Not All Plane Sailing: British Airways fined £20m for data breach involving thousands of customers

October 28, 2020


What's going on here?

The Information Commissioner’s Office (ICO) has fined British Airways £20m for a data breach in September 2018 involving over 400,000 customers.

What does this mean?

In 2018, British Airways (BA) fell victim to attackers who gained access to the names, addresses, flight details and card information of over 400,000 British Airways customers and employees. The attackers did this by gaining access to the company’s systems and modifying them so that customer details were harvested as they were entered. The ICO was informed of the data breach in September 2018, a worrying two months after the attack is believed to have begun. What makes matters worse is that BA failed to notice the hack itself; it was identified by a third-party security researcher, raising concerns that the airline might have remained unaware without outside intervention.

The investigation that ensued found that BA had failed to adequately protect itself from a preventable attack, breaching data protection law and endangering the personal information of hundreds of thousands of customers. The company had not implemented proper security protocols and was missing features such as multi-factor authentication, which requires presenting at least two types of evidence to gain access to a system or account. Although BA has since improved its security measures, the ICO has issued it with a hefty £20m fine, albeit a £163m reprieve from last year’s proposed penalty of £183m.

What's the big picture effect?

This is hugely significant for the General Data Protection Regulation (GDPR), which became enforceable in May 2018, mere months before the airline became aware of the breach. The new laws aimed to give people more control over their personal data, allowing companies to be fined up to 4% of their worldwide turnover. As the first major fine under the new regulations, the decision was expected to set a precedent, particularly with these kinds of cyber-attacks on the rise.

However, the ICO’s originally intended £183m was reconsidered in light of the economic impact of the pandemic, and the regulator settled on £20m. This came as a welcome reduction for an airline industry that had suffered through a summer of seaside staycations brought on by travel restrictions. Nonetheless, the fine is still the largest penalty issued by the ICO to date, far above the £500,000 maximum available under the previous data protection regime, showing the seriousness of the new laws.

While it is good news that data protection is being taken more seriously, this may pose issues for many companies. Law firms, in particular, rely heavily on technology to store corporate and personal data, both of which may be sensitive, and so could face damaging consequences if that data is not properly protected. This risk is further heightened because the shift to working from home has seen record levels of cyber-attacks, owing to the reduced level of cyber protection at employees’ homes.

So, while a £20m fine amid a global pandemic and a declining economy is far from ideal for British Airways, the penalty proves that the ICO means business. The protection of our personal data is becoming increasingly important, with Information Commissioner Elizabeth Denham stating that these laws help to encourage businesses to make better decisions regarding our data. However, it is likely we will see much larger fines in a post-pandemic world, and with up to 4% of their turnover potentially on the line, companies are likely to be much more careful with our personal data going forward.

Report written by Lotanna Okaro
