British Airways has been fined £20 million by the Information Commissioner’s Office (ICO) after a data breach in 2018 which involved over 400,000 customers. During the breach, bank card information, addresses, names and other sensitive data were stolen by cyber criminals.
After initially fining the airline a whopping £183.9 million in 2019, the ICO downgraded the penalty partially due to the ongoing economic impact of the COVID crisis. The £20 million penalty represents the largest fine levied by the ICO to date, but is significantly lighter than the original judgment in 2019.
Reasons behind the downgraded fine
With the devastating impact COVID-19 has had on the aviation industry, enforcing the original £183.9 million fine would have been untenable. The ICO said in a statement their process was influenced by:
“Representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.”
Despite easing off on their final penalty, the ICO stands by its initial judgment and believes the fine sends out a message to other companies. According to Information Commissioner Elizabeth Denham:
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
Did BA get off lightly?
Given the extent of the breach, which the ICO confirmed “included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers”, BA may have gotten off the hook. The initial £183.9 million fine reflected the gravity of the negligence, which Commissioner Denham outlined in no uncertain terms:
“When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear. When you are entrusted with personal data you must look after it.”
However, despite such a sizeable markdown in the penalty, Data protection officer Carl Gottlieb notes that £20 million is still a significant sum of money in the current economic climate. Gottlieb told the BBC:
“It shows the ICO means business and is not letting struggling companies off the hook for their data protection failures.”
How has the airline responded?
British Airways will be somewhat relieved at the extent of the penalty markdown, especially as the airline anticipates tough times ahead. On Monday, CEO Alex Cruz announced he was stepping down as CEO of British Airways, further compounding difficulties. A spokesperson for the airline commented:
“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”
The breach in 2018 went undetected for a full two months and was only brought to the airline’s attention by a third-party security expert. Subsequently, BA invested in upgraded cybersecurity systems and co-operated completely with the ICO investigation.