ICO Use GDPR To Potentially Fine British Airways £183 Million

The Information Commissioner’s Office (ICO) intends to fine British Airways (BA) £183.39 million for breaching General Data Protection Regulation (GDPR).

The fine relates to a cyber attack on the airline in September 2018 where BA’s legitimate website was directed to a fraudulent equivalent.

Once directed to the fake site, fraudsters harvested vast amounts of sensitive customer data including payment card details, log ins, names, addresses and travel booking details.

The ICO confirmed that BA had cooperated with the investigation and had already made improvements to their digital security policies following the attacks in 2018.

The airline will now have time to make representations to the ICO as to the amount they have been charged and sanctioned.

The hackers experienced the holiday of a lifetime as 380,000 payment details were stolen over a period of two weeks last year. The dates between August 21st and September 5th were identified as the main times of vulnerability.

Following an extensive internal investigation, BA announced that they had endured a second website breach, taking place months before the reported attack, which compromised more than 185,000 customers’ bank card details including card-security codes. Again, the victims were caught out by a website compromise that had gone undetected for months.

BA only found the second attack while they were investigating a breach of their website in September, which affected 380,000 transactions.

The two cyber attacks on BA meant that in excess of 565,000 customer accounts had been compromised altogether.

Investigators into the attacks firmly believed the breaches were linked and carried out by the same group or gang, with BA owner IAG claiming:

“The investigation [of the August-September breach] has shown the hackers may have stolen additional personal data.”

Elizabeth Denham, Information Commissioner, said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Whilst the proposed fine is a significant amount and will make BA consider their cyber security more in the future, a fine alone will not be an effective enough deterrent for long-term change. If avoiding a fine is the only driving force, then businesses will become adept at finding ways to avoid fines. Instead, as BA have already highlighted, remaining trusted by organisations you work with and the customers using the service is a vital consideration in creating meaningful cyber security changes. BA have cooperation with investigations and have used the findings to change their approaches to ensure they are able to promote a trusted brand.