Airline slapped with record penalty by ICO – albeit one that is grossly reduced on the regulator’s original intention
Credit: MI News/NurPhoto/PA Images
The Information Commissioner’s Office has fined British Airways £20m for breaching data-protection law.
Although the penalty is by far the biggest imposed in the UK since the introduction of the EU General Data Protection Regulation in 2018, it is vastly reduced from the £183m that the ICO announced in June 2019 that it intended to levy.
The firm expressed its disappointment in the decision at the time, and announced that it would appeal. Having completed this process, the regulator said that it had “considered both representations from BA and the economic impact of Covid-19 on their business before setting a final penalty”.
The punishment relates to a cyberattack in which some visitors to the British Airways website were instead diverted to a site perpetrating fraud. Attackers were able to access the names, addresses, and payment card details – including CVV numbers – of 244,000 BA customers.
A further 185,000 customers and staff saw their data compromised to some extent, including the breach of “usernames and passwords of BA employee and administrator accounts”.
The attack began on 22 June 2018 and went undetected for more than two months. When it was finally spotted, on 5 September, it was a third party that alerted the airline – which then notified the data watchdog.
“It is not clear whether or when BA would have identified the attack themselves,” the regulator said. “This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”
Before the attack took place, the ICO’s investigatory team found that “BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time”.
Such measures – which, according to the regulator, could have prevented the attack from ever having taken place – include limiting the use of data and systems based on employees’ roles, better testing and simulation exercises, and the use of multi-factor authentication.
“None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft operating system used by BA,” the ICO said. “Since the attack, BA has made considerable improvements to its IT security.”
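To make the first and third of those measures concrete, here is an added illustration (not code from the ICO, BA or this article) of a deny-by-default, role-based authorisation check that also requires step-up multi-factor authentication before any sensitive permission is exercised. The role names, permission strings, users and audit format are constructed for the example; the pattern is what matters: a user only reaches card data if a role explicitly grants it and the session has completed MFA, and every decision is recorded so that an access review can later ask who could reach what.

```python
"""Added example: role-based access control with step-up MFA.

Roles, permissions and users below are constructed for illustration and
are not taken from any real airline system.
"""
from __future__ import annotations

from dataclasses import dataclass

# Permissions each role holds (constructed; hypothetical names).
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "call_centre_agent": {"booking:read", "booking:update"},
    "payments_analyst": {"booking:read", "card:read_masked"},
    "payments_admin": {"booking:read", "card:read_full", "card:export"},
    "sysadmin": {"server:login", "server:configure"},
}

# Permissions that expose full card data or admin controls need a
# session that has completed multi-factor authentication.
MFA_REQUIRED: set[str] = {
    "card:read_full", "card:export", "server:login", "server:configure",
}


@dataclass
class Session:
    user: str
    roles: set[str]
    mfa_verified: bool = False  # set True only after a second factor passes


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list[str] = []


def permissions_for(session: Session) -> set[str]:
    """Union of the permissions granted by every role on the session."""
    perms: set[str] = set()
    for role in session.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(session: Session, permission: str) -> Decision:
    """Deny by default: grant only if a role carries the permission and,
    for sensitive permissions, the session has completed MFA."""
    if permission not in permissions_for(session):
        decision = Decision(False, f"no role grants {permission}")
    elif permission in MFA_REQUIRED and not session.mfa_verified:
        decision = Decision(False, "mfa required")
    else:
        decision = Decision(True, "granted")
    verdict = "ALLOW" if decision.allowed else "DENY"
    AUDIT_LOG.append(f"{session.user} {permission} -> {verdict} ({decision.reason})")
    return decision


def who_can(permission: str) -> set[str]:
    """Access-review helper: which roles are able to exercise a permission."""
    return {role for role, perms in ROLE_PERMISSIONS.items() if permission in perms}


if __name__ == "__main__":
    agent = Session("alice", {"call_centre_agent"})
    admin = Session("bob", {"payments_admin"})
    print(authorize(agent, "card:read_full"))   # denied: role lacks it
    print(authorize(admin, "card:read_full"))   # denied: MFA not done
    admin.mfa_verified = True
    print(authorize(admin, "card:read_full"))   # granted
    print("roles that can export card data:", who_can("card:export"))
    print("\n".join(AUDIT_LOG))
```

The audit log is the piece that addresses the detection gap the ICO also criticised: a denied attempt to read full card data by an account that has no business reaching it is exactly the kind of event worth alerting on, rather than discovering months later from a third party.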
According to information commissioner Elizabeth Denham, BA’s failures of prevention and detection were deserving of the biggest financial penalty ever issued by the regulator.
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” she said. “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
Although £20m is a fortyfold increase on the maximum penalties of £500,000 that were available to the ICO before May 2018, it is still a long way short of the amount it could have chosen to fine the airline.
GDPR, and the UK Data Protection Act that has replaced it now that the UK has left the European Union, allows for penalties of €20m or 4% of the global turnover of the organisation in question – whichever figure is the larger.
In BA’s case, this would have equated to a sum of more than £500m.