More than two years after British Airways disclosed a data breach affecting 500,000 customers, the ICO (Information Commissioner’s Office) has confirmed that the airline will receive a £20 million fine.
That’s substantially less than the £183.4 million penalty that the ICO announced its intention to impose in July 2019, but it’s still the largest fine the ICO has ever issued for a GDPR (General Data Protection Regulation) violation.
Why was the fine reduced?
Few details emerged when the breach was originally disclosed in September 2018, with British Airways simply stating that it had been subject to a “sophisticated, malicious criminal attack” that compromised the personal and financial details of visitors to its website and mobile app.
A cyber security firm claimed that criminal hackers had injected malicious code into British Airways’ website, diverting traffic to a fraudulent replica.
This would mean that customers were handing their information to fraudsters as they entered their login details, payment card information, address and travel booking information into the bogus site.
The ICO’s investigation confirmed this and also found that the breach was more extensive than British Airways had thought.
The incident began in June 2018, rather than late August, as the airline had claimed, which meant that the estimate of 380,000 affected customers was at least 100,000 short of the actual figure.
The ICO also found that the airline had not put in place appropriate security measures for the personal data it processed, as the GDPR requires (the final penalty notice relies on the security obligations in Articles 5(1)(f) and 32) – hence the proposed £183.4 million fine.
This represented 1.5% of British Airways’ 2017 annual turnover, which many still considered lenient at the time, given that the GDPR gives regulators the authority to issue fines of up to 4% of annual global turnover.
However, after reviewing representations from British Airways and taking account of the economic damage caused by COVID-19, the ICO reduced the penalty by almost 90%.
A landmark GDPR case
British Airways can consider itself very fortunate to be paying a fraction of the original fine, but the finalised penalty shouldn’t be considered a slap on the wrist.
Consider that the ICO’s previous record penalty was the £500,000 fine handed out to Facebook (assuming that Marriott International, which was notified last year that the ICO intended to fine it £99 million, is afforded similar leniency).
At the time, that was the maximum fine that the ICO could issue under the Data Protection Act 1998 – so even a £20 million fine demonstrates a major increase in enforcement powers.
That’s not to say the aim of the GDPR is to cripple organisations financially. That would only make things worse: regulators want organisations to invest in information security, and if they have to fork out huge sums in penalties, they’ll have less to spend on defence mechanisms.
However, fines must be big enough to act as a deterrent, and with the GDPR that’s finally the case for everybody.
After all, it’s not just huge corporations that need to worry; every organisation faces cyber security risks and the majority of incidents that the ICO investigates relate to SMEs.
Now that GDPR fines are being finalised, a steady stream will follow. They won’t all be as astronomical as the British Airways one, but they will all be significant relative to the organisation’s size.
If you still doubted that the GDPR is something you need to worry about, this is the time to face the facts.
Data protection and privacy have become crucial issues in modern business, and organisations must address them if they are to avoid data breaches and unhappy customers.
A version of this blog was originally published on 9 July 2019.