The Information Commissioner’s Office (ICO) has fined British Airways £20 million for “failing to protect the personal and financial details of more than 400,000 of its customers”. However, one law firm says that the fine represents a climbdown by the ICO, which had originally called for a £183 million penalty.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place, which broke data protection laws.

The airline was subject to a cyber-attack in 2018, which it did not detect for more than two months. The ICO says BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time, which would have prevented the attack being carried out in this way.

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.

Information commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,” she said.

The ICO said that since the attack, BA has made considerable improvements to its IT security.

As part of the regulatory process the ICO has considered representations from BA and the economic impact of Covid-19 on its business before setting a final penalty.

One law firm says that even though the fine is huge, it represents a significant climbdown by the ICO.

Jon Baines, data protection officer at Mishcon de Reya, said: “A £20 million fine is by far the largest ever issued by the ICO, and only the second fine issued by the ICO under the General Data Protection Regulations. However, given that the original intention was to fine BA £183 million, this may be seen as a climbdown by the ICO.”

He added: “The fact that the actual notice is 114 pages long, referring to multiple and robust arguments from BA’s lawyers, suggests there may be an appeal – and more developments to come. This is likely to cost the ICO and BA heavily in terms of legal fees, at a time when both will have a whole host of Brexit-related and Covid-related matters on their rosters.”