The Information Commissioner’s Office (ICO), Britain’s data-protection regulator, said that “poor security arrangements” at the company led to the exposure of personal information belonging to roughly half a million customers. Following its investigation, the ICO announced its intention to fine the airline £183.39 million (about $230 million), the largest penalty the ICO has ever proposed for a data breach and the first it has issued under GDPR.
A Historic GDPR Fine
Before British Airways, the largest penalty the ICO had ever imposed was £500,000 on Facebook for its role in the Cambridge Analytica scandal, the maximum allowed under the previous data-protection rules (the Data Protection Act 1998). In that incident, the data of up to 87 million users was improperly shared with a third-party developer without proper consent.
The British Airways fine is roughly 367 times larger than the one imposed on Facebook, even though the BA breach affected about 1/174th as many people. The discrepancy reflects the far greater enforcement power that GDPR gives the ICO and other national data-protection authorities. GDPR allows regulators to impose fines of up to 4% of a company’s annual worldwide turnover (BA’s proposed fine was set at 1.5%). Had the Facebook penalty fallen under GDPR, the ICO could have handed down a fine of up to £1.26 billion, 4% of Facebook’s reported worldwide revenue. Had the ICO sought the maximum 4% of BA’s turnover, the bill could have been £489 million.
This isn’t the first fine handed out since GDPR took effect in May 2018; it is simply the largest. In January 2019, France’s regulator CNIL fined Google 50 million euros (about $56 million) for failing to properly disclose how data was collected across its services. Even so, relatively few fines have been assessed since GDPR came into force, and the penalty proposed for British Airways dwarfs all of them.
Assessing the Breach
Elizabeth Denham, head of the ICO, defended the severity of her office’s fine against BA:
“People’s personal data is just that—personal. When an organization fails to protect it from loss, damage, or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Specifically, the ICO said the British Airways breach compromised the following categories of customer information:
Login details (username and password)
Payment card details entered during booking (credit or debit cards)
Name, address and travel booking details
The ICO said the incident involved traffic to the British Airways website being diverted to a fraudulent site, where customer details were harvested by the attackers. The compromise began on August 21, 2018, and continued until it was discovered on September 5. British Airways disclosed the breach to the public the following day.
British Airways’ Stance
The company’s leaders have vowed to fight the fine while downplaying BA’s culpability. British Airways chairman and chief executive Alex Cruz said the company was “surprised and disappointed” by the ICO’s decision, and added that it had found no evidence of fraudulent activity on accounts linked to the breach. The ICO, for its part, noted that the company cooperated with its investigation and has made security improvements since the breach was discovered.
IAG, the group that owns British Airways, took an equally defiant line. Willie Walsh, chief executive of IAG, was quoted saying “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.” IAG has not accepted responsibility for the breach, instead apologizing for any “inconvenience” caused while placing the blame on the unidentified attackers.
What comes next?
The ICO’s announcement is a notice of intent rather than a final penalty. British Airways has 28 days to make representations to the regulator, and if a final penalty notice follows, it can appeal that decision to a tribunal. The airline will likely argue that it was not negligent and point to the additional data protections it has put in place since the breach; it has said it will mount a vigorous defence.
The ICO could also reduce the final amount. The regulator has said it has up to 16 weeks from issuing the notice of intent to deliver its final decision, and that it would “carefully consider” representations from the airline and from the other EU data-protection authorities involved before doing so.
Fines collected by the ICO are paid into the Treasury rather than retained by the regulator. However, the ICO is exploring other options, including earmarking part of its fine income to cover the cost of litigation defending its decisions.
British Airways might take some solace in knowing it is not the only global travel company to face a GDPR penalty this month. The ICO has also announced its intention to fine the American hotel chain Marriott for the breach of its Starwood guest database, disclosed in November 2018. The twin fines are a pointed reminder that companies must carefully guard customer data, and they are likely to be the first of many large penalties for data breaches in the coming years.
Europe’s experience is being watched closely by governments around the world, including in the United States, where state policymakers have pursued new privacy legislation requiring companies to be more transparent about how data is collected and used. And while federal privacy regulation in the United States has gained momentum, it is unlikely to be enacted any time soon.
For any company, in travel or otherwise, the best plan is to prepare for a data breach as if it is going to happen. Putting controls in place, preparing breach response plans, automating processes, and keeping key personnel up to date before a breach occurs are significant undertakings. LogicGate’s Audit and Controls Management software can help you stay on top of the checks and balances that keep your company on the right track and out of the headlines. LogicGate’s automated system helps you manage your company’s compliance obligations, reducing the risk of breaches and the reputational damage that follows them.