The Information Commissioner’s Office (the ICO) today issued notice of its intention to serve a penalty notice (a fine) on British Airways (BA). The ICO intend to fine BA £183.39 million following last year’s personal data breach where “a variety of information was compromised by poor security arrangements” which led to log-in, payment card and travel booking details as well as name and address information of 429,000 online customers being exposed.
Why a Notice of Intention?
Why has the ICO said that it “intends” to issue this fine, rather than simply go ahead and issue it?
Under the UK’s Data Protection Act 2018, the ICO is required to provide a notice of intention, giving the details of the proposed fine and the circumstances as to why the ICO seeks to issue it (in this case BA’s personal data breach).
So, BA have not been fined – well, not yet.
BA now has a minimum of 21 days to make written representations to the ICO on the proposed fine. All information at present would point to BA making such representations, with IAG Group (BA’s holding company) chief executive Willie Walsh stating they would “vigorously” defend BA’s position, including making any appeals.
It won’t, however, just be BA making those representations. As the personal data breach was not limited to the UK, other European data protection authorities have an interest (under the One Stop Shop mechanism) and can also comment on the ICO’s investigation.
What does the fine relate to?
The proposed fine follows a cyber security incident that BA notified to the ICO in September 2018. In simple terms, users of the BA website were diverted to a fraudulent website, which harvested the data of around 429,000 customers. A number of our readers were caught up in the incident, including the author of this update.
What did the ICO investigation find?
Following BA’s notification, the ICO, as lead supervisory authority, carried out an investigation into the incident. The ICO said the incident is thought to have begun in June 2018, when the fake website is believed to have become operational. The stolen data relates to the personal and financial data of customers who booked directly with BA over a two-week period in August/early September. The data stolen through the fraudulent website includes payment card information such as the card number, expiry date and CVV. BA also believes those who made bookings through its Avios scheme between April 2018 and July 2018 could be at risk.
The ICO investigation uncovered that BA had “poor security arrangements at the company”, and consequently a variety of customer information was exposed. Elizabeth Denham emphasised the personal nature of the breach, given that it was the personal data of customers. Denham stated, “That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
In September 2018, BA chief executive Alex Cruz said it was a “sophisticated, malicious criminal attack” (although no mention of this is made on the ICO’s press statement today). Whilst BA did cooperate throughout the ICO’s investigation, they have expressed their surprise and disappointment at the proposed fine. Since the incident was uncovered, BA have improved their cyber security arrangements and stated that they responded quickly and no evidence of any fraudulent activity was found on accounts that were linked to the incident. For those caught up in the incident, BA offered to reimburse its customers for financial loss suffered and to provide access to a credit checking service.
BA can now make representations to the ICO regarding the investigation’s findings and the proposed fine. The ICO will consider both BA’s representations and those of other data protection authorities before the final decision is issued.
With shares in IAG (BA’s holding company) dropping 1% this morning, BA will be hoping that its representations will be heard and the penalty notice reduced.*
The proposed fine
The fine of £183.39 million is the largest penalty ever issued by the ICO and is the first UK GDPR fine. The penalty amounts to 1.5% of BA’s worldwide annual turnover in 2017, less than the maximum penalty of 4%. Before this, the largest fine issued by the ICO was the £500,000 fine Facebook received following the Cambridge Analytica scandal (under the old data protection regime). BA’s total revenue for 2017 was £12.2 billion, meaning the maximum fine under GDPR that the ICO could have imposed was £488 million. To put the fine into perspective for BA, it is around £4 for each passenger who is likely to fly with BA in 2019.
When the fine is issued, BA will have the right to appeal the decision to the Information Tribunal where the fine can be reduced or even removed.
What can we do?
If you don’t need to collect personal data – then don’t. Unfortunately, most businesses do have to collect personal data and it is clear that good security arrangements will play a critical role in personal data breach prevention.
One of the fundamental principles of the GDPR is the security principle: organisations are required to ensure appropriate security of the personal data they hold.
Organisations need to know what data they hold and where; without that, they cannot identify their risks. Only once you know what data you hold and where can you apply appropriate controls and measures to mitigate those risks. Robust policies and procedures (backed by training) that restrict access, and that ensure your control measures are consistently applied and tested across your organisation, provide the basis on which to build your data security compliance framework.
Throughout this investigation, the ICO has made it clear that it will not tolerate poor security procedures. The ICO has demonstrated that it will impose substantially larger fines under GDPR on companies that have experienced data breaches, especially breaches that could have been prevented by simple steps such as improved security measures.