It seems the data breach that involved British Airways has come back to haunt them, with the UK Information Commissioner's Office (ICO) fining the airline £20 million for failing to protect the personal and financial details of over 400,000 of its customers.
The ICO breaks down what happened:
- The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
- Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
- Usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.
The investigation found that British Airways was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months. The ICO found that the airline should have identified weaknesses in its security and resolved them with security measures that were available at the time.
ICO investigators found that BA did not detect the attack of 22 June 2018 itself but was alerted by a third party more than two months afterwards, on 5 September. Once it became aware, BA acted promptly and notified the ICO.
It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.
As to the fine, the ICO issued the airline with a notice of intent to fine. This was originally set at £183 million; however, the ICO reduced it due to the economic impact of COVID-19 on the airline's business. It is still one of the biggest fines the ICO has issued.
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
There were ways to prevent this: penetration testing, limiting access to systems, using multi-factor authentication, and so on. At the end of the day this breach was preventable, and the airline messed up.
We're living in an age where security has to be expected, not just at the consumer level but also at the organisational level.
Whilst the airline seems to have improved its security since then, it's a reminder to both consumers and companies to test their defences and to be a lot more careful online.
The full enforcement action notice is at https://ico.org.uk/media/action-weve-taken/mpns/2618421/ba-penalty-20201016.pdf.
It also serves as a not-so-subtle warning to those companies who think they can get away with the minimum possible security measures: they will face action and heavy fines if they fail to comply and protect their data.