British Airways (BA) has been let off a possible £183 million data breach fine due to the economic disruption caused by the coronavirus.
The Information Commissioner’s Office (ICO) will now fine BA the smaller sum of £20 million, after taking into account appeals from the airline and also the economic fallout from the pandemic.
The original fine was approximately 1.5 per cent of the company’s annual turnover in adherence with guidelines set out in the European General Data Protection Regulation.
But £20m is still a significant sum. It’s the highest fine to date imposed by ICO. It serves as a warning to companies of all sizes about what can happen when customers’ personal data is not appropriately protected.
In 2018, more than 400,000 of BA’s customers had personal details and banking information stolen, including login, payment card and travel booking details as well as names and addresses. In a second incident, a further 185,000 customers who used the airline’s Avios rewards system also had personal data exposed.
ICO said BA failed to take necessary actions to protect customer data. This failure included a lack of multi-factor authentication across at least 13 critical applications. Many essential security measures were available free through Microsoft Windows, but BA didn’t use these.
The airline was only alerted to the data breach when a third party raised the issue more than two months after it occurred. ICO said there was little evidence the airline would have ever been able to identify the attack itself.
ICO’s lower fine also reflects the fact that the airline fully co-operated with its investigation and has since made significant improvements to the security of its systems.
The final fine is lower than the £50 million fine issued by the French regulator, CNIL, against Google in 2019, but that was clearly before the economic disruption caused by Covid-19, when all airlines’ turnovers were significantly reduced.
Gary Jowett, from Computer & Network Consultants (CNC) in Brighton, said: “In this digital age companies have new ways to interact virtually with their customers which makes them more responsive and successful. But sometimes the people who design and implement systems fail to take account of all the security issues and the avenues and back doors criminals might use to undermine their systems. Twenty million is a significant sum, but it may only hurt BA a little bit. For a much smaller organisation, a fine a fraction of that amount could prove fatal.”