Britain’s regulator ICO Cuts British Airways Fine For Data Breaches From £184m To £20m

By James Simons

The Information Commissioner’s Office (ICO), the UK’s data watchdog, has reduced its fine against British Airways from £184m to £20m ($25.8 million) for a data breach in which the personal details of more than 400,000 customers were leaked after BA suffered a two-month cyberattack. The breach occurred because BA lacked adequate security measures to detect and defend itself against the attack.

Its initial planned fine against BA was close to £184 million, but it reduced the penalty in light of the economic impact that BA (like other airlines) has faced as a result of the pandemic, which has ravaged businesses across the globe. The ICO also took into account the work BA had undertaken to address the issue.

Over £150 million of the reduction was made because the ICO assigned less blame to BA than it had originally. Another £6 million was knocked off based on BA’s response, and a further £4 million was taken off as part of the ICO’s Covid-19 policy, reflecting the impact the coronavirus pandemic has had on BA’s business.

The ICO said in a statement:

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20 million fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

BA responded with a statement saying:

“We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations,” a spokesperson said. “We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”

Pandemic Effect

The reviewed fine reflects the effect the coronavirus pandemic is having on regulations. In some cases, in order to more quickly address issues that potentially impact business growth, we’ve seen regulators try to speed up their responsiveness to casework and even leave behind some previous reservations to green light activities, as in the case of e-scooters.

The revised fine sets a new standard for how regulators respond to future cases of security and data protection neglect.

The ICO’s explanation for the hefty fine was its conclusion that BA had “weaknesses in its security” that could have been prevented with security measures — procedures and software — that were available at the time.

As a result, data from 429,612 customers and staff was leaked, including “names, addresses, payment card numbers and CVV numbers of 244,000 BA customers,” the ICO said, adding that the combined card and CVV numbers of 77,000 customers, and card numbers only for a further 108,000 customers, were also believed to be part of the breach.

This included the usernames and passwords of BA employee and administrator accounts, and the usernames and PINs of up to 612 BA Executive Club accounts (these last two were also not completely verified, it seems).

On top of that, BA never detected the attack, it said: it was notified of the breach by a third party.

For BA’s part, the airline, which is part of the International Airlines Group — formed through mega-mergers, it also includes Iberia, Aer Lingus, Vueling and other brands and operators — has been working to reinvest in the security of its systems. It has also offered “concerned customers” 12 months’ membership of a credit check and monitoring service.
