31 December 2017 — is the highest-ever that the Information Commissioner’s Office (ICO) has leveled at a company over a data breach: the airline will have to pay £183.39 million (204 million euros) for failing to protect its customers’ data.

At the beginning of September 2018, British Airways was hit by a cyber-attack following a computer failure: the cyber-incident, as notified to the ICO, in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers: the object of the attack was the financial data of the flights between the end of August and the beginning of September, involving 380,000 credit cards. At the end of October, the company had specified that of these, 244,000 had actually been copied. The stolen information was related to the name, address, travel booking details, customer’s email address and in particular the credit card data, i.e. the number, expiration date and three-digit security code.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

“We are surprised and disappointed in this initial finding from the ICO” British Airways chairman and chief executive Alex Cruz, said in a statement to the London Stock Exchange. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. “We apologize to our customers for any inconvenience this event caused.” And Willie Walsh, International Airlines Group chief executive, said: “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities: under the GDPR ‘one stop shop’ provision, the authorities whose residents have been affected will have the chance to comment on the ICO’s findings. So before it takes its final decision, the ICO will consider carefully the representations made both by the company and the other concerned data protection authorities.

Indeed this case is one of first truly high-profile data breaches suffered by a large company since the instigation of the GDPR, therefore many organizations will be considering the kind of fine that they can expect if they were to suffer something similar – a test case for the new regulations and how they are enforced.

Author: Sergio Guida (Independent Researcher)


 

Keywords: UK Information Commissioner’s Office, privacy authority, GDPR fine, data breach, cyber-attack, theft of financial data.

Source: ICO (Information Commissioner’s Office), the UK’s independent authority set up to uphold information rights in the public interest, promoting data privacy for individuals.)