British Airways (BA) has escaped a possible £183 million data breach fine, partly because of the economic disruption caused by the coronavirus pandemic.
The Information Commissioner’s Office (ICO) will now fine BA the smaller sum of £20 million, after taking into account appeals from the airline and also the economic fallout from the pandemic.
The original figure was approximately 1.5 per cent of the company’s annual turnover, in line with the penalty framework set out in the European General Data Protection Regulation (GDPR).
But £20m is still a significant sum. It is the highest fine imposed by the ICO to date, and it serves as a warning to companies of all sizes about what can happen when customers’ personal data is not appropriately protected.
In 2018 the personal and banking details of more than 400,000 BA customers were stolen, including login credentials, payment card details, travel booking details, names and addresses. In a second incident, a further 185,000 customers who used the airline’s Avios rewards scheme also had personal data exposed.
The ICO said BA failed to take the necessary steps to protect customer data. Among the failings was the absence of multi-factor authentication across at least 13 critical applications. Some of the essential security measures BA could have used were available free as part of Microsoft Windows, but BA did not use them.
The airline was only alerted to the data breach when a third party raised the issue more than two months after it occurred. ICO said there was little evidence the airline would have ever been able to identify the attack itself.
ICO’s lower fine also reflects the fact that the airline fully co-operated with its investigation and has since made significant improvements to the security of its systems.
The final fine is lower than the €50 million (around £50 million at the time) fine issued by the French regulator CNIL against Google in 2019, but that was clearly before the economic disruption caused by Covid-19, when all airlines’ turnovers were significantly reduced.
Gary Jowett, from Computer & Network Consultants (CNC) in Brighton, said: “In this digital age companies have new ways to interact virtually with their customers which makes them more responsive and successful. But sometimes the people who design and implement systems fail to take account of all the security issues and the avenues and back doors criminals might use to undermine their systems. Twenty million is a significant sum, but it may only hurt BA a little bit. For a much smaller organisation, a fine a fraction of that amount could prove fatal.”