ICO issues British Airways with a ground-breaking fine
On 16 October 2020, the Information Commissioner’s Office (the “ICO”) issued a monetary penalty notice fining British Airways Plc (“BA”) £20 million for breaching its data security obligations under the General Data Protection Regulation (the “GDPR”) in connection with a cyber-attack BA suffered in 2018. This is the ICO’s largest fine to date, and the amount imposed is a significant reduction on the £183.39 million the ICO announced it intended to fine BA back in July 2019.
Details of the cyber-attack
The attacker is believed to have accessed the personal data of over 400,000 BA customers and staff members worldwide. The information obtained includes names, addresses, payment card numbers and CVV numbers, although it is thought that only around 100,000 customers had their payment information accessed. The attack went undetected for over two months, from 22 June to 5 September 2018.
Usernames and passwords of BA employee accounts, as well as usernames and PINs of up to 600 BA Executive Club accounts, were also potentially accessed.
Failure to prevent the attack
The ICO listed a number of factors in its penalty notice report that BA could have used to mitigate the risk of the attacker being able to access personal data through the BA network. These include:
- limiting access to applications, data and tools to only those which are required to fulfil a user’s role;
- undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; and
- protecting employee and third party accounts with multi-factor authentication.
It was noted that these additional measures would not have entailed excessive costs or technical barriers for BA, as some of them were already available through the Microsoft operating system BA used.
Another consequential factor taken into account by the ICO was that BA did not detect the attack, which began on 22 June 2018, itself; it was informed by a third party more than two months later, on 5 September 2018. The ICO considered this a severe failing because it is not clear whether, or when, BA would have identified the attack on its own. Had it not been for this third party, the financial harm could have been even more widespread.
Significance
The fine payable by BA is the largest imposed to date by the ICO for a breach of the GDPR. Although £20 million appears to be a narrow escape compared to the £183 million originally suggested by the ICO, Article 83 of the GDPR does require the ICO to ensure that any fine imposed is "effective, proportionate and dissuasive". The ICO took into account the prompt action BA took to mitigate the risk of harm once it became aware of the attack, as well as the economic impact of COVID-19 on the business, and with all considerations weighed it imposed a greatly reduced (albeit still eye-watering) fine.