The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for a data breach of 2018 – well below the £180m suggested last year by the UK data protection regulator.
The ICO says it found the airline was processing a significant amount of personal data without adequate security measures. This failure broke data protection law and, the regulator says, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
The ICO found that BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time. Addressing these security issues would have prevented the 2018 cyber-attack from being carried out in this way, investigators concluded.
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
Because the BA breach happened in June 2018, before the UK left the European Union, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR (EU-wide general data protection regulation). The penalty and action have been approved by the other EU DPAs.
In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process, the ICO says that it considered representations from BA and the economic impact of Covid-19 on its business before setting a final penalty (that is, one very much lower than earlier stated).
Aman Johal, lawyer and director of the consumer action law firm Your Lawyers, which is representing some of the 400,000 victims of the BA data breach, said it was concerning that the ICO made a significant climbdown from its provisional intention to fine the airline £183m. “A reduction of £163m – almost 90pc – means the final fine is a drop in the ocean for BA.
“The fact that this agreed fine is a clear admission of liability from BA now cannot be ignored. There is now no excuse for BA defending the compensation action any longer, and they must agree to compensation settlements immediately. More delays in doing the right thing serve only to further damage the BA brand following numerous scandals in recent years. The change in CEO is an opportunity for the airline to show proper leadership and get a hold of BA’s dwindling reputation. Resolving the compensation action is a key part of this.
“The ICO’s earlier record intention to fine was a landmark moment. It set the standard as a candid warning that is so desperately needed at a time when large-scale data breaches are rampant. I am concerned that such a significant climbdown undermines the GDPR and its ability to act as a credible deterrent to big business by sending the message that they can orchestrate their way out of paying substantial financial penalties. If this is to be a trend, the only real deterrent against large corporations breaching the GDPR will be the pursuit of large group action claims for compensation, like the one against British Airways.
“At Your Lawyers, we will not be climbing down and, whilst we understand the challenges faced by the aviation industry from COVID-19, our legal action is now even more significant in making sure that the airline is held to account.”
Darren Wray, co-founder and CTO at the DSAR (Data Subject Access Request) product company Guardum, said the £20m was ‘a massive turnaround for the ICO’. “Yet did the ICO really have any choice? After all, British Airways’ (along with every other airline’s) fortunes have changed significantly since the beginning of the COVID-19 pandemic. What does this mean, though, for the millions of people whose personal information (including credit card numbers) was breached back in 2018? I imagine many will feel their data and their fight to recover any financial losses resulting from the airline’s inability to keep their data safe has been somewhat marginalised.
“This can only strengthen the case of the group pursuing a class action case against British Airways. The GDPR and the UK DPA 2018 do after all allow for such action and if the regulator isn’t seen as enforcing the rules strongly enough, it leaves those whose data was lost few alternative options.”
Picture by Mark Rowe; Heathrow perimeter.