October 16, 2020

UK Information Commissioner fines British Airways £20 million for GDPR failures

On October 17, 2020, the UK Information Commissioner’s Office (“ICO”) announced the imposition of a £20 million fine (approximately $26 million) on British Airways plc, pursuant to section 155 and schedule 16 of the Data Protection Act 2018, for infringements of the European General Data Protection Regulation.

As described in the Enforcement Notice, BA’s computer systems were penetrated by a malicious actor between June and September of 2018.  The hacker was able to obtain access to the stored, unencrypted username and password of a domain administrator account, and eventually succeeded in accessing payment card information of approximately 108,000 users, and exporting payment card details and personal information of new users during a fifteen-day period.  According to the ICO, once BA discovered the breach, the company contained the vulnerability and reported the incident to the ICO in a timely manner, and within two days had notified acquirer banks, payment schemes, and 536,116 affected customers.  The ICO also indicated that BA has cooperated with the investigation throughout.

However, the ICO found that BA failed to take appropriate measures to ensure the security of its customers’ data.  Specifically, the ICO determined that BA had not taken into account the level of risk when implementing programs to protect customer data against unauthorized or unlawful processing, had not used appropriate technical and organizational measures in order to pseudonymize and encrypt the data, and had not developed a system for testing, assessing and evaluating the effectiveness of the company’s data security measures.  The ICO concluded that BA had failed to comply with its obligations under Article 5(1)(f) and Article 32 GDPR. 

In assessing the penalty, the ICO took into account the serious concerns raised by BA’s failures, including the availability of security measures that BA could have taken to protect customer data, the duration of undetected access by a malicious actor (BA in fact did not detect the breach; the company was alerted to the exfiltration of personal data by a third party), and the number of individuals affected.  The £20 million penalty is the largest ever imposed by the ICO, though it is significantly lower than the £230 million originally proposed – a delta that, according to ICO, results from consideration of several mitigating factors, including the impact of COVID-19 on BA’s business.  In the Information Commissioner’s words, the penalty must be “effective, proportionate, and dissuasive.”

ICO press release | Penalty Notice