Yesterday the Information Commissioner’s Office (the “ICO”) – the regulator responsible for enforcing data protection law in the UK – confirmed its intention to impose a staggering fine of £183.39m on British Airways as a result of BA’s infringement of the General Data Protection Regulation (“GDPR”).
Whilst the technical details of the alleged infringement have not been fully disclosed, the ICO has confirmed that the fine relates to a major cyber security incident during which personal data of approximately 500,000 of BA’s customers was compromised by hackers. According to the ICO, user traffic was diverted from the BA website to a fraudulent site through which hackers were able to obtain customers’ details, including names, addresses, log-in details and payment card details. The compromised data also included customers’ CVV codes. The breach was first reported to the ICO by BA in September 2018, but it is suspected the attack may have begun as early as June 2018.
Commentators have suggested that the attackers may have used a malicious script on the BA website or app to divert customers to a third party site – known as a “supply chain attack”. Supply chain attacks are increasingly concerning for website operators that use embedded code from third party suppliers, such as those who provide payment authorisation or publish adverts.
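The exposure described above comes from supplier code a site operator embeds but does not control. As an added illustration (not code from the article, BA or the ICO), the following audit walks a page's script tags and flags third-party scripts that are either loaded from a host outside an approved supplier list or loaded without a Subresource Integrity hash; the HTML, hostnames and supplier list are constructed placeholders.

```javascript
// Added example: defender-side audit of <script src> embeds on a page.
// Inputs (all hypothetical): the page HTML as a string, the operator's own
// hostnames, and an allowlist of approved suppliers (payment, adverts).
function auditThirdPartyScripts(html, firstPartyHosts, approvedSuppliers) {
  const findings = [];
  // Matches <script ... src="..."> with attributes in any order; adequate for an audit.
  const scriptTag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let match;
  while ((match = scriptTag.exec(html)) !== null) {
    const [tag, src] = match;
    let host;
    try {
      // Relative URLs resolve against the first-party origin, so they count as first party.
      host = new URL(src, `https://${firstPartyHosts[0]}/`).host;
    } catch {
      findings.push({ src, issue: 'unparseable src' });
      continue;
    }
    if (firstPartyHosts.includes(host)) continue;
    if (!approvedSuppliers.includes(host)) {
      findings.push({ src, issue: 'unapproved third-party host' });
    }
    // A supplier script without an SRI hash can be swapped out at the supplier's end
    // without the browser noticing; pinning it is the mitigation.
    if (!/\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(tag)) {
      findings.push({ src, issue: 'third-party script without SRI hash' });
    }
  }
  return findings;
}

// Constructed sample page; the integrity value is a placeholder, not a real hash.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://pay.example-psp.com/checkout.js"
        integrity="sha384-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        crossorigin="anonymous"></script>
<script src="https://ads.example-adnet.com/tag.js"></script>
<script src="//cdn.unknown-host.example/modernizr.js"></script>
`;
const SAMPLE_FIRST_PARTY = ['www.example-airline.com'];
const SAMPLE_SUPPLIERS = ['pay.example-psp.com', 'ads.example-adnet.com'];

console.log(auditThirdPartyScripts(SAMPLE_HTML, SAMPLE_FIRST_PARTY, SAMPLE_SUPPLIERS));
```

On the sample page the first-party script and the pinned payment script pass, the advert tag is reported for lacking SRI, and the unknown host is reported twice (unapproved and unpinned).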
Ultimately, the ICO confirmed that BA failed to implement proper security measures to protect customers’ personal data.
The headline-grabbing fine is the largest ever imposed on a business by the ICO. Until now, the biggest penalty was £500,000 levied on Facebook in relation to the Cambridge Analytica scandal (albeit under the Data Protection Act 1998, as the breach had occurred before the GDPR came into force).
However, it is worth noting that the fine could have been worse for BA. Under the GDPR, the ICO has the power to fine up to 4% of a business’s global turnover, whereas £183.39m represents around 1.5% of BA’s 2017 global turnover. That said, this is unlikely to offer any real comfort to BA, with many suggesting that the fine will significantly impact profits.
There are two things that will be particularly concerning to businesses upon hearing news of the BA fine. Firstly, prior to the implementation of the GDPR in May 2018, the ICO made a concerted effort to assure businesses that it would not impose disproportionate or punitive fines (the Information Commissioner, Elizabeth Denham, having previously stated that “fines are not our go-to tool”). For the ICO to impose a fine that is around 367 times higher than the previous record, at the first time of asking, suggests that to the contrary the ICO will be using all power available to it.
Secondly, it does not seem that BA has been given any credit for co-operating and improving its security arrangements since the breach. By all accounts, BA responded quickly and effectively to the breach and claims that no fraudulent transactions have occurred as a result. BA may have been forgiven for thinking that this would be taken into account as a mitigating factor, but it appears that the ICO does not share this view.
Many businesses will now be watching carefully, as BA has confirmed its intention to appeal the fine. It remains to be seen whether the ICO will reconsider the astounding amount of the fine, or if it will stick to its guns.
In any event, it is a timely reminder that the ICO will treat data breaches with the utmost severity and that non-compliance with the GDPR will not be taken lightly.
Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.