A whopping £183.39 million (around NZ$345.3 million) – or 1.5% of British Airways’ worldwide turnover for the 2017 financial year – is what the airline could be slapped with if it is not able to make the Information Commissioner’s Office (ICO) change its mind about the company’s alleged data protection violations.
“Following an extensive investigation, the ICO has issued a notice of its intention to fine British Airways £183.39 million for infringements of the General Data Protection Regulation (GDPR),” stated the authority in response to a London Stock Exchange filing.
The ICO noted: “The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site.
“Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.”
According to the authority, its probe found that a variety of information – including log in and payment card details – was compromised by what it called “poor security arrangements” at British Airways.
In a regulatory filing by the airline’s parent firm International Airlines Group (IAG), chief executive Willie Walsh said they plan to take all appropriate steps to defend British Airways’ position vigorously, including making appeals if necessary.
“We are surprised and disappointed in this initial finding from the ICO,” asserted British Airways chairman and chief executive Alex Cruz in the same document.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
Cruz added: “We apologise to our customers for any inconvenience this event caused.”
However, in the view of Information Commissioner Elizabeth Denham, such breaches go beyond inconvenience.
“People’s personal data is just that – personal,” stated Denham. “When an organisation fails to protect it from loss, damage, or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO, meanwhile, noted that British Airways has cooperated with the investigation and has made improvements to its security arrangements. It added: “The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.”
“ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators,” explained the authority.
“Under the GDPR ‘one stop shop’ provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings. The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”
Commenting on the development, Charles Taylor Adjusting deputy head of cyber Laetitia Fouquet highlighted the size of the potential penalty.
“This is the biggest fine imposed by the ICO, well over the £500,000 fine imposed on Facebook for its role with Cambridge Analytica,” said Fouquet in a statement sent to Insurance Business.
“This shows a hardening stance in Europe, with authorities no longer imposing fines for inadequate consent, direct marketing message, or sharing of data with other organisations but willing to impose fines up to 4% turnover as directed in the GDPR when inadequate security was in place and high number of customers were affected.”
The Charles Taylor Adjusting executive also offered insights on what this could mean for insurance.
“While BA has been given leave to appeal, this not only shows that the ICO is prepared to impose higher fines in line with the authority conferred by the GDPR which may put businesses at risk,” declared Fouquet, “but also it reignites the debate about whether these fines are insurable and whether the limits on cyber policies are tailored to cover such major events and fines.”