
British Airways receives $20M fine for cyber-incident


The UK Information Commissioner’s Office (ICO) has fined British Airways (BA) £20 million ($25 million). The commission found the airline responsible for failing to protect over 400,000 of its customers’ personal and financial data, which was leaked during a cyber-attack incident in 2018. While significant, the financial penalty is around 25 times lower than the “worst-case” scenario.

Following a two-year investigation, the ICO found that British Airways was processing “a significant” amount of its customers’ private data without proper security measures. Had the airline identified and resolved the weaknesses in its security measures, it could have prevented the 2018 cyber-attack “being carried out in this way,” the commission outlined in a statement on October 16, 2020.

British Airways cyber-attack

British Airways revealed that it had been subject to a cyber-attack on September 6, 2018.

“From 22:58 (BST) August 21, 2018, until 21:45 (BST) September 5, 2018, inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised,” the airline’s statement read.

At that time, it was estimated that hackers had obtained the personal data of around 380,000 of BA’s customers, including names, addresses, credit card numbers, expiry dates and security codes, but not travel or passport details, as the airline stressed.

“We discovered that something had happened but we didn’t know what it was [on the evening of September 5, 2018]. So overnight, teams were trying to figure out the extent of the attack,” the airline’s Chairman and Chief Executive Alex Cruz was quoted as saying by the BBC at that time. “The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”

However, the ICO announcement indicates that the data breach actually affected around 429,612 of BA’s customers and staff. Among them are around 244,000 people whose names, addresses, payment card numbers, and CVV numbers are believed to have been accessed by the attacker.

Historic £20M fine against BA

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result,” ICO investigators outlined in the statement. “That’s why we have issued BA with a £20m fine – our biggest to date.”

However, the biggest fine to date is actually not that great when taking into account that the initial, worst-case estimate pointed to a sum 25 times greater.

After the information about BA’s cyber-attack became public in 2018, experts calculated that the airline might be subject to a fine of up to £489 million ($637 million) – 4% of its annual global revenue in 2017.

In June 2019, the ICO issued the airline with a notice of intent to fine, finally revealing the actual size of the proposed financial penalty. In reality, the authority was proposing a £183.39 million fine against the air carrier, which was equal to approximately 1.5% of BA’s revenue in 2017.

So how did the fine go from the intended £183.39 million to the actual £20 million? Well, COVID-19 happened. “As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty,” the authority explained in its latest statement.
