A soft landing? The ICO issues a much reduced fine for the British Airways data breach

The Information Commissioner’s Office (ICO) announced last week that it has issued its long-awaited fine against British Airways plc (BA) for BA’s data breach following a significant cyber-attack in 2018. While the fine of £20m is the largest penalty ever issued by the ICO for infringements of the General Data Protection Regulation (GDPR), it represents a mere fraction of the original fine proposed by the ICO in 2019 of £183.39m.

What happened in 2018?  

In September 2018, BA became aware of a cyber-security incident and subsequently notified the ICO. It emerged that a fraudulent website had been created which diverted users from the BA website and captured the data they entered. The fraudulent website had been operational for around two months before an external security researcher alerted BA to the breach. In total, roughly 429,000 customers were affected, and the stolen data included login, payment card, travel and booking details, as well as names and addresses.

As part of its findings, the ICO commented that it was unclear if or when BA would have identified the attack but for the external security researcher. The ICO considered this a severe failing, both because of the number of individuals affected and because the impact on customers could have been even more significant had the attack continued undetected.

ICO investigators found that BA had processed significant amounts of sensitive data without adequate security measures in place. In its findings, the ICO stressed that BA ought to have identified the security vulnerabilities and resolved them using readily available measures such as multi-factor authentication. The investigation concluded that resolving these security issues would have prevented this type of cyber-attack.

Why was the fine lowered?

The ICO issued its notice of intent to fine last year, setting out the reasoning for the proposed £183.39m fine. In response to the notice, BA made a number of arguments and representations. For example, BA challenged how the penalty was calculated, argued that the proposed fine was high in the context of other fines issued by European regulators and questioned both the assessment of the level of actual harm caused by the breach and the ICO’s interpretation of its enforcement powers.

It is particularly interesting to note that the largest reduction in the fine appears to have resulted from the ICO reversing its decision to calculate the fine using the turnover-based ‘bands’ set out in its internal procedure, which BA argued had no statutory basis.

Earlier this month the ICO launched a public consultation, titled "Statutory guidance on our regulation policy", involving proposals that the starting point for all fine calculations should be turnover-based. Once the guidance is adopted, it is possible that the ICO could impose similar fines to those originally envisaged in connection with the BA data breach.

The ICO also took into account a number of mitigating factors which played a major part in reducing the fine. These included BA’s prompt reporting of the data breach to the relevant authorities and data subjects, its full cooperation with regulatory and governmental bodies and its efforts to mitigate harm to affected data subjects (including offering to reimburse financial loss and providing free credit monitoring). The ICO further noted that BA had made considerable improvements to its security since the breach and also took into consideration the economic effect of the Covid-19 pandemic on the airline industry, leading to a further reduction of £4m. 

What can we learn?

The penalty notice includes a number of helpful points for organisations to assess and improve their own security practices. In BA’s case, possible mitigation measures would have been:  

  • limiting user access to only the applications, data and tools required for the relevant user role;
  • carrying out rigorous testing of the business’ systems by simulating a cyber-attack; and/or
  • protecting employee and third party accounts with multi-factor authentication.

The ICO noted that none of these measures would have entailed excessive cost or technical barriers; indeed, some were available as standard features of the Microsoft operating system used by BA.

The initial access to BA’s network was gained using the compromised credentials of an employee of a third-party supplier to BA, who was accessing BA’s network remotely. An attack that reaches a target through one of its suppliers in this way is known as a “supply chain attack”, and it is the third measure listed above (multi-factor authentication on employee and third-party accounts) that most directly addresses it: a stolen password alone would not have been enough to log in.

Guidance exists on the steps organisations should take to mitigate this kind of attack: the Centre for the Protection of National Infrastructure’s 2015 Good Practice Guide, “Mitigating Security Risk in the National Infrastructure Supply Chain”, which has been supplemented by more recent supply chain security advice published by the National Cyber Security Centre in January 2018.

The ICO also said that organisations should have a Security Risk Implementation Plan in place to mitigate risk from third parties in supply chains, which would include:

  • risk scoring contracts to link in with existing risk assessments;
  • due diligence, accreditation, assurance of existing suppliers and the adoption, through contracts, of proportionate and appropriate measures designed to mitigate risk;
  • audit arrangements and compliance monitoring;
  • comprehensive mapping of all tiers of upstream and downstream supply chains to the level of individual contracts; and
  • contract exit arrangements.

While many at BA may be breathing a sigh of relief, organisations should remember that future fines calculated on the basis of the new statutory guidance (if adopted) may not result in such a lenient decision.

Finally, as with any data breach, the financial implications extend beyond regulatory fines, as affected data subjects may bring claims. This means that ultimately the true cost to BA of the events in 2018 is still to be determined.
