British Airways hit with £20 million fine for 2018 data breach

Monday 19 October 2020

British Airways has been fined £20 million by the Information Commissioner’s Office (“ICO”) – the biggest confirmed fine to date – as a result of its failure to protect the personal and financial details of more than 400,000 customers in accordance with the General Data Protection Regulation (“GDPR”).

The amount of the fine has been significantly reduced since the ICO released its notice of intention to fine British Airways £183.39 million in July 2019, and it is understood that this is as a result of British Airways’ representations and the economic impact of COVID-19 on the business.

In June 2018, British Airways suffered a cyber-attack which led to the personal data of approximately 429,612 customers and staff being unlawfully accessed by the attacker, including names, addresses, payment card numbers and CVV numbers of customers, and usernames and passwords of employee and administrator accounts (see our previous commentary on the breach here). British Airways did not detect the attack itself; it became aware of the breach only when notified by a third party more than two months later.

The ICO investigation found that British Airways was processing a significant amount of customer and employee personal data without adequate security measures in place. The lack of security measures was in breach of the GDPR and UK data protection legislation, and the weaknesses in the system enabled the cyber-attack to take place. ICO investigators found that British Airways ought to have identified the weaknesses in its security and resolved them with security measures that were available at the time, and concluded that “[a]ddressing these security issues would have prevented the 2018 cyber-attack being carried out in this way”.

Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

This £20 million fine, whilst not quite the anticipated £183.39 million, is the biggest penalty handed out by the ICO so far. It shows that the ICO is prepared to take action against businesses for non-compliance with data protection legislation, and underlines the need for businesses to take steps to prevent and mitigate the risk of cyber-attack. Businesses should take note and ensure that their cybersecurity and review processes are up-to-date, effective in practice and regularly tested. Cybersecurity and data protection training should be rolled out to all staff, and the monitoring and security of IT network systems should be a top priority.

If you have any questions or require any assistance in relation to data protection matters, please get in touch with a member of our Commercial team.
