British regulators have finalized the fine against British Airways for the 2018 data breach that exposed the personal information of about 430,000 customers. The final amount may be the largest ever, but it is far lower than what had been expected.
The United Kingdom Information Commissioner's Office said British Airways would be fined £20 million ($25 million, €22 million) for infringing the European Union's General Data Protection Regulation. Even though the privacy watchdog touted the "record" fine, it is far lower than the £183 million fine originally proposed in July 2019. The ICO reduced the fine after considering the impact the COVID-19 pandemic had on the global economy.
"As part of the regulatory process the ICO considered both representations from BA and the economic impact of Covid-19 on their business before setting a final penalty," the UK ICO said.
British Airways, hit hard by the reduced demand for air travel, had decided to lay off permanently more than a quarter of its 42,000 workforce and to cut the pay of many remaining staff members.
The fact that the final fine was reduced from the initial proposed fine is "of interest," especially since the ICO had announced a proposed fine of £99 million for Marriott International in July 2019, Roisin Cregan, a solicitor with Macfarlanes, wrote on Lexology.
GDPR Violations
British Airways did not have the proper security controls in place to protect the large amount of personal information it processed and stored on its customers. Nearly 430,000 customers and staff were potentially affected by the breach, with 244,000 possibly having their names, addresses, payment card numbers, and CVVs stolen. Usernames and passwords of employee and administrator accounts were also exposed, as were the usernames and PINs of up to 612 British Airways Executive Club accounts.
"People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result," said ICO Commissioner Elizabeth Denham.
RiskIQ had previously linked the British Airways breach to Magecart, the umbrella name for attackers who insert JavaScript skimmers into the checkout pages of e-commerce systems to scrape customer payment data as it is entered.
The breach went undetected for two months. British Airways was informed of the June 22, 2018 breach by a third party on Sept. 5. While the ICO acknowledged that BA acted quickly and notified customers after it learned of the breach, it found that BA should have identified the weaknesses in its security and resolved them as part of its general compliance activities. Had BA implemented those controls, the ICO said, it could have prevented the breach.
"It is not clear whether or when BA would have identified the attack themselves," the ICO report said. "This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant."
The attackers succeeded because of deficiencies in BA's systems. BA did not have adequate user authentication in place and did not limit access to applications and systems to only what each user needed, the ICO said.
"This is a serious reminder of the importance of having robust compliance and review measures in place to ensure systems are up to date and not waiting to respond to a breach," Cregan said.
The breach happened in June 2018, before the United Kingdom left the European Union, which is why the ICO investigated it on behalf of the European Union as the lead supervisory authority. Under GDPR, organizations can face fines of up to €20 million ($23 million) or 4% of annual global revenue, whichever is greater.
The ICO initially proposed a fine in July 2019. Since then, the regulators worked with other privacy authorities in the EU and with the company to finalize the details, consider mitigating factors, and apply discounts. The discounts reflect factors such as British Airways cooperating with the investigation, notifying customers promptly, and having since improved its security compliance. It's worth noting that the "discount" for the impact of COVID-19 on the company's finances amounted to only £4 million.
Despite the size of the breach and its impact on victims, the BA fine turned out to be significantly less than the maximum possible. For many companies that have been watching the British Airways case unfold, it seems clear that it is worth pushing back on the ICO after the investigation to see whether the fine can be reduced.
"Whilst the ICO strongly defended its original assessment, actions and processes, it seems that making a challenge to an ICO enforcement notice or notice of intent is certainly commercially worthwhile," said Claire Edwards, a data protection law specialist at Pinsent Masons.