ICO issues British Airways with a ground-breaking fine

On 16 October 2020, the Information Commissioner’s Office (the “ICO”) imposed a monetary penalty notice fining British Airways Plc (“BA”) £20 million for breaching its data security obligations under the General Data Protection Regulation (the “GDPR”) in connection with a cyber-attack it suffered in 2018. This is the ICO’s largest fine to date, although the amount imposed is a significant reduction on the £183.39 million the ICO announced it intended to fine BA in July 2019.

Details of the cyber attack

The attacker is believed to have accessed the personal data of over 400,000 BA customers and staff members worldwide. The information obtained included names, addresses, payment card numbers and CVV numbers, although it is thought that only around 100,000 customers had their payment information accessed. The attack went undetected for over two months, from 22 June to 5 September 2018.

Usernames and passwords of BA employee accounts, as well as usernames and PINs of up to 600 BA Executive Club accounts, were also potentially accessed.

Failure to prevent the attack

The ICO listed in its penalty notice a number of measures that BA could have taken to mitigate the risk of the attacker accessing personal data through the BA network. These include:

  • limiting access to applications, data and tools to only those which are required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; and
  • protecting employee and third party accounts with multi-factor authentication.

The ICO noted that these additional measures would not have entailed excessive cost or technical difficulty for BA, as some of them were already available through the Microsoft operating system BA used.

Another significant factor taken into account by the ICO was that BA did not detect the attack, which began on 22 June 2018, itself; it was informed of it by a third party more than two months later, on 5 September 2018. The ICO considered this a severe failing because it is not clear whether, or when, BA would have identified the attack on its own. Had it not been for this third party, the financial harm could have been even more widespread.

Significance

The fine payable by BA is the largest imposed to date by the ICO for a breach of the GDPR. Although £20 million appears to be a narrow escape compared to the £183 million originally proposed by the ICO, Article 83 of the GDPR requires the ICO to ensure that any fine imposed is "effective, proportionate and dissuasive". The ICO took into account the prompt action BA took to mitigate the risk of harm once it became aware of the attack, as well as the economic impact of COVID-19 on the business – and, with all considerations weighed, imposed a greatly reduced (albeit still eye-watering) fine.
