
Why was British Airways fined so much?

Last year, British Airways suffered a data breach in which the details of hundreds of thousands of its online users were stolen, including email addresses and credit card details, along with the 3-digit security code from the back of the card.

First big ICO fine.

The fine was imposed by the UK data protection agency, the Information Commissioner’s Office, under the General Data Protection Regulation.

Information Commissioner Elizabeth Denham told the BBC “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The fine, £183,000,000, is about 1.5% of British Airways’ worldwide turnover (in 2017). Under the GDPR, the ICO could fine a company up to 4% of its worldwide turnover.

The fine against Facebook for the Cambridge Analytica data breach was issued under the old Data Protection Act, which capped fines at £500,000. This fine against British Airways is the first large fine to be issued under the GDPR.

It’s likely the ICO set this fine so high not only because of the number of individuals whose data was stolen in the breach, but also because of the data that was taken; credit card information along with the CVV 3-digit code off the back of the card.

The CVV code should not be stored by organisations: it needs to be processed at the point of payment but not saved. It’s not clear whether it was stored here; some suggestions about the type of breach B.A. suffered indicate that the information was scraped from the screen as users entered it, rather than taken from any backend database.

Will British Airways have to pay up?

British Airways have 28 days to appeal the fine. IAG, the owners of British Airways, have said they will be appealing the fine.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
We apologise to our customers for any inconvenience this event caused.”

Willie Walsh, chief executive of IAG & Alex Cruz, British Airways’ chairman and chief executive

The ICO believes the data was being stolen from June 2018; BA first made people aware of the breach in September 2018.

The ICO said that poor security, especially around the login and payment areas of the website and the BA mobile app, meant the stolen data included key personally identifiable information. As a result, users had to cancel cards, change security settings, and monitor their accounts for fraudulent transactions.

It’s likely that third-party code on the website was compromised, which resulted in the breach. The code could have come from an advertising provider or a feature provider such as an online chat tool. Either way, the GDPR states that British Airways is the Data Controller and is responsible for vetting any third-party access to users’ data.
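One concrete way a Data Controller can vet the third-party scripts it allows onto a payment page is to audit every external script tag for a Subresource Integrity hash and derive a Content Security Policy allowlist from what is actually loaded. The following is an added example, not code from the original article or from British Airways; the checkout page markup and the provider hostnames in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a checkout page that loads third-party scripts.
# The hostnames are placeholders, not real providers.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-chat.invalid/widget.js"></script>
<script src="https://ads.example-ads.invalid/tag.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptAuditor(HTMLParser):
    """Collects every external <script src=...> with its integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_third_party_scripts(html, first_party_host):
    """Return (hosts of third-party scripts lacking SRI, CSP script-src directive)."""
    parser = ScriptAuditor()
    parser.feed(html)
    missing_sri = []
    allowed = {"'self'"}  # first-party scripts are covered by 'self'
    for src, integrity in parser.scripts:
        host = urlparse(src).netloc
        if not host or host == first_party_host:
            continue  # relative or first-party script
        allowed.add(f"https://{host}")
        if not integrity:
            missing_sri.append(host)
    csp = "script-src " + " ".join(sorted(allowed))
    return missing_sri, csp


if __name__ == "__main__":
    flagged, csp = audit_third_party_scripts(SAMPLE_CHECKOUT_HTML, "www.example-airline.invalid")
    print("Third-party scripts without SRI:", flagged)
    print("Suggested CSP:", csp)
```

SRI only protects scripts whose content is fixed; a provider that updates its script in place has to be pinned to a reviewed version, or restricted with CSP nonces or hashes and monitored for changes.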

What happens to the fine?

If the fine is upheld, the money will be divided up between all the EU data protection authorities. The UK’s portion will go directly to the Treasury.

The ICO said that B.A. has made improvements to its security.

Individuals who want to claim compensation from B.A. will need to contact the company independently. B.A. has not given any information on whether any payments have been made to individuals yet.

Data Security

The ICO made it clear that the security of individuals’ data is the responsibility of the Data Controller.

If your organisation processes personally identifiable information, whether from customers, users, employees or suppliers, or any other information that identifies individuals, you need to be compliant with the GDPR.

Failure to be compliant is a breach of the GDPR, and could result in a large fine from the ICO.

General Data Protection Regulation

Data Protection Act 2018

The GDPR UK implementation and the UK Data Protection Act 2018 govern how organisations can process personally identifying information.

If your organisation needs to process personal information, it must be registered on the ICO database and have a Data Protection Policy in place detailing the use of that personal information.

Personal information is any information that can identify an individual, such as employee names, customer IDs or CCTV footage.

If you need help assessing your GDPR compliance, contact us immediately for a GDPR review.
