British Airways £184 Million GDPR Fine Reduced to £20 Million
The UK’s Information Commissioner’s Office (ICO) has announced that the General Data Protection Regulation (GDPR) financial penalty that was imposed on British Airways in July 2019 has been reduced to £20 million ($26 million) from £184 million ($238 million).
The massive financial penalty was imposed on the International Airlines Group-owned airline over a 2018 data breach that exposed the personal information of approximately 430,000 of its customers. The ICO investigation revealed British Airways had not implemented proper security protocols to protect the large amount of customer data on its systems and, as a result of those security failures, hackers gained access to customers’ credit card information and employee credentials.
The cyberattack is believed to have involved the use of a JavaScript skimmer on its e-commerce checkout system, which exfiltrated customers’ credit card information when they were entered in a Magecart-style attack. The ICO estimates approximately 244,000 customers had their name, address, credit card number, expiry date, and CVV code stolen. Employee credentials were also stolen, along with the usernames and PINs of 612 BA Executive Club account holders.
British Airways was informed by a third party that its systems had been compromised two months after hackers had gained access to its e-commerce system. The ICO expressed concern about the failure to detect the breach and was not convinced that British Airways would even have identified the breach had it not been for the third-party notification.
After being notified about the breach, prompt action was taken to expel the hackers from its systems and customers were notified about the breach. British Airways cooperated fully with the ICO investigation and has made significant improvements to system security.
British Airways appealed the £184 million financial penalty. ICO considered the representations of British Airways when reconsidering the financial penalty together with the economic impact COVID-19 has had on the firm and reduced the penalty to £20 million. Even though there was a sizable reduction in the penalty amount, it is still the largest ever GDPR fine imposed on a company by the ICO.
“People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA a £20m fine – our biggest to date,” said ICO Commissioner Elizabeth Denham.