British Airways Fined €22m by ICO for GDPR Breach Impacting Over 400,000 Customers

In the United Kingdom a €22m (£20m) fine has been sanctioned against British Airways in relation to a breach of the European Union’s General Data Protection Regulation (GDPR) that impacted the personal and financial details of over 400,000 individuals.

The Information Commissioner’s Office (ICO) in the UK began an investigation when the breach was first discovered and, as reported here, it was estimated that the fine could have been higher than €200m if the data protection authority applied the highest level penalty of 4% of the previous year’s global revenue earned by the airline. However, having considered representations from BA and the economic impact of COVID-19 it is believed that the lower level of penalty was settled upon.

The results of the investigation that followed discovery of the breach revealed that British Airways did not have the required security measures in place for the massive amounts of personal data it was processing for customers. As a result, a cyber attack went unnoticed for two months during 2018. ICO investigators ruled that the airline should have spotted, and addressed, the vulnerabilities before the cyber attack took place. This, they said, would have meant that there was no breach and the private data of BA customers would have remained safe at all times.

In relation to the penalty being sanctioned, Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

She continued: “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

The breach occurred when cybercriminals redirected BA customers away from the official British Airways website. Customers were then presented with a fraudulent web page that included malware and tracking cookies, through which the private data entered in their browsers was illegally obtained. The hackers are thought to have had access to the private data of around 429,612 BA customers and staff. The breached data included names, addresses, payment card numbers and CVV numbers. Additionally, there was access to the combined card and CVV numbers of 77,000 customers and to card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.

When the breach was first revealed, British Airways apologized. BA chairperson Alex Cruz issued a statement that said: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”