The British ICO (Information Commissioner's Office) intends to fine the airline British Airways (BA) £183.39 million for infringements of the General Data Protection Regulation (GDPR). The reason is a cyber incident in the summer of 2018.
The Background: Hack at British Airways
I had mentioned the privacy incident at British Airways in my German blog post Datenleaks und Sicherheit (26.10.2018). British Airways (BA) had to admit a hack on September 6, 2018: in the period between August 21 and September 5, 2018, data of BA customers was stolen. In October there was an 'update' to the bad news. An investigation had shown that the attackers may have stolen additional personal data. At that point the holders of 77,000 payment cards who had not yet been notified were informed of a possible disclosure of their data (name, billing address, e-mail address, and card payment information including card number, expiry date and CVV). A further 108,000 customers were suspected to be at risk as well; in their case the stolen card data did not include the CVV. Potentially affected are customers who made Reward Bookings between 21 April and 28 July 2018 and paid with a payment card.
ICO investigation and fine
The incident took place after the EU General Data Protection Regulation (German: DSGVO, English: GDPR) became applicable on May 25, 2018. The supervisory authorities therefore had to decide on a fine under the GDPR rules. While Facebook may have got away from the Cambridge Analytica scandal with a fine of 500,000 pounds, the maximum under the previous UK data protection law (see 'Höchststrafe' für Facebook in England im Analytica-Skandal), things look considerably worse for British Airways.
Blog reader Leon had already informed me this morning by mail about this announcement from the ICO (Information Commissioner's Office). The ICO is the UK's independent authority set up to uphold information rights in the public interest, to promote openness by public bodies and to protect the data privacy of individuals. The ICO announcement essentially contains the following statements.
- Following an extensive investigation, the ICO has announced that it intends to impose a fine of £183.39 million on British Airways for breaches of the General Data Protection Regulation (GDPR).
- The proposed fine relates to the cyber incident described above, which British Airways reported to the ICO in September 2018. In this incident, user traffic to the British Airways website was diverted to a fraudulent site, through which the attackers harvested customer details. The incident, which is believed to have begun in June 2018, compromised the personal data of approximately 500,000 customers.
- The ICO's investigation found that a variety of information was compromised because of poor security arrangements at the company. This includes log in details, payment card data and travel booking details, as well as name and address information.
British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO on the proposed findings and sanction.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR 'one stop shop' provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO's findings.
The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.