08 July, 2019
British Airways (BA) has been issued a notice by the Information Commissioner's Office (ICO) regarding its intention to fine the airline £183.39 million for violation of the General Data Protection Regulation (EU) 2016/679 (the GDPR).
What did they do wrong?
The violation in question relates to a cyber-attack suffered by BA starting in June 2018. By September 2018, the airline informed the ICO that it had become aware that customer and user traffic from its own website had been fraudulently diverted to a fake site set up by the attackers. Through this method, around 500,000 customer details were breached, including payment information, names, addresses and travel details.
After a significant investigation, the ICO has reported in their findings that BA's poor security procedures directly led to the breach being able to occur. BA has stated that it cooperated with the ICO investigation, implementing numerous changes and improvements to its security systems in response to the attack.
Why is the fine so high?
The total fine of £183,390,000 equates to 1.5% of BA's global turnover for the year ending 31 December 2017. This falls short of the maximum fine that the ICO could have issued, 4% of global turnover, however the scale of the fine should be seen as reflective of not only the size of BA itself, but the magnitude of the failings found by the ICO.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
This proposed fine is clear evidence of the ICO flexing its new powers under the GDPR, with it now able to levy fines far higher than the previous £500,000 cap. With that in mind, it is important to remember that the majority of organisations handling personal data would face fines far lower for breaching data protection regulations. As stated above, fines are relative to the size of the organisation and the scale of the breach (number of individuals involved, types of data breached etc.) therefore this news should not cause undue distress for those looking to ensure their GDPR compliance.
Appeals and class actions
In response to the ICO notice the chief executive of BA parent organisation the International Airlines Group (IAG), Willie Walsh, stated the airline would discuss the decision with the ICO and potentially lodge an appeal. The ICO itself has confirmed that it will consider carefully BA's representations, as well as representations from other concerned data protection authorities before it takes its final decision.
There remains the chance that a class action may be pursued by the victims of the attack themselves against BA, however the airline is adamant that no fraud or fraudulent activity has been linked to the affected accounts as a result of the breach.
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.