British Airways leaks data and fined R$145 million

Marco Green
October 18, 2020

Britain's Information Commissioner's Office announced this week a dramatic reduction in its fine against British Airways for violating the EU's General Data Protection Regulation.

The breach was compounded when British Airways themselves failed to notice it.

The ICO said in a statement on Friday that the airline was processing personal data without adequate security measures.

It is the largest fine ever handed out by the United Kingdom data protection watchdog, the Information Commissioner's Office (ICO), which said BA's failure to act was unacceptable.

The penalty was considerably less than the $237 million (183.4 million pounds) the ICO proposed the previous year, in part reflecting the crisis the airline industry is now facing due to coronavirus.

Whilst the £20m fine is the highest GDPR-related fine issued in the United Kingdom to date, it is interesting to note that this has been substantially revised from the £183m initially proposed by the ICO the previous year. The commission found the airline responsible for failing to protect the personal and financial data of over 400,000 of its customers, which was leaked during a cyber-attack in 2018. The breach, which exposed credit card information and employee login credentials, went undetected for two months, according to the agency.

The ICO investigators found that BA should have identified the security weaknesses that enabled the attack to happen. Even so, the firm has shown a willingness to comply with the strict regulatory regime in an impressive way.

The originally proposed £183 million is more than nine times the £20 million the airline has eventually been fined. Around 244,000 of the approximately 433,000 customers and staff affected by the breach had their names, addresses and full payment card numbers and CVVs stolen by hackers.

"Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers". The ICO suggested various measures that BA could have taken to prevent the breach from occurring, which were not implemented, and commented that each of the several steps that the attacker took, leading to the eventual breach of personal data, "could have been prevented, or its impact mitigated, by BA implementing one or more of a range of appropriate measures that were open to it".

While the fine is less than the £183 million the ICO said it would issue in 2019, it is still the largest fine ever issued by the watchdog, which said the "economic impact of Covid-19" had to be taken into account.

A British Airways spokesperson told Information Security Media Group: "We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers' expectations".

BA was informed of the issue by a third party and notified the ICO on September 6, 2018.
