UK’s ICO reduces British Airways data breach fine to £20M, after originally setting it at £184M

One of the biggest data breaches in U.K. corporate history has been closed off by regulators not with a bang, but a whimper. Today the Information Commissioner’s Office, the U.K.’s data watchdog, announced that it would be fining British Airways £20 million ($25.8 million) for a data breach in which the personal details of more than 400,000 customers were leaked after BA suffered a two-month cyberattack and lacked adequate security to detect and defend itself against it. It had originally planned to fine BA nearly £184 million, but it reduced the penalty in light of the economic impact that BA (like other airlines) has faced as a result of COVID-19, the work BA had undertaken to address the issue, and what the ICO learned about the nature of the attack in a further investigation.

Even with the reduced penalty size, the ICO is sticking by its original conclusions:

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham in a statement. “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20 million fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

BA responded with a statement of its own, noting that it had cooperated with the investigation and acknowledging the reduced penalty.

“We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations,” a spokesperson said to TechCrunch. “We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”

From what we understand, some £150 million of the reduction came as the ICO pieced apart the events that led to the attack and assigned BA less blame than it originally had; another £6 million was discounted on the basis of BA’s response, and a further £4 million was taken off under the ICO’s COVID-19 policy, reflecting the impact the coronavirus pandemic has had on BA’s business.

That step down underscores the impact the coronavirus pandemic is having on regulation. In some cases, in order to address more quickly issues that could hold back business growth, we’ve seen regulators try to speed up their handling of casework and even set aside earlier reservations to green-light activities, as in the case of e-scooters.

But in the case of the BA fine, we’re seeing the other side of the COVID-19 impact: regulators have chosen to take a softer line on financial penalties when the company in question is already struggling. That could change the impact of such penalties and also set a precedent for how regulators respond to future cases of security and data protection neglect.

The original proposal to fine BA £184 million, set in 2019, amounted to 1.5% of BA’s revenues in the 2018 calendar year. That was, of course, before the coronavirus pandemic hit, halting travel globally and bringing many airlines to their knees. The original order, ironically, was subject to a lot of classic regulatory red tape, which in this case worked in BA’s favor: in addition to hearing arguments from BA, the process also included an assessment of the state of the company in the current market.

“In June 2019 the ICO issued BA with a notice of intent to fine,” the ICO noted in its statement on the reduced fine. “As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.”

Although the fine was lower, the salient facts of the investigation’s findings remained the same: the ICO determined that BA had “weaknesses in its security” that could have been prevented with security systems — procedures and software — that were available at the time.

As a result, data from 429,612 customers and staff was leaked. That included “names, addresses, payment card numbers and CVV numbers of 244,000 BA customers,” the ICO said, adding that the combined card and CVV numbers of 77,000 customers, and card numbers only for 108,000 customers, were also believed to be part of the breach. So too were the usernames and passwords of BA employee and administrator accounts, and the usernames and PINs of up to 612 BA Executive Club accounts (though these last two categories were not completely verified, it seems).

On top of that, BA never detected the attack itself, the ICO said: it was notified of the breach by a third party.

The ICO said that its action has been approved by other data protection authorities (DPAs) in the European Union. This is because the attack happened while the U.K. was still in the EU, so the investigation was carried out by the ICO on behalf of the EU authorities, it said.

For BA’s part, the airline, which is part of the International Airlines Group — formed through mega mergers, it also includes Iberia, Aer Lingus, Vueling and other brands and operators — has been working to reinvest in the security of its systems. It also offered “concerned customers” 12 months’ membership of a credit check/management service.

There have been a number of data breaches in the travel and hospitality sector in recent years, affecting not just other airlines (for example easyJet, with 9 million records impacted this past May, and Cathay Pacific, which was fined only £500,000 earlier this year for a breach that impacted 9.5 million customers globally, around 111,000 of them in the U.K.), but also hotels, with the biggest being a Marriott phishing attack estimated to have impacted some 500 million people.

Updated with more detail on the fine and also commentary from BA.