One of the biggest data breaches in UK corporate history was closed by regulators with a whimper, not a bang. Today the Information Commissioner’s Office announced that British Airways will be fined £20 million ($25.8 million) for a data breach in which the personal information of more than 400,000 customers was leaked, after BA suffered a two-month cyber attack and had insufficient security in place to detect it and defend against it. The original plan was to fine BA nearly £184 million, but that figure was reduced in light of the economic impact BA (like other airlines) has faced as a result of COVID-19, the work BA had been doing to address the issue, and what the ICO learned about the nature of the attack in a further investigation.
Despite the reduced fine, the ICO sticks to its original conclusions:
“People have entrusted their personal information to BA and BA has failed to take reasonable steps to protect that information,” Information Commissioner Elizabeth Denham said in a statement. “Your inaction was unacceptable and affected hundreds of thousands of people, which may have created some fear and distress. Because of this, we fined BA £20 million – our largest to date. When companies make bad decisions about people’s personal information, it can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
BA responded with its own statement, saying that it had cooperated with the investigation and acknowledging the reduced fine.
“We informed customers when we learned of the criminal attack on our systems in 2018 and we regret that we did not meet our customers’ expectations,” a spokesman told TechCrunch. “We are pleased that the ICO recognizes that we have significantly improved the security of our systems since the attack and that we fully cooperated with the investigation.”
From what we understand, about £150 million of the reduction came after the ICO broke down the events leading up to the attack and found BA less culpable than originally assessed; a further £6 million was cut on the basis of BA’s representations, and another £4 million was cut under the ICO’s COVID-19 policy, reflecting the impact of the coronavirus pandemic on BA’s business.
This move underscores the impact of the coronavirus pandemic on regulation. In some cases, we’ve seen regulators try to respond to cases more quickly in order to address issues that could affect business growth, and even set aside some previous reservations to green-light activities, as in the case of e-scooters.
But in the case of the BA fine, we see the other side of the COVID-19 impact: regulators have taken a less harsh line on fines when the company in question is already in trouble. This could blunt the effect of the penalty and also set a precedent for how regulators respond to future cases of security and privacy neglect.
The original proposal to fine BA £184 million represented 1.5% of BA’s 2018 calendar-year revenue and was set in 2019. That was, of course, before the outbreak of the coronavirus pandemic that halted global travel and brought many airlines to their knees. Ironically, the original order came with a lot of classic bureaucratic process, which in this case worked in BA’s favor, as it included, in addition to BA’s own arguments, an assessment of the company’s position in the current market.
“In June 2019, the ICO issued a notification of the intention to impose a fine,” stated the ICO in its statement on the reduced fine. “As part of the regulatory process, the ICO considered both BA’s representations and the economic impact of COVID-19 on their business before determining a final penalty.”
Although the fine was lower, the main facts of the investigation remained the same: The ICO found that BA had “security weaknesses” that could have been prevented with security systems – procedures and software – available at the time.
As a result, data from 429,612 customers and employees was leaked, including “names, addresses, payment card numbers and CVV numbers of 244,000 BA customers,” the ICO said, adding that the combined card and CVV numbers of 77,000 customers and the card numbers only of 108,000 customers were also considered part of the breach, as were the usernames and passwords of BA employee and administrator accounts and the usernames and PINs of up to 612 BA Executive Club accounts (the last two, it seems, were also not fully verified).
In addition, BA itself never detected the attack, the ICO said: it was informed of the breach by a third party.
The ICO said its action was approved by other data protection authorities in the European Union: the attack took place while the UK was still in the EU, so the ICO carried out the investigation on behalf of the EU authorities.
For its part, BA, which belongs to the International Airlines Group (formed through mega-mergers and also including Iberia, Aer Lingus, Vueling and other brands and operators), has been investing in the security of its systems. It also offered “concerned customers” a 12-month membership in a credit-checking and monitoring service.
In recent years, there have been a number of data breaches in the travel and hospitality sector, affecting not only other airlines (e.g. easyJet, whose breach last May hit 9 million records; and Cathay Pacific, which earlier this year was fined only £500,000 for a security breach affecting 9.5 million customers worldwide, including around 111,000 in the UK), but also hotels, with the largest being a Marriott phishing attack affecting an estimated 500 million people.
Updated with more details on the fine and a comment from BA.