
BA GDPR Data Breach Fine Lowered to £20m Due to COVID-19

Leo Daniels • Oct 16, 2020


The fine against British Airways for GDPR failings has been reduced to £20m, down from the £183m notice of intent to fine issued last July.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place, leading to a cyber-attack during 2018, which it did not detect for more than two months. It said the amount to be fined (£20m) was considered with both representation from BA and the economic impact of COVID-19 on the business.

The ICO also said, as the breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

According to the penalty notice, a proposed penalty of £183.39m was issued on July 4, 2019, with an extension to March 21, 2020 agreed in December. On April 3, 2020, the ICO wrote to BA requesting information regarding the impact of COVID-19 on its financial position, and having considered BA’s representations, both BA and the ICO “agreed to a series of further extensions of the statutory deadline to 30 September.”

Rachel Aldighieri, managing director of the Data & Marketing Association (DMA), said: “Brexit and coronavirus have put businesses under immense financial strain and a fine of this magnitude will get the attention of board members of organizations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO.

“This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.”

In the attack, the attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.

The ICO said that since the attack BA has made considerable improvements to its IT security. Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”

Piers Wilson, head of product management at Huntsman Security, said: “Whether this was a result of clever bargaining by BA, the investigation process uncovering mitigating factors, an acknowledgement of the ravages of COVID-19 on the airline industry or the ICO deliberately setting a high initial target with a more realistic goal in mind, it could give the message that fines will not be as severe as businesses and some in the security and privacy industry expect.”

Vanessa Barnett, commercial and IP partner at Keystone Law, added: “In the grand scheme of things, it’s important that the punishment fits the wrongdoing: whilst the GDPR certainly has teeth and can really bite quite hard, it’s great to see the ICO continuing with its attitude of proportionality that existed pre-GDPR. Don’t forget that before GDPR the statutory limit was £500,000.

“£500,000 to £20m is a big jump and will still very much focus the (compliance) minds! The ICO may have felt some moral pressure not to whack BA even more in the midst of a global pandemic which is affecting it hugely and luckily, its enforcement framework allows that.”
