The Information Commissioner’s Office (ICO) announced last week that it has issued its long-awaited fine against British Airways plc (BA) for BA’s data breach following a significant cyber-attack in 2018. While the fine of £20m is the largest penalty ever issued by the ICO for infringements of the General Data Protection Regulation (GDPR), it represents a mere fraction of the original fine proposed by the ICO in 2019 of £183.39m.
What happened in 2018?
In September 2018, BA became aware of a cyber-security incident and subsequently notified the ICO. It emerged that a fraudulent website had been created, diverting users from the BA website and capturing data input by BA’s customers. The fraudulent website was operational for two months before BA was made aware of the breach by an external security researcher. All in all, roughly 429,000 customers were affected and stolen data included login, payment card, travel and booking details, as well as names and addresses.
As part of its findings, the ICO commented that it was unclear if or when BA would have identified the attack but for the external security researcher. This was considered to be a severe failing, both because of the number of affected individuals and because the potential impact on customers could have been even more significant.
ICO investigators found that BA had processed significant amounts of sensitive data without adequate security measures in place. In its findings, the ICO stressed that BA ought to have identified its security vulnerabilities and resolved them using available measures such as multi-factor authentication. The investigation concluded that resolving these security issues would have prevented this type of cyber-attack.
Why was the fine lowered?
The ICO issued its notice of intent to fine last year, setting out the reasoning for the proposed £183.39m fine. In response to the notice, BA made a number of arguments and representations. For example, BA challenged how the penalty was calculated, argued that the proposed fine was high in the context of other fines issued by European regulators and questioned both the assessment of the level of actual harm caused by the breach and the ICO’s interpretation of its enforcement powers.
It is particularly interesting to note that the largest reduction in the fine appears to have come from the ICO reversing its decision to calculate the fine in line with the turnover-based ‘bands’ set out in its internal procedure, which BA claimed had no statutory basis.
Earlier this month the ICO launched a public consultation, titled "Statutory guidance on our regulation policy", involving proposals that the starting point for all fine calculations should be turnover-based. Once the guidance is adopted, it is possible that the ICO could impose similar fines to those originally envisaged in connection with the BA data breach.
The ICO also took into account a number of mitigating factors which played a major part in reducing the fine. These included BA’s prompt reporting of the data breach to the relevant authorities and data subjects, its full cooperation with regulatory and governmental bodies and its efforts to mitigate harm to affected data subjects (including offering to reimburse financial loss and providing free credit monitoring). The ICO further noted that BA had made considerable improvements to its security since the breach and also took into consideration the economic effect of the Covid-19 pandemic on the airline industry, leading to a further reduction of £4m.
What can we learn?
The penalty notice includes a number of helpful points for organisations to assess and improve their own security practices. In BA’s case, possible mitigation measures would have been:
- limiting user access to only the applications, data and tools required for the relevant user role;
- carrying out rigorous testing, by simulating a cyber-attack on the business’s systems; and/or
- protecting employee and third party accounts with multi-factor authentication.
The ICO noted that none of these measures would have entailed excessive cost or technical barriers; indeed, some were available through the Microsoft operating system used by BA.
The initial access to BA’s network was gained using the compromised credentials of a representative of a third-party supplier to BA, who was accessing BA’s network remotely - a method known as a “supply chain attack”.
Guidance exists on the steps organisations should take to mitigate this kind of attack: the Centre for the Protection of National Infrastructure’s 2015 Good Practice Guide, entitled “Mitigating Security Risk in the National Infrastructure Supply Chain”, which has been supplemented by more recent advice from the National Cyber Security Council in January 2018.
The ICO also said that organisations should have a Security Risk Implementation Plan in place to mitigate risk from third parties in supply chains, which would include:
- risk scoring contracts to link in with existing risk assessments;
- due diligence, accreditation, assurance of existing suppliers and the adoption, through contracts, of proportionate and appropriate measures designed to mitigate risk;
- audit arrangements and compliance monitoring;
- comprehensive mapping of all tiers of upstream and downstream supply chains to the level of individual contracts; and
- contract exit arrangements.
While many at BA may be breathing a sigh of relief, organisations should remember that future fines calculated on the basis of the new statutory guidance (if adopted) may not result in such a lenient decision.
Finally, as with any data breach, the financial implications extend beyond regulatory fines, as affected data subjects may bring claims. This means that ultimately the true cost to BA of the events in 2018 is still to be determined.