British Airways is receiving a fine for a data breach to the tune of £183.39m. The fine is being handed out by the UK’s Information Commissioner’s Office (ICO). The record penalty is being made public for the first time, under new rules implemented by the ICO. British Airways is owned by the International Airlines Group (IAG). The company was targeted by a sophisticated and malicious criminal attack. The attack took advantage of poor security arrangements at BA, to collect the sensitive personal data of people who visited BA online.
How the security breach occurred
Users of the British Airways website were diverted to a fraudulent website, due to malware on britishairways.com. During the period that users were diverted to the fraudulent website, it collected the details of approximately 500,000 people. On the 6th of September 2018, British Airways disclosed the incident to ICO. The security incident began in June 2018. BA first estimated that roughly 380,000 transactions were affected, before revising that figure upwards.
What data was stolen?
The personal data that was harvested did not include passport or actual travel details. The ICO watchdog highlighted what data it believed was compromised, including:
- Travel booking details
- Customer’s name
- Customer’s address
- Payment card
- Log in details
- Email addresses
- Credit card numbers
- Credit card expiry dates
- Three-digit CVV codes
Once the incident came to light, British Airways cooperated with the watchdog’s investigation. BA has since strengthened its security arrangements.
What action has been taken?
Data governance rules were introduced by the EU’s General Data Protection Regulation (GDPR), which is mirrored in the UK. The new rules came into force on 25th May 2018 and these were the largest change to data privacy in the past 20 years. GDPR makes it mandatory to report data and security breaches to the ICO. The ICO can administer penalties and these have been increased to up to 4% of a company’s annual turnover. The British Airways penalty equates to 1.5% of its 2017 worldwide turnover, so the fine could have been much higher.
Facebook previously had the largest fine, of £500,000, for its part in the Cambridge Analytica data scandal. This fine was the maximum penalty under the previous data and privacy rules upheld in the UK. The enormity of the fine makes it clear that cybersecurity is a responsibility that needs to be taken seriously. Security breaches can now not only destroy consumer trust but can be extremely costly.
British Airways can appeal the fine within 28 days. The airline has indicated that it will appeal the fine.
What is GDPR?
GDPR was created to give EU citizens greater control over their personal data. It brings into force new laws and obligations to protect the privacy, personal data, and consent of consumers.
GDPR affects any business or organisation that offers a service or sells a product to other businesses or customers who reside in the EU. GDPR also governs companies that are located outside of the EU, if their service is provided to EU residents.
To comply with GDPR, organisations must ensure personal data is collected legally and to strict conditions. Businesses must protect private data from exploitation and misuse and all companies should have a GDPR compliance strategy in place.
The key aspects of GDPR compliance include:
- An organisation must ask for explicit permission from the person, before processing any personal data
- Consent must be obtained and the specific purpose must be made known
- All data breaches must be reported to authorities
- People have the right to be forgotten
Since GDPR was introduced, 90,000 incidents have been received. More than 100 organisations have been fined for non-compliance.