General Data Protection Regulation (GDPR) , Governance & Risk Management , Privacy

British Airways' GDPR Fine Dramatically Reduced

Fined $26 Million in Connection With 2018 Breach
British Airways' GDPR Fine Dramatically Reduced

Britain's Information Commissioner's Office announced this week a dramatic reduction in its fine against British Airways for violating the EU's General Data Protection Regulation.

See Also: Restructuring Your Third-Party Risk Management Program

The ICO finalized a fine of nearly £20 million ($26 million) in connection with a 2018 data breach that exposed the personal information of about 430,000 customers. It had announced in July 2019 that it intended to impose a penalty of £184 million ($238 million) on British Airways, which is owned by the Madrid-based International Airlines Group (see: British Airways Faces Record-Setting $230 Million GDPR Fine).

"As part of the regulatory process, the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty," the ICO said this week.

Lack of Security Protocols

At the time of the breach, British Airways did not have the proper security protocols in place to protect the large amount of personal data it processes and stores, the ICO says. The breach, which exposed credit card information and employee login credentials, went undetected for two months, according to the agency.

"People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA a £20m fine - our biggest to date," says ICO Commissioner Elizabeth Denham.

A British Airways spokesperson tells Information Security Media Group: "We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers' expectations. We are pleased the ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully cooperated with its investigation."

André Bywater, a partner at London-based law firm Cordery, says the reduced fine imposed on British Airways "should not deter organizations from taking data security seriously. Further, organizations should also bear in mind that class-action [lawsuits] for compensation may yet add to the final bill in cases like this one."

Breach Detection Delay

ICO expressed concern that the airline failed to detect the breach and was informed of it by a third party more than two months after the attack.

"It is not clear whether or when BA would have identified the attack themselves," the ICO report states. "This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant."

Bywater says companies must have top-level organizational and technical measures in place to defend against breaches.

"They must have a first-rate strategy and proper tools in place for responding quickly when these incidents do happen. Those processes and procedures should be tested regularly," he says.

Magecart Suspected

Immediately after British Airways announced the breach in 2018, security firm RiskIQ reported it was likely a Magecart-style attack, which involves placing a JavaScript skimmer in the target's e-commerce checkout system to scrape customer payment data as it's entered (see: RiskIQ: British Airways Breach Ties to Cybercrime Group).

Groups under the Magecart umbrella are thought to be responsible for dozens of attacks over the last five years, including those targeting Macy's, Wawa and Newegg.

The ICO estimates nearly 430,000 British Airways' customers and staff were potentially affected by the breach, with 244,000 possibly having their names, addresses, payment card numbers and CVVs compromised.

Usernames and passwords of employee and administrator accounts were also exposed, as well as usernames and PINs of up to 612 BA Executive Club accounts.


About the Author

Doug Olenick

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing gdpr.inforisktoday.com, you agree to our use of cookies.