British Airways – Details of the Data Breach and the Record $230 Million Fine

On July 8th, 2019, the Information Commissioner's Office (ICO) announced its intention to fine British Airways (BA) approximately $230 million (USD) for a 2018 data breach that affected around 500,000 of its customers. The figure is a proposed penalty: BA is entitled to make representations before the ICO issues a final decision.

This is the biggest fine that has ever been issued by the ICO to date.

British Airways first disclosed the breach on September 6th, 2018, informing the public that the personal information of around 380,000 customers had been compromised between August 21st and September 5th, 2018.

Soon after, the ICO stated that the breach resulted from BA's website being compromised by attackers, who diverted user traffic to a fraudulent site and harvested personal information there. The stolen data consisted of names, email addresses, phone numbers, and payment card details (including expiry dates and CVVs) of an estimated 500,000 customers.

RiskIQ, a cybersecurity firm, investigated the incident and published its findings in a blog post on September 11th, 2018. In summary, the breach was made possible by a "script injection" into BA's website, attributed to the cybercriminal group Magecart. The malicious JavaScript ran in customers' browsers on the payment page and captured the card details they entered into the payment form at the moment of submission, sending them to a server the attackers controlled. The technique is similar to the skimmer used in the Ticketmaster breach of June 2018.

GDPR Infringement

The General Data Protection Regulation (GDPR) requires organisations to collect, process, and store personal data securely. Because BA failed to implement the security measures needed to comply with the law, it faced a penalty of up to 4% of its annual revenue (GDPR's maximum is the higher of €20 million or 4% of worldwide annual turnover). Based on BA's $15.2 billion revenue in 2017, the maximum possible penalty for the airline was roughly $610 million.

On July 8th, 2019, the ICO proposed a $230 million fine for British Airways, less than half of the maximum penalty.

British Airways’ Response

After the fine was announced, Alex Cruz, Chairman and Chief Executive of British Airways, said in a statement:

“We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

International Airlines Group (IAG), British Airways' parent company, plans to fight the fine. Willie Walsh, Chief Executive of IAG, commented:

“British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

IAG has 28 days from July 8th, 2019 to make its representations in this initial stage of the process.

What we can learn from this

This should be a wake-up call for businesses of all sizes to take cybersecurity and the protection of personal information more seriously. Elizabeth Denham, the Information Commissioner, explained why protecting personal data matters:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

Let British Airways' case be an example of how seriously regulators enforce privacy laws such as GDPR. Failure to protect personal data can result in huge fines and lasting damage to a company's reputation.