ICO Fines British Airways £20 million for Data Breach

Following a major data breach, which affected 400,000 customers, the Information Commissioner's Office (ICO) has imposed a fine of £20 million on British Airways (BA). This is one of the highest fines recorded in the United Kingdom to date for a data breach.

The ICO announced in the summer of 2019 that it intended to impose a much higher fine, set at £183.39. However, in light of the economic circumstances caused by the pandemic, and the representations made by BA about the ongoing damage to its business, it became clear over time that the final fine would be much lower than originally intended.

What are the facts of the case?

The case involves a cyber breach in which an attacker accessed the personal data of 429,612 customers. Vast amounts of personal data about staff and customers were harvested, including the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Usernames and passwords for BA employee and administrator accounts, as well as usernames and PINs for up to 612 BA Executive Club accounts, were also potentially accessed.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place.

BA failed to report the incident to the ICO for over two months; the breach was eventually identified by a third party and reported to the ICO in September 2018. The attack involved, in part, diverting website traffic to a fraudulent site.

Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Lessons learned

Although the penalty was significantly less than the fine originally proposed, this case still serves as an important lesson in the need to keep data safe. It demonstrates that the ICO will intervene, even in the current economic circumstances, when adequate systems are not in place to protect personal data.

Some takeaway points are that organisations need to have top-level organisational and technical measures in place and do all that they can to prevent data breaches. They must also have a clear strategy and adequate tools in place to respond quickly to incidents such as this, as the lengthy delay in reporting, combined with the fact that notification came from a third party, evidently affected BA’s culpability and the fine imposed.