The record-breaking British Airways fine announced today by the Information Commissioner’s Office (ICO) has seen the airline become a guinea pig for GDPR, according to cybersecurity experts.
Prior to today’s announcement, which sees British Airways slapped with a £183m fine for a breach disclosed in September 2018, the ICO had not issued any fines under the new law.
As a result, whichever company came first was always going to be something of a test case, and British Airways, which took 16 days to uncover the breach involving the payment data of some 380,000 customers, has drawn the short straw.
“There was always going to be a hefty guinea pig fine from the ICO to mean business showing that GDPR fines are not just talked about. Incredibly, this still isn’t the maximum fine they could have been handed either,” said Jake Moore, Cybersecurity Specialist at ESET.
“However, the amount of data compromised was huge and it is without doubt that it would have ended up in criminal hands so therefore it should not be taken lightly.”
BA the first case to be fined under GDPR
General Data Protection Regulation (GDPR), is an EU-wide law that came into effect on 25 May 2018.
It was designed to update existing security legislation to place a far greater responsibility on companies for keeping customer data safe.
Under the law, businesses are required to report all security breaches to their country’s regulatory body – in the UK’s case, the ICO – within 72 hours of their discovery, as well as following far more stringent rules on data handling than were previously required.
Most notable, however, is the level of fines associated with data handling failures.
Companies now face fines of up to €20m, or 4% of their global annual turnover – whichever is higher, making such a fine a devastating blow for any company. By contrast, previous maximum fines were seen as a relative slap on the wrist, meaning they could be easily ignored by companies that considered compliance too expensive.
Despite the law having come into effect over a year ago, British Airways has become the first company to be fined under GDPR in the UK because of the length of time it takes for the ICO to build a case.
The breach, which is believed to have begun in June 2018, saw customer login and payment details accessed by hackers. This included credit card numbers and expiry dates, although not the three-digit CVV codes found on the back of cards.
Hackers managed this by redirecting users of the airline’s website to a bogus site. According to the ICO, this allowed the details of some 500,000 customers to be accessed.
As the incident occurred after 25 May, it was subject to the new, more rigorous legislation.
The ICO determined the fine was valid because it believes the breach was the result of poor security practices, which made it easier for hackers to gain access to the company’s systems than would otherwise have been the case.
British Airways has, according to the ICO, cooperated with the organisation and improved its security since the attack, but still warrants a fine due to its lax practices at the time.
The airline, however, has said it intends to appeal the fine, and has 28 days to do so.
British Airways fine still not close to maximum under GDPR
While the British Airways fine is undoubtedly significant – and is set to have a dramatic impact on the airline’s profits for this year – it is not even half of what the ICO was legally permitted to issue.
Under GDPR, the ICO could have issued a fine equivalent to 4% of the company’s annual global turnover, but the £183m represents just 1.5%.
As a result, the fine is being seen as a wake-up call about just how devastating a GDPR fine can be.
“The total proposed fine of £183.39m, equivalent to 1.5% of BA’s global turnover for the financial year ending December 31, dwarfs the previous highest fine of £500,000 doled out to Facebook for serious breaches of data protection law in 2018,” said Tony Pepper, CEO of Egress.
“This fine not only puts paid to any thoughts that the ICO lacked teeth in its pursuit of organisations putting customer data at risk, but also serves as a reminder to any company suffering from a complacent attitude to compliance that the handling, processing and storing of customer data should be its number one priority.
“This could very well be the first of many large fines issued by the ICO and will most definitely serve as a wakeup call to organisations that offer goods or services to, or monitor the behaviour of, EU data subjects.”
Harsh GDPR reminder for businesses
British Airways has reacted negatively to the news of the fine, saying it is “surprised and disappointed”, according to the BBC. But for other European businesses the decision is a reminder of just how important cybersecurity now is.
“This punitive measure against British Airways – the record issued in the UK by the Information Commissioner’s Office – serves as another reminder to IT security leaders to review their data handling and security processes regularly, ensuring policies and processes put in place prior to the GDPR deadline are still being carried out properly,” said John O’Keeffe, VP of EMEA at Looker.
“Organisations seeking to achieve GDPR compliance may have tackled this issue prior to the deadline, but they’ll need to ensure the right strategies, processes and technologies are in place to maintain this position moving forwards.”
The fallout continues
The British Airways fine is likely to be the most devastating impact of the breach for the airline; however, it is possible that it will face additional legal action.
“The £183m fine does not really terminate legal ramifications of BA related to their website hack; other parties may still have valid claims against BA. It is now important to determine whose negligence or misconduct ultimately caused or facilitated the breach,” said Ilia Kolochenko, founder and CEO of ImmuniWeb.
“If BA was relying only on automated vulnerability scanning for a business critical application, a cybersecurity supplier who suggested such a reckless strategy may be liable under certain circumstances and BA may crossclaim the damages.”
For those impacted by the breach, there may also be continuing problems.
“The sort of data taken could have been used for card fraud or even identity theft and, with as many as 380,000 transactions skimmed, this is an immense amount of personally identifiable information,” said Moore.