The fine against British Airways for GDPR failings has been reduced to £20m from the £183m proposed in the original notice of intent to fine issued last July.
An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place, leading to a cyber-attack during 2018, which it did not detect for more than two months. It said the amount of the fine (£20m) was set after considering both representations from BA and the economic impact of COVID-19 on the business.
The ICO also said that, because the breach happened in June 2018, before the UK left the EU, it investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.
According to the penalty notice, a proposed penalty of £183.39m was issued on July 4 2019, with an extension till March 21 2020 agreed in December. On April 3 2020, the ICO wrote to BA requesting information regarding the impact of COVID-19 on its financial position, and having considered BA’s representations, both BA and the ICO “agreed to a series of further extensions of the statutory deadline to 30 September”.
Rachel Aldighieri, managing director of the Data & Marketing Association (DMA), said: “Brexit and coronavirus have put businesses under immense financial strain and a fine of this magnitude will get the attention of board members of organizations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO.
“This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.”
In the attack, an attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
The ICO said that since the attack BA has made considerable improvements to its IT security. Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
Piers Wilson, head of product management at Huntsman Security, said: “Whether this was a result of clever bargaining by BA, the investigation process uncovering mitigating factors, an acknowledgement of the ravages of COVID-19 on the airline industry or the ICO deliberately setting a high initial target with a more realistic goal in mind, it could give the message that fines will not be as severe as businesses and some in the security and privacy industry expect.”
Vanessa Barnett, commercial and IP partner at Keystone Law, added: “In the grand scheme of things, it’s important that the punishment fits the wrongdoing: whilst the GDPR certainly has teeth and can really bite quite hard, it’s great to see the ICO continuing with its attitude of proportionality that existed pre-GDPR. Don’t forget that before GDPR the statutory limit was £500,000.
“£500,000 to £20m is a big jump and will still very much focus the (compliance) minds! The ICO may have felt some moral pressure not to whack BA even more in the midst of a global pandemic which is affecting it hugely and luckily, its enforcement framework allows that.”