ICO fines British Airways £20 million
22nd October 2020 - Published by Kuits commercial team
British Airways data breach
On 16 October 2020, the ICO issued its long-awaited penalty notice relating to the British Airways (BA) data breach that took place in August/September 2018, confirming its decision to fine BA £20 million (significantly reduced from the £183.39 million it had initially intended to impose).
Brief background to the data breach
The well-publicised data breach, caused by inadequate security measures, affected 429,612 individuals and led to the compromise of their names, addresses, payment card numbers and CVV numbers. The penalty notice provides a detailed account of the events that took place, which can be briefly summarised as follows:
- An attacker obtained the remote login credentials of an employee of a BA subcontractor and used them to gain access to BA's remote access environment;
- The attacker was able to "break out" of that remote environment and move into the wider BA network;
- The attacker was then able to modify BA's website so that the payment card details entered by customers were sent to a third-party (non-BA) site under the attacker's control, from which the attacker could harvest the card numbers.
BA only became aware that this attack had taken place when it was notified by a third party.
The ICO’s decision
The ICO was very clear in its decision that, notwithstanding the fact that BA had carried out an extensive data protection compliance project, the security measures it had in place to protect personal data were inadequate.
The decision also sets out the security measures BA could and should have taken to prevent this breach. This guidance will be helpful to all businesses, particularly while home working brings additional security risks. The measures include:
- Carrying out risk assessments in respect of the additional risks posed by home working;
- Segregating systems and limiting user access so that users can reach only those parts of a system they actually need;
- Penetration testing; and
- Multi-factor authentication (particularly for users with system administrator rights).
The level of the fine
The substantial reduction in the fine from the amount originally intended appears to be due to the further detailed representations BA made following the ICO's notice of intention; of the total reduction, only £4 million was attributed to the impact of the COVID-19 pandemic.
In the coming months, it will be interesting to see the ICO's final penalty notices in respect of other high-profile breaches, including the Marriott case, and whether these also include substantial reductions in the proposed fines. In the meantime, BA remains subject to a number of group actions in respect of the breach which, taken together, could prove more costly than the ICO fine itself.
Get in touch with a commercial solicitor in Manchester
If you would like advice on how to make sure your business complies with ICO guidance, please contact associate Rebecca Bainbridge on 0161 838 7986 or email firstname.lastname@example.org