On 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers. The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount. Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
The fine relates to a cyber-incident which took place in June 2018, but which was not discovered for some months and then only because a third party alerted BA. The attacker is understood to have accessed personal data of almost 430,000 BA staff and customers, including (variously) names, addresses, payment card numbers, CVV numbers, usernames, passwords, PINs and various BA accounts. The ICO considered the breach to be serious due to the possible financial damage that could have ensued and the large numbers of individuals who were impacted.
ICO investigators discovered that BA was processing large quantities of personal information, but had not implemented appropriate security measures. The ICO found that there were many steps that BA could have taken to minimise the risks of attackers accessing the BA network (e.g. protecting employee and third party accounts with multi-factor authentication), none of which would have been prohibitively expensive or would have encountered technical barriers. The ICO held that tackling BA’s security issues would have prevented the cyber-attack. It is worth noting that BA has made considerable improvements to its IT security following the attack.
Following the issuing of the notice of intent to fine, BA made representations to the ICO, which the ICO considered. The ICO also considered the economic impact of COVID-19 on BA’s business before deciding the final amount of the penalty.
In the light of today’s announcement, Elizabeth Denham, the UK Information Commissioner observed: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20 million fine – our biggest to date.”
Today’s announcement allows both parties to claim victory – even if it may ultimately prove to be pyrrhic. BA negotiated a 90% reduction in the ICO’s proposed penalty of £183 million and in the process has provided a playbook for other organisations to follow when they receive substantial regulatory fines. For its part, the ICO can claim to have issued the fourth biggest GDPR fine to date whilst also putting companies on notice that it’s able to extract significant penalties for the type of event – large security breaches – that happen on a weekly, if not daily, basis in the UK.
Going forward, it will be particularly interesting to watch how this penalty impacts the related group litigation against BA in the UK High Court, given that the company has now admitted liability for its security failings. At the same time, will the ICO reflect on lessons learnt and propose penalties which it can stand behind? Given BA’s relative success in this case, the ICO will be keen to avoid a repeat of the bruising, 15-month saga that led to this announcement.