British Airways Faces Record-Setting $230 Million GDPR FineUK's Privacy Regulator Ties Size of Proposed Fine to Security Deficiencies
Britain's privacy watchdog has issued a "notice of intent" that it plans to fine British Airways £184 million ($230 million) for violating the EU's General Data Protection Regulation.
The proposed fine is the result of an investigation by Britain's Information Commissioner's Office into British Airways after it suffered a September 2018 data breach that rerouted customers to a fraudulent site designed to steal their payment card data (see: British Airways Finds Hackers Stole More Payment Card Data).
"Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018," the ICO says in a statement issued Monday.
The regulator's fine is being levied not because the airline suffered a breach, but because of what the ICO says was the organization's poor security posture at the time of the breach. "The ICO's investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information," it says.
The ICO has issued a notice of its intention to fine— ICO (@ICOnews) July 8, 2019
British Airways £183.39M for infringements of the General Data Protection
The proposed fine is equivalent to 1.5 percent of BA's 2017 annual revenues. The ICO says the suggested fine is not final, and that its ultimate recommendation will take into account comments from BA as well as other EU data protection authorities. The ICO says that while it has taken the lead on the investigation, "under the GDPR 'one stop shop' provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO's findings."
Under GDPR, the ICO can fine organizations up to 4 percent of their annual global revenue or £17.9 million ($22.5 million) - whichever is greater - if they violate Europeans' privacy rights, for example, by failing to secure their personal data.
"People's personal data is just that - personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience," says U.K. Information Commissioner Elizabeth Denham. "That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Security experts have reported that the BA breach appears to tie to groups of attackers - collectively known as Magecart - that implant code on websites that allows them to steal payment card data. Beyond BA, other high-profile victims have included Newegg and Ticketmaster and others (see Magecart Nightmare Besets E-Commerce Websites).
The ICO's proposed GDPR fine would be the biggest to date in monetary amount. But with 400-odd GDPR fines having already been levied to date, attorney Jonathan Armstrong of London-based law firm Cordery tells Information Security Media Group that it's not clear if it would also be the biggest-ever percentage of an organization's annual revenue that has been used to calculate such a sanction.
BA Plans to Appeal
BA and its parent company, International Airlines Group, say they plan to appeal the proposed fine.
"British Airways will be making representations to the ICO in relation to the proposed fine," says Willie Walsh, chief executive of International Airlines Group. "We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals."
The ICO says BA has cooperated with its investigation and has already made security improvements following the breach. On Monday, BA again apologized for the breach.
"We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers' data," says Alex Cruz, chairman and chief executive of BA. "We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused."
No evidence of fraud, however, is not the same as no fraud having occurred. It also doesn't forestall the risk that fraud might occur in the future, or have gone unnoticed.
Legal experts say the ICO's finding will likely have a knock-on effect. "As well as the regulatory activity we can certainly expect to see statements from lawyers contemplating a class action against BA," write Cordery attorneys Jonathan Armstrong and André Bywater in a note to clients (see: GDPR: Data Breach Class Action Lawsuits Come to Europe).
The Cordery attorneys say the proposed fine against BA is a clear reminder that organizations must ensure they have a strong cybersecurity posture. "Organizations need to make sure that they do all that they can to stop data breaches," they write. "They also need to make sure they can react to data breaches quickly when they happen."
Regulator to Organizations: Do the Right Thing
The ICO says GDPR penalties - as enacted in the U.K. via the Data Protection Act 2018 - are not meant to be punitive. Organizations that try to do the right thing won't be punished simply for failing. Also, the 72-hour deadline for an organization to alert authorities in the case of some types of breaches isn't meant to serve as a "gotcha," but rather so that regulators can help (see: GDPR: UK Privacy Regulator Open to Self-Certification).
"GDPR fines (amongst other things) are for inappropriate security as opposed to getting breached," says Carl Gottlieb, data protection officer for software firms Duolingo and Hudl, via Twitter. "Breaches are a good pointer but are not themselves actionable. So organizations need to implement security that is appropriate for their size, means, risk and need."
I can't overstate the significance of this #GDPR British Airways fine (1.5% of worldwide turnover / £183m) for anyone in security, privacy or senior management. You've got to get security right, with appropriate levels for your organization, else the fines can be career changing.— Carl Gottlieb (@CarlGottlieb) July 8, 2019
One takeaway for organizations that want to learn from the BA breach is the need to maintain IT environmental awareness. "The question a board should be asking a CISO is whether they know for certain what is running on their website, what should be there, what shouldn't and whether anything has been modified," Gottlieb tells ISMG. "It's just good IT governance. It's a simple problem to understand but takes a lot of effort and commitment to solve."
Not the First GDPR Fine
The ICO's proposed fine against BA would be the biggest-ever GDPR fine. But as noted, it is far from the first GDPR fine to have been previewed or levied.
In the first nine months following GDPR going into full effect on May 25, 2018, EU privacy regulators levied $63 million in fines, the European Data Protection Board reported in May (see: GDPR: Europe Counts 65,000 Data Breach Notifications So Far).
That includes France's privacy regulator in January proposing to fine Google $57 million for data security and privacy violations involving "transparency, information and consent."
Another notable case involved Portugal's data protection authority earlier this year fining Centro Hospitalar Barreiro Montijo €400,000 ($449,000) for "breaching the security provisions of GDPR - amongst other violations," Cordery's Armstrong and Bywater write. "The DPA's findings included the fact that there were 985 users of the hospital's IT systems associated with the profile 'doctor' for a hospital that employed only 296 doctors."