On October 16, 2020, the Office of the UK Information Commissioner (“ICO”) announced a fine of £20,000,000 (approximately US$25,850,000) on British Airways (“BA”), owned by International Consolidated Airlines Group, SA, for violations of the EU General Data Protection Regulation (GDPR). This is a significant decrease (around 90%) from the proposed fine of £183,390,000 (around $230,000,000) announced by the ICO in July 2019, but it is the largest fine imposed by the ICO to date.
The ICO found that BA had not processed its customers’ personal data in a way that ensures adequate security in accordance with Article 5(1)(f) and Article 32 of the GDPR. The relevant data breach took place between June 22 and September 5, 2018, when an unidentified attacker gained access to BA’s IT systems and network. The attacker was able to redirect customer payment card data from the BA website to a fraudulent website controlled by the attacker for a period of 15 days. This process is known as “flying over.” BA was informed of the problem by a third party and reported it to the ICO on September 6, 2018. A total of around 430,000 people were affected.
As a result of the attack, personal customer data such as names, addresses and payment card data (including CVV), as well as login data of BA employees and administrator accounts, were recorded. BA Executive Club account usernames and PIN numbers were also compromised. The ICO noted that BA was negligent in the circumstances and knew that a company of its size and profile was likely to be targeted by attackers. The ICO suggested various measures that BA could have taken to prevent the breach but did not implement, and it suggested that each of the different steps the attacker took to eventually breach personal data “could have been prevented or the effects were reduced by the BA taking one or more suitable measures that were open to it.” Additionally, the ICO noted that the compromised financial data was considered sensitive, even though no specific category data was involved. The ICO also commented: “The errors are particularly serious if it is unclear whether or when BA itself would have ever discovered the violation.”
Additionally, the ICO highlighted the “fear and distress” suffered by individuals as a result of their personal information being disclosed and disagreed with BA’s claim that payment card breaches are an “inevitable fact of life,” commenting, “These statements trivialize what was a serious mistake by BA.”
When calculating the fine, the ICO took into account BA’s representations in response to the original letter of intent on the fine and additional technical information that BA provided, along with the factors listed in Article 83(2) of the GDPR, including the nature, severity and duration of the breach, the number of people affected and the damage they suffered, as well as measures to mitigate the impact of the incident. Mitigating factors included the fact that BA did not derive any financial benefit from the breach, immediately notified the ICO, committed no relevant prior breaches, and offered to compensate individuals for financial losses incurred as a direct result of the theft of their card details. The ICO stated that BA had fully cooperated with the investigation and noted the improvements that have been made to BA’s IT security since the breach. The criminal complaint also details BA’s legal challenges to the ICO’s approach to calculating the fine. These include far-reaching administrative arguments and criticism of the ICO’s obvious dependence on a draft internal procedure (on which the ICO did not rely when calculating the final penalty). The ICO reduced the fine by 20% (to £24 million) to reflect the extenuating measures taken by BA and reduced the fine by an additional £4 million to reflect the economic impact of the COVID-19 pandemic.
Finally, it should also be noted that the potential fine under the GDPR for violating the safety principle under Article 5(1)(f) (the higher level of up to 4% of total global sales) differs from that for violating Article 32 (the lower level of up to 2%). The ICO addressed this apparent anomaly and recognized the overlap between Articles 5 and 32, but relied on Article 83(3), which provides that if several provisions of the GDPR are violated, the total amount of the fine must not exceed the amount stated for the worst offense.