[BreachExchange] UK’s ICO reduces British Airways data breach fine to £20M, after originally setting it at £184M

Destry Winant destry at riskbasedsecurity.com
Fri Oct 16 10:35:50 EDT 2020


https://techcrunch.com/2020/10/16/uks-ico-downgrades-british-airways-data-breach-fine-to-20m-after-originally-setting-it-at-184m/

One of the biggest data breaches in UK corporate history has been
closed off by regulators not with a bang, but a whimper. Today the
Information Commissioner’s Office, the UK’s data watchdog, announced
that it would be fining British Airways £20 million ($25.8 million)
for a data breach in which the personal details of more than 400,000
customers were leaked after BA suffered a two-month cyberattack and
lacked adequate security to detect and defend itself against it. It
had originally planned to fine BA nearly £184 million, but it reduced
the penalty in light of the economic impact that BA (like other
airlines) has faced as a result of Covid-19, as well as work BA had
undertaken to address the issue, and the ICO learning more about the
nature of the attack in a further investigation.

Even with the reduced penalty size, the ICO is sticking by its
original conclusions:

“People entrusted their personal details to BA and BA failed to take
adequate measures to keep those details secure,” said Information
Commissioner Elizabeth Denham in a statement. “Their failure to act
was unacceptable and affected hundreds of thousands of people, which
may have caused some anxiety and distress as a result. That’s why we
have issued BA with a £20 million fine – our biggest to date. When
organisations take poor decisions around people’s personal data, that
can have a real impact on people’s lives. The law now gives us the
tools to encourage businesses to make better decisions about data,
including investing in up-to-date security.”

BA responded with a statement of its own, noting that it had cooperated
with the investigation and acknowledging the reduced penalty.

“We alerted customers as soon as we became aware of the criminal
attack on our systems in 2018 and are sorry we fell short of our
customers’ expectations,” a spokesperson said to TechCrunch. “We are
pleased the ICO recognises that we have made considerable improvements
to the security of our systems since the attack and that we fully
co-operated with its investigation.”

From what we understand, some £150 million of the reduction was made
as the ICO pieced apart the events that led to the attack and
apportioned less blame to BA than it originally had; another £6
million was discounted based on BA’s response, and a further £4
million was taken off as part of the ICO’s Covid-19 policy, reflecting
the impact the coronavirus pandemic has had on BA’s business.

That step down underscores the impact the coronavirus pandemic is
having on regulations. In some cases, in order to more quickly address
issues that potentially impact business growth, we’ve seen regulators
try to speed up their responsiveness to casework and even leave behind
some previous reservations to green light activities, as in the case
of e-scooters.

But in the case of the BA fine, we’re seeing the other side of the
Covid-19 impact: regulators have chosen to take a less hard line when
it comes to financial penalties when the company in question is
already struggling. That could change the impact and also set a
precedent in terms of how regulators respond to future cases of
security and data protection neglect.

The original proposal to fine BA £184 million was 1.5% of BA’s
revenues in the 2018 calendar year, and it was originally set in 2019.
That was, of course, before the coronavirus pandemic hit, halting
travel globally and bringing many airlines to their knees. The
original order, ironically, was subject to a lot of classic regulatory
red tape, which in this case worked in BA’s favor: in addition to
hearing arguments from BA, the process included an assessment of the
state of the company in the current market.

“In June 2019 the ICO issued BA with a notice of intent to fine,” the
ICO noted in its statement on the reduced fine. “As part of the
regulatory process the ICO considered both representations from BA and
the economic impact of COVID-19 on their business before setting a
final penalty.”

Although the fine was lower, the salient facts of the investigation’s
findings remained the same: the ICO had determined that BA had
“weaknesses in its security” that could have been prevented with
security systems — procedures and software — that were available at
the time.

As a result, data from 429,612 customers and staff was leaked,
including “names, addresses, payment card numbers and CVV numbers of
244,000 BA customers,” the ICO said, adding that the combined card and
CVV numbers of 77,000 customers and card numbers only for 108,000
customers were also believed to be a part of the breach, as well as
the usernames and passwords of BA employee and administrator accounts,
and the usernames and PINs of up to 612 BA Executive Club accounts
(these last two categories, it seems, were also not fully verified).

On top of that, BA never detected the attack, it said: it was notified
of the breach by a third party.

The ICO said that its action has been approved by other data
protection authorities (DPAs) in the European Union: the attack
happened while the UK was still in the EU, so the investigation was
carried out by the ICO on behalf of the EU authorities, it said.

For BA’s part, the airline, which is part of the International
Airlines Group (a group formed through a series of mergers that also
includes Iberia, Aer Lingus, Vueling and other brands and operators),
has been working to reinvest in the security of its systems. It has
also offered “concerned customers” 12 months’ membership of a credit
check/management service.

There have been a number of data breaches in the travel and
hospitality sector in recent years affecting not just other airlines
(for example easyJet, with 9 million records impacted this past May;
and Cathay Pacific, which was fined only £500,000 earlier this year
for a breach that impacted 9.5 million customers globally, with around
111,000 in the UK), but also hotels, with the biggest being the
Marriott breach estimated to have impacted some 500 million people.

Updated with more detail on the fine and also commentary from BA.

