Expert Insights

You are here:

Home
News & Insights
Expert Insights
ICO issues British Airways with a ground-breaking fine

28 October 2020

ICO issues British Airways with a ground-breaking fine

On 16 October 2020, The Information Commissioner’s Office (the “ICO”) imposed a monetary penalty notice fining British Airways Plc (“BA”) £20million for breaching its data security obligations under the General Data Protection Regulation (the “GDPR”) when they faced a cyber-attack in 2018. This is the ICO’s largest fine to date and the amount imposed was a significant reduction on the £183.39 million the ICO announced that it intended to fine BA back in July 2019.

Details of the cyber attack

The attacker is believed to have accessed the personal data of over 400,000 BA customers and staff members worldwide. Information obtained includes names, addresses, payment card numbers and CVV numbers; although it is thought only around 100,000 customers had their payment information accessed. The attack went undetected for over 2 months spanning from 22 June to 5 September 2018.

Usernames and passwords of BA employee accounts, as well as usernames and PINs of up to 600 BA Executive Club accounts, were also potentially accessed.

Failure to prevent the attack

The ICO listed a number of factors in its penalty notice report that BA could have used to mitigate the risk of the attacker being able to access personal data through the BA network. These include:

limiting access to applications, data and tools to only those which are required to fulfil a user’s role;
undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; and
protecting employee and third party accounts with multi-factor authentication.

It was noted that these additional measures would not have entailed excessive costs or technical barriers to BA, with some of these measures already available through the Microsoft Operating System that they used.

Another consequential factor taken into account by the ICO was that on 22 June 2018 BA did not detect the attack themselves but were informed by a third party more than two months after, on 5 September 2018. The ICO considered this to be a severe failing because it is not clear whether or when BA would have identified the attack themselves. Had it not been for this third party the financial harm could have been even more widespread.

Significance

The fine payable by BA is the largest imposed to date by the ICO for a breach of the GDPR. Although £20million appears to be a narrow escape (compared to the £183million originally suggested by the ICO), Article 83 of the GDPR does require the ICO to ensure any fine imposed is "effective, proportionate and dissuasive". The ICO considered BA’s prompt action that was taken to mitigate the risk of harm suffered (once aware of the attack), as well as the economic impact of COVID-19 on the business – and with all considerations taken into account, imposed a greatly reduced (albeit still eye-watering) fine.

Our thinking

Charity Training Series

Sarah Rowley

Events
22 Jun 2023
Join us in our three part series where we will be joined by various experts. Read More Join us in our three part series where we will be joined by various experts.
Basic Guide to Different Types of Liabilities and Claims Under the Building Safety Act 2022

Hannah McDonald

Insights
24 Mar 2023
The Building Safety Act 2022 (BSA) has introduced a new regime with a particular emphasis on “higher-risk buildings” Read More The Building Safety Act 2022 (BSA) has introduced a new regime with a particular emphasis on “higher-risk buildings”
Defect Claims in Construction Projects

Sam Johnson

Insights
24 Mar 2023
This article tackles what a construction defect is, where the liability for such defects sits, and how defect claims might be resolved. Read More This article tackles what a construction defect is, where the liability for such defects sits, and how defect claims might be resolved.
FT Adviser quotes Sarah Higgins on the abolished LTA and how this affects divorce and inheritance

Sarah Higgins

In the Press
23 Mar 2023
How could the abolished LTA affect divorce and inheritance? Read More How could the abolished LTA affect divorce and inheritance?
The Times quotes Karen Stages on solicitor apprenticeships

Karen Stages

In the Press
23 Mar 2023
“We have been offering apprenticeships for six years, and this year marks the year that our first cohort will qualify as solicitors. " Read More “We have been offering apprenticeships for six years, and this year marks the year that our first cohort will qualify as solicitors. "
The Times quotes Rupa Lakha on the Indian legal services market opening up to foreign lawyers

Rupa Lakha

In the Press
23 Mar 2023
Rupa Lakha reacts to the Indian legal services market opening up to foreign lawyers, providing new opportunities for collaboration. Read More Rupa Lakha reacts to the Indian legal services market opening up to foreign lawyers, providing new opportunities for collaboration.
Property Patter: Spring Budget 2023

Samuel Lear

Podcasts
22 Mar 2023
Our Real Estate team discuss what the Spring Budget means for Property-focused businesses. Read More Our Real Estate team discuss what the Spring Budget means for Property-focused businesses.
Sarah Wray writes for eprivateclient on the tax implications to consider when developing a garden

Sarah Wray

In the Press
21 Mar 2023
Losing the plot: Tax implications of developing the garden Read More Losing the plot: Tax implications of developing the garden
Felicity Chapman writes for Circle2Success on changes to Capital Gains Tax rules

Felicity Chapman

In the Press
20 Mar 2023
Separating Spouses and Civil Partners to Benefit from Changes to Capital Gains Tax Rules Read More Separating Spouses and Civil Partners to Benefit from Changes to Capital Gains Tax Rules
LexisNexis features Patrick Gearon FCIArb in its UAE Managing Partner Report

