There’s been a question around for some time now about who will be the first ‘big’ recipient of a hefty GDPR fine. And the answer as of this morning is British Airways (BA), which is looking at a £183.39 million penalty following a cyber-attack last year.
At this stage, the fine is a statement of intent by the UK Information Commissioner’s Office (ICO) as BA has the right to challenge and appeal the decision before enforcement action is taken. But if the ICO sticks to its guns, this will be the largest penalty dealt out under the GDPR regime to date.
The fine relates to a data breach last summer when user traffic to the BA website was diverted to a fraudulent site. Personal data belonging to around 500,000 customers was compromised. The attack, by the cyber-criminal group Magecart, is believed to have taken place in June last year, with the incident disclosed in September.
While the breach was caused by a third party, BA’s security practices are cited as the reason that the airline is being held culpable. The ICO says in a statement:
The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.
People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.
While this is the largest GDPR fine to date, BA has actually got off lightly. Under GDPR, organisations can be penalised up to €20 million or 4% of the company’s global annual turnover for the previous financial year, whichever is higher. As it currently stands, the proposed ICO fine only amounts to 1.5% of BA’s global turnover.
BA of course is in no mood to consider itself lucky here and is publicly aggrieved that criminals can attack it, but as ‘victim’, the airline is being punished. Alex Cruz, British Airways Chairman and Chief Executive, complains:
We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
Prompt disclosure of a data breach is an important requirement of GDPR. This is designed to avoid situations such as that which occurred at Yahoo, when disclosures were not made about incidents until long after the event. BA made two disclosures, firstly on 6 September 2018 and a follow-up on 25 October 2018.
The airline will clearly fight back against the ICO decision with the pugnacious Willie Walsh, Chief Executive of BA parent company International Airlines Group, stating:
British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals.
For its part, the ICO says it will:
consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision…ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO has been active in doling out fines of late, with £500,000 bills presented to both Facebook and Equifax over the past year. Equifax was fined £500,000 after failing to protect the personal information of up to 15 million UK customers during a cyber-attack, while Facebook’s followed the Cambridge Analytica revelations.
Crucially however, both fines were issued under the UK Data Protection Act’s regime, where £500,000 was the maximum penalty. If either incident occurred today, the total fine could be considerably higher. The French data watchdog CNIL’s €50 million fine slapped on Google earlier this year for GDPR violations is indicative here.
Until BA makes its appeal - and it has 28 days to do so - it’s not appropriate to comment on the specifics or attribute blame here. There is due process to be observed by all parties. What will be interesting, if the fine holds - or if a revised one emerges - will be to see how BA factors it into its planning. One concern that’s been aired before about hefty fines for commercial organizations is whether the cost finds its way back to the consumers whose privacy is being protected by GDPR. But that’s a debate that has to wait for another day.