ICO looks to fine BA a record £183m under GDPR
Written by Deborah Ritchie
The Information Commissioner’s Office this morning announced its intention to fine British Airways £183.39m for infringements of the General Data Protection Regulation (GDPR) following a cyber incident notified by the airline in September 2018. Legal experts say the unprecedented penalty sets the tone for future breaches.
Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, through which the attackers harvested customer details. The ICO’s investigation uncovered that a variety of data were compromised by “poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”
Information commissioner, Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Reacting to the news, partner and commercial solicitor at Gardner Leader solicitors, Diane Yarrow, said the record fine will set a strong precedent for future large-scale data breaches.
“Not long after the first anniversary of GDPR coming into force, the ICO has issued the largest ever fine to British Airways for a data breach relating to 500,000 customers.
“Under Article 5 of the GDPR rules, personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…and…processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisation measures (‘integrity and confidentiality’).”
“The compromised information in the BA cyber incident included log in, payment card, travel booking, names and addresses. Clearly, BA breached the above Article and the wider GDPR as it failed to properly safeguard personal data that it was entrusted with.
“BA has been issued with a fine amounting to 1.5% of its worldwide turnover in 2017, which far surpasses the previous record fine of £500,000 which Facebook was ordered to pay in the Cambridge Analytica data scandal. The difference in the fines is owed to the change of law between the incidents namely the arrival of GDPR, which allows a maximum fine of up to 4% of annual turnover.”
The ICO issued a statement explaining that British Airways had cooperated with its investigation and has subsequently made improvements to its security arrangements. The company will now have the opportunity to make representations to the ICO on the proposed findings and sanction before the watchdog takes its final decision.
Yarrow said this first large fine under GDPR was always going to be hotly contested. “In the next 28 days, we should learn more details of the basis on which BA will appeal the ICO’s decision, together with the ICO’s response to the appeal,” she explained. “The ICO will have to take into account: any action taken by BA to mitigate the damage suffered by data subjects, the degree of cooperation with the supervising authority and any other mitigating factors.”