The fine imposed on British Airways (BA) by the Information Commissioner's Office (ICO) has sent a strong message to businesses across the UK: a cyber-attack is no excuse for a data breach if you have not done enough to protect the data you hold.
British Airways was fined after a data breach affecting around 400,000 customers. An external party alerted BA to the breach in September 2018; the attack that caused it had begun in June 2018, more than two months earlier, and had gone undetected by BA in the meantime.
After the consultant raised the alarm, the ICO investigated and found BA were processing significant amounts of personal data without adequate security measures in place, one of the key principles of the
The personal data of BA customers found to have been compromised was:
- 244,000: names, addresses, payment card numbers, CVV numbers
- 77,000: card and CVV numbers
- 108,000: card numbers
The ICO announced in July 2019 that it intended to fine BA £183.39 million. In October 2020 it reduced this to £20 million, which was still the largest fine the ICO had ever imposed at that point. For comparison, the maximum penalty under the previous Data Protection Act 1998 was £500,000.
The size of the fine reflected a breach of Article 5(1)(f) of the GDPR, which requires personal data to be processed in a manner that ensures its appropriate security, using appropriate technical and organisational measures to prevent a breach or, where one occurs, to limit its effects.
BA's systems offered security features such as multi-factor authentication for logging on, but the ICO found these features had not been enabled.
The ICO also found that BA had not carried out regular simulated cyber-attacks (such as penetration testing) and had not restricted access to personal data to only those employees who needed it for their roles. Both failures added to the breach of the legislation.
The fine was reduced because of BA's cooperation with the ICO, the significant improvements BA made to its systems, and the economic impact of COVID-19, all of which the ICO took into account before settling on the final penalty.
However, this fine sends a significant message to businesses who don’t take data protection seriously – the ICO will take action to uphold data protection legislation, and businesses are responsible for their own houses.
The higher maximum penalty under the GDPR is €20 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher (£17.5 million or 4% under the UK GDPR). Even the standard maximum of €10 million or 2% of total annual worldwide turnover, whichever is higher (£8.7 million or 2% under the UK GDPR), could have a significant impact on your finances. Simply put: take data protection seriously.
Follow the legislation and make sure you are operating compliantly under the GDPR or, after Brexit, the UK GDPR and the Data Protection Act 2018. If you do not, you risk an investigation and the potential for hefty enforcement action. The ICO takes data protection extremely seriously, and you must be able to show that it is a priority for your business too.