Patrick Gearon FCIArb

In the Press
20 Mar 2023
"We hope to continue to grow all three of our Middle East offices and grow our presence in other key markets in the Middle East..." Read More "We hope to continue to grow all three of our Middle East offices and grow our presence in other key markets in the Middle East..."
Failing to prevent is preparing to fail - the new "failure to prevent" fraud criminal offence

Abigail Rushton

Insights
17 Mar 2023
The "Bill" has proposed a new criminal offence for corporate entities for the failure to prevent fraud. Read More The "Bill" has proposed a new criminal offence for corporate entities for the failure to prevent fraud.
Digital Assets in 2022-23: Key Developments & Trend Spotting in the UK, Switzerland, the Middle East & Hong Kong

Nick White

Insights
17 Mar 2023
We explore key developments & trend spotting in the UK, Switzerland, the Middle East & Hong Kong for digital assets. Read More We explore key developments & trend spotting in the UK, Switzerland, the Middle East & Hong Kong for digital assets.
Tips on managing disputes after the Privy Council refuses to hear appeal in Perry offshore trust litigation

Sarah Moore

Insights
17 Mar 2023
The Privy Council refused to hear appeal in Perry offshore trust litigation - here are tips on managing trust disputes. Read More The Privy Council refused to hear appeal in Perry offshore trust litigation - here are tips on managing trust disputes.
Spring Budget - Corporate Tax

Helen Coward

Insights
17 Mar 2023
The Chancellor clearly hopes that the new first year allowance will incentivise business investment. Read More The Chancellor clearly hopes that the new first year allowance will incentivise business investment.
Spring budget 2023: a quiet budget for farmers?

Sarah Wray

Insights
16 Mar 2023
A couple of points from Jeremy Hunt’s budget speech that are relevant to farmers and landowners. Read More A couple of points from Jeremy Hunt’s budget speech that are relevant to farmers and landowners.
Silicon quotes Nick White on what the 2023 Spring Budget means for UK tech

Nick White

In the Press
16 Mar 2023
"...now is the time for the UK to invest significantly in an attempt to build up its credentials as a global tech leader in its own right.” Read More "...now is the time for the UK to invest significantly in an attempt to build up its credentials as a global tech leader in its own right.”
Pharmaphorum quotes Louise Ward on the Budget and what this means for the biopharma sector

Louise Ward

In the Press
16 Mar 2023
"The new R&D tax credits scheme will be welcomed by small and medium sized companies." Read More "The new R&D tax credits scheme will be welcomed by small and medium sized companies."
Creating a trans inclusive workplace

Syma Spanjers

Insights
15 Mar 2023
This briefing looks at the legal and practical issues that commonly arise in creating a trans inclusive workplace. Read More This briefing looks at the legal and practical issues that commonly arise in creating a trans inclusive workplace.
Dealing with an Insolvent Contractor

Joseph Bearman

Insights
14 Mar 2023
Learn how to deal with an insolvent contractor, by following our step by step guide. Read More Learn how to deal with an insolvent contractor, by following our step by step guide.
Administrations in Rugby Union: a breakdown of Wasps’ and Worcester’s demise

Jamie Rhodes

Insights
13 Mar 2023
Both rugby clubs lose their all their P-Shares, after the Rugby Football Union (RFU) rejected their no-fault insolvency appeals. Read More Both rugby clubs lose their all their P-Shares, after the Rugby Football Union (RFU) rejected their no-fault insolvency appeals.

Show all News & Insights

ICO issues British Airways with a ground-breaking fine

Details of the cyber attack

Failure to prevent the attack

Significance

Anna Rogers

Our thinking

Charity Training Series

Basic Guide to Different Types of Liabilities and Claims Under the Building Safety Act 2022

Defect Claims in Construction Projects

FT Adviser quotes Sarah Higgins on the abolished LTA and how this affects divorce and inheritance

The Times quotes Karen Stages on solicitor apprenticeships

The Times quotes Rupa Lakha on the Indian legal services market opening up to foreign lawyers

Property Patter: Spring Budget 2023

Sarah Wray writes for eprivateclient on the tax implications to consider when developing a garden

Felicity Chapman writes for Circle2Success on changes to Capital Gains Tax rules

LexisNexis features Patrick Gearon FCIArb in its UAE Managing Partner Report

Failing to prevent is preparing to fail - the new "failure to prevent" fraud criminal offence

Digital Assets in 2022-23: Key Developments & Trend Spotting in the UK, Switzerland, the Middle East & Hong Kong

Tips on managing disputes after the Privy Council refuses to hear appeal in Perry offshore trust litigation

Spring Budget - Corporate Tax

Spring budget 2023: a quiet budget for farmers?

Silicon quotes Nick White on what the 2023 Spring Budget means for UK tech

Pharmaphorum quotes Louise Ward on the Budget and what this means for the biopharma sector

Creating a trans inclusive workplace

Dealing with an Insolvent Contractor

Administrations in Rugby Union: a breakdown of Wasps’ and Worcester’s demise

Share this Page