The airline British Airways (BA) has been fined £20 million, the "biggest to date" penalty issued by the Information Commissioner's Office (ICO), for failing to protect the personal data of data subjects, a failure that resulted in a security breach.
In June 2018, a cyber-attack was carried out on the company that lay undetected for more than two months. During the attack, it is believed that details belonging to over 400,000 customers and staff were accessed. The types of personal data compromised included: names, addresses, credit/debit card details such as CVV numbers, account details such as the usernames and passwords of British Airways employees, and passenger travel information.
Due to the nature of the security breach, the ICO launched an investigation. It concluded that a significant amount of personal data was being processed without adequate security measures in place, which breached UK/EU data protection law. Specifically, it was noted that:
- Although features such as multi-factor authentication were available, they were not in place at the time of the security breach. This allowed the criminals to exploit vulnerable repositories of data.
- Access to applications, data, and tools was not limited to the minimum number of people that required it.
- More rigorous testing was needed, such as simulated cyber-attacks on the business's systems.
- There was a distinct lack of awareness of the breach. It was only noticed by a third party, who notified BA two months after the attack was carried out. It is unclear how or when BA would have recognised that the cyber-attack had taken place without this third-party contact.
On a more positive note, it was recognised that BA co-operated fully throughout the investigation and significant improvements have been implemented since the incident. Additionally, it was observed that BA communicated effectively to affected data subjects.
What can we learn from this?
The key takeaways are:
- Although it has been two years since the incident, BA were eventually punished. This shows that the ICO are being very meticulous in their approach to incidents like these. They are determined to get the decision right.
- The fine is still heavy. Although the originally proposed sum of £183 million was reduced because of the economic strain of the Covid-19 environment, the fine remains a painful consequence of BA's negligence, at a time when its profits are already being hammered by travel restrictions. This demonstrates how much importance is being placed on the safeguarding of personal data by companies, and should act as a warning sign of things to come if data subjects are not protected. By far the bigger punishment for BA is the huge amount of negative press it has received.
- The cost of implementing measures to safeguard data is insignificant compared with the staggering costs that an organisation can face for failing to adhere to the GDPR. It pays to exercise due diligence.
It’s too late for BA to change what has happened but for other companies there is still a chance to obtain GDPR Compliance Peace of Mind. Using an external organisation such as Tacita to provide an outside perspective of the organisation’s GDPR standing without the fear of receiving a fine is the perfect opportunity to highlight areas of risk before they become fully fledged security breaches.