British Airways Data Breach: ICO issue first public intention to fine under the GDPR

The ICO has taken action against British Airways under the GDPR. We look at the facts of the case and implications for charities & social enterprises.

The Information Commissioner's Office ("ICO") have announced their intention to fine British Airways more than £180m, following an attack on their website which may have exposed the personal data of more than 500,000 people. A further notification of the ICO's intention to fine the hotel chain Marriott International more than £99m for a cyber security breach was issued by the ICO the following day.

These are the first fines to be publicised by the ICO since it gained increased powers of enforcement following the introduction of the General Data Protection Regulation ("GDPR").

British Airways Data Breach: What's happened?

British Airways suffered what it called a "sophisticated, malicious criminal attack" on its website. Users booking with the airline's website were diverted to a fraudulent site, following which their personal information was harvested unlawfully. It is thought that the scam had been taking place for three months from June to September 2018 and that over 500,000 people may have had their personal data compromised.

British Airways notified the ICO, the UK's data protection authority, of the data breach following its discovery and the ICO commenced an investigation into the data breach.

What are the conclusions of the ICO's investigation?

Following its investigation, the ICO has published an intention to fine British Airways £183.39m.

The ICO found that British Airways had poor security arrangements for log-in details, contact information, payment details and booking information.

British Airways and data protection authorities from other EU countries whose residents have been affected by the breach now have the opportunity to make representations to the ICO following the conclusion of the investigation before the fine is formally issued.

Why is the proposed fine against British Airways so big?

This is the first fine the ICO has publicised under the GDPR. Fines under the old rules were capped at £500,000. The maximum fine which can be issued under the GDPR is the greater of €20m or 4% of the organisation's global turnover. The BBC have reported that this fine is set at a level of 1.5% of British Airways' global turnover for 2017.

The ICO's message here is clear. As Elizabeth Denham, the Information Commissioner, summarises, "when you are entrusted with personal data you must look after it". As was widely predicted, the ICO appears to be flexing its enhanced enforcement powers early to send a clear message to organisations that they must take data protection seriously. 

What does this mean for my organisation?

Many charities and social enterprises will be concerned with the level of the fine. Whilst it is important to remember that this fine is based on British Airways' turnover, and so the vast majority of charities and social enterprises will not face fines anywhere near this amount – many fines issued under the new regime are likely to significantly affect the financial viability of many such organisations, and also their reputation.

The key messages from this investigation are the importance data security and the confirmation that the ICO will hold organisations to account even if they are not primarily culpable for a data breach (as is the case with cyber crime). Organisations should ensure that they have adequate procedures in place to safeguard the information they hold, particularly where that information contains payment and other sensitive personal information which could be exploited by a malicious third party.

The case is also a timely reminder to periodically review the data protection measures and documentation organisations have put in place and to check whether they could be strengthened or adjusted to reflect best practice.