£20m fine for British Airways data breach – the ICO’s appetite grows despite Covid-19

With its recent issuing of a £20 million fine to British Airways for its GDPR failings, the ICO has reminded the public that it is serious about protecting our personal data, no matter the global climate.

In 2018, BA fell victim to a cyber-attack, which it did not detect for over two months (in fact, a third party notified BA of the breach). As a result, more than 400,000 BA customers and staff had their personal and financial data accessed by a third party.

The ICO’s investigation into this breach determined that BA was processing personal data without adequate security measures, should have identified the weaknesses in its systems and could have taken several steps to adequately protect data. These measures were (and still are) cost-effective and easily implemented, leaving BA with little to no excuse as to why the data breach had occurred.

The key failing for BA was the question of if, not necessarily when, they would have identified the breach: had it not been for the notifying third party, many more individuals could have had their data harvested. However, BA was credited with acting swiftly and cooperatively once it became aware of the breach.

Following its initial intention to fine BA £183.39 million (equating to 1.5% of its global annual turnover), the ICO heard representations from BA and took into account the effects of Covid-19 to arrive at a final penalty of £20 million, the biggest fine to date.

BA have reportedly made considerable improvements to their IT security since the breach and cooperated with the ICO throughout their investigation. For the ICO’s report on the investigation and the fine, click here.

In other news…

The ICO issued its notice of intention to fine Marriott International £99 million in July 2019. Another extension has since been agreed between the parties, so we continue to wait for confirmation of the fine.

Speak to our specialist lawyers

If you would like advice on your data protection obligations as a business, please do not hesitate to contact our GDPR specialists by emailing corporate@ibblaw.co.uk or calling 01895 207264.