In a move that is likely to shock corporations in Europe and beyond, the Information Commissioner’s Office (ICO) has fined British Airways (BA) just over £183 million, due to a 2018 data breach in which personal data belonging to 500,000 of its customers was compromised. The move marks the first large fine handed down to a company since the General Data Protection Regulation (GDPR) took effect in May of last year and, shockingly, was less than 50% of the maximum fine that the ICO could have set for BA.
The largest fine handed down to a company in Europe prior to this was Facebook’s £500,000 fine over its role in the Cambridge Analytica scandal; however, the definition of “large” has drastically changed since then. Under pre-GDPR data protection rules, £500,000 was the maximum fine a company could receive, despite the fact that over 87 million customers’ data was exposed by Facebook. They escaped a much larger fine because the breach itself had occurred before the GDPR had come into full effect.
The Information Commissioner Elizabeth Denham has said that “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.”
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO stated that the breach at British Airways was caused by “poor security arrangements”, and made the landmark decision to fine them 1.5% of their turnover for the year, meaning that the full force of the law could have cost BA approximately £500 million instead.
Looking further into how the BA data was compromised, an article on Wired.com notes that leading analysts at RiskIQ (a cyber security company in California) suspect hackers took advantage of weaknesses in the coding of BA webpages to inject their own malicious code. This captured the payment and personal details of passengers booking flights via the web and/or the BA mobile app. RiskIQ noted “the prevalence of tiny website vulnerabilities that can quickly turn into huge exposures”.
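The attack RiskIQ describes above, injected code on the payment page that skims what customers type, is only possible if nobody notices that the page's scripts have changed. The following is an added illustration (not from the article, and not BA's or RiskIQ's tooling) of the simplest defensive check: record which external scripts and which inline script bodies a checkout page is supposed to carry, then compare each served copy against that baseline and flag anything extra. The HTML pages, the script URLs and the `.invalid` host name are constructed for this example.

```python
"""Flag scripts on a payment page that are not on the recorded baseline.

Added example (hypothetical): a change-detection check a defender can run
against a checkout page so that an injected script stands out. All HTML and
URLs below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands the raw <script> content to handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.external, parser.inline


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_page(html, allowed_src, allowed_inline_hashes):
    """Return a list of (finding, detail) pairs; empty means the page matches the baseline."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        if src not in allowed_src:
            findings.append(("unexpected-external-script", src))
    for body in inline:
        digest = sha256_hex(body)
        if digest not in allowed_inline_hashes:
            findings.append(("unexpected-inline-script", digest))
    return findings


# Constructed known-good checkout page, as recorded at deployment time.
BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed tampered copy: one extra external script and one extra inline
# script have been added; the original two scripts are unchanged.
TAMPERED_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.checkoutConfig = {currency: "GBP"};</script>
<script src="https://third-party.invalid/extra.js"></script>
<script>console.log("added after deployment");</script>
</head><body><form id="payment"></form></body></html>"""

# Baseline derived from the known-good page (in practice: stored at release
# time, not recomputed from whatever is currently being served).
_BASE_SRC, _BASE_INLINE = collect_scripts(BASELINE_HTML)
ALLOWED_SRC = set(_BASE_SRC)
ALLOWED_INLINE_HASHES = {sha256_hex(body) for body in _BASE_INLINE}


if __name__ == "__main__":
    for name, html in (("baseline", BASELINE_HTML), ("tampered", TAMPERED_HTML)):
        result = audit_page(html, ALLOWED_SRC, ALLOWED_INLINE_HASHES)
        print(name, "->", result or "OK")
```

Run against the baseline the audit returns nothing; run against the tampered copy it reports the added external URL and the hash of the added inline script. A real deployment would fetch the live page on a schedule, keep the baseline in version control alongside the release, and alert on any finding; the same allowlist is also what a `Content-Security-Policy` `script-src` directive would be built from, so that the browser refuses to load unlisted scripts in the first place.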
British Airways have said that they are “surprised and disappointed” by the ICO’s findings, with CEO Alex Cruz further stating “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
BA now has 28 days to appeal the fine, which may lead to it being reduced somewhat if they are successful. However, the message is clear: any business that deals in EU citizen data should fiercely protect it, lest they feel the full wrath of the GDPR and its vastly increased fine structure.
The GDPR was the biggest shakeup to global data protection in 20 years, affecting organisations of all sizes, prompting many of them to review their data protection policies and increase their cyber security protection.
Previously, the ICO have stated that the level of preparedness within an organisation and their response will be examined when deciding how much of a fine should be levied against them. Not having the correct security in place, from a technical and organisational stance, will be a big red flag for the ICO and other data protection authorities, and would likely lead to harsher penalties.
So what can we learn from this? For starters, company owners need to ensure their in-house developers have developer-specific security training so they know how to avoid creating these vulnerabilities when building websites. All companies that have websites which take personal and payment data (regardless of whether they have in-house or outsourced development) should have their website code tested for vulnerabilities by a website security company. Proactive security training and testing would significantly reduce any fines that companies might face should their websites be hacked.
Documentation is a crucial tenet of the GDPR, with the burden resting squarely on the organisation not only to protect their customer data and comply with the regulation, but also to have the means to prove this to the relevant data protection authority if audited or in the event of a breach.