UK ICO Shows its Teeth in Fining BA £183 Million for 2018 Breach
The UK data protection regulator, the Information Commissioner’s Office (ICO), announced Monday that it intends to fine British Airways (BA) a total of £183.39 million (just under $230 million) for the 2018 breach that compromised the personal information of 500,000 customers.
The fine is levied under the auspices of the EU’s General Data Protection Regulation (GDPR) and is Europe’s largest fine to date. In the first nine months after GDPR came into force on May 25, 2018, the total amount of imposed fines across the EU amounted to €55,955,871 — €50 million of which was levied as a single fine by the French regulator CNIL against Google.
This is now the first clear indication that European data protection regulators will not be afraid to use the full power of GDPR against major companies. Those organizations around the world that have been waiting to see the likely extent of GDPR enforcement need wait no longer. GDPR fines have been purposely linked to turnover so that large companies cannot treat data protection fines as part of necessary running costs.
Noticeably, according to Amanda Finch, CEO of the Chartered Institute of Information Security Professionals, “Twenty-three percent of security professionals named [the BA breach] the worst security breach of 2018, second only to Facebook and the Cambridge Analytica scandal.” The ICO fined Facebook the maximum it could prior to GDPR: £500,000. Half a million UK pounds will have little effect on a company the size of Facebook; but £183 million will undoubtedly make an impression on both the BA board and all other companies watching this.
BA revealed on September 6 that it had been breached, and that cybercriminals had access to the personal and financial details of customers who made bookings between August 21 and September 5. The criminals were one of the Magecart groups who specialize in web-based card skimming. The stolen data comprised customer names, postal addresses, email addresses and credit card information.
Security firm RiskIQ, which has monitored Magecart for several years, concludes: “Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.”
The ICO says the attack “is believed to have begun in June 2018.”
While the intended fine from the ICO is substantial, it could have been worse. It represents approximately 1.5% of BA’s £11.69 billion worldwide turnover last year. It could have been up to 4%, or £467.6 million. It seems to have been set to be painful but not ultimately damaging. IAG, the company that owns BA along with several other European airlines, should suffer no long-term effect, since the fine still represents little more than 7% of its overall profits.
The overall cost of the breach to BA will, however, be much higher. “£183m is the cost of not protecting sensitive personal information from cybercriminals and this is just the fine not including the actual costs of cleaning up or responding to the data breach,” comments Joseph Carson, chief security scientist at Thycotic. “The cost of doing nothing minus the cost of doing something is the cyber risk that companies are willing to take by not taking cybersecurity more seriously.”
In the statement from the ICO, Information Commissioner Elizabeth Denham explained, “People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
BA’s CEO Alex Cruz said the airline was “surprised and disappointed” by the fine. “British Airways responded quickly to a criminal act to steal customers’ data,” he said in a statement, adding, “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.” The degree of criminality involved and the lack of evidence of subsequent fraud have little bearing on the requirements of GDPR, and are unlikely to affect BA’s probable appeal.
In fact, this seems to be an eminently proportionate sanction from the ICO. There has been a suspicion that European regulators would go all out with their first major fine to demonstrate that GDPR needs to be taken seriously. “There was always a belief that whichever large company first fell foul of a GDPR breach would be held up as an example,” comments Malcolm Taylor, director of cyber advisory at ITC Secure. “In contrast I think this looks a proportionate response from the ICO, and one in which they have demonstrated their new powers and delivered a punishment, but avoided going all-out against (in this case) BA.”
What may already have reduced the intended fine is BA’s cooperation with the ICO’s investigation. “British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light,” comments the ICO. Against this, however, is the ICO’s explanation for the sanction: “The ICO’s investigation has found that a variety of information was compromised by poor security arrangements.”
“This is the first proper example of the ICO imposing a fine under GDPR. The security industry has been waiting for this but, even so, I judge the size of the fine has taken many by surprise,” suggests Taylor. He also wonders about an ‘unintended consequence’ of large GDPR fines: “Most attackers are in it for the money, but the perverse kudos they will feel (and get) is also likely to be a factor. What price being the attacker behind the ICO’s biggest ever fine?”
This is the new normal that companies must now face. “The ICO is enforcing its mandate,” says Sam Curry, chief security officer at Cybereason. “The message here is clear: it’s not about checking boxes — it’s about privacy in the company’s DNA. You can’t just roll out a good enough app that doesn’t have good enough privacy or security. It’s also not about the facile direct risk of fraud. This is about the privilege of holding data, which is no more a right for BA than for anyone; and violation of that erodes the integrity of a class of users’ identities.”