British Airways fined £20m for the 2018 data breach, was acting illegally

The Information Commissioner’s Office has just published its final verdict on the 2018 data breach at British Airways.

The fine has been reduced to £20 million from the initial proposal of £183 million. The ICO makes it clear that this is partly due to the current financial difficulties at the airline – as well as BA’s co-operation and prompt reporting – and it is not a reassessment of the severity of the breach.

The ICO findings are damning. British Airways was found to have been acting illegally in its treatment of customer data.

“An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.”

How big was the BA data breach?

The ICO says:

“The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.”

Could BA have prevented the attack?

The ICO says it could – and some of the measures were already available to it via its existing IT platform. To quote:

“There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:

  • limiting access to applications, data and tools to only that which are required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
  • protecting employee and third party accounts with multi-factor authentication.

None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.”

BA didn’t even know it had been hacked …

“ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.

It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”

You can read the full ICO report here. The summary findings are here.

It isn’t clear if IAG was aware of the contents of this report, including the finding that British Airways had been acting illegally, when Alex Cruz was removed from his role as CEO and Chairman of British Airways on Monday.

Comments (54)

  • Publius says:

    I’m totally disgusted with the ICO for reducing the fine due to covid.
    Does this mean the multitude of startups (who never declare a profit) cannot be fined?
    Despicable logic – hope someone raises a class action against the ICO now!

    • Lady London says:

      I understand it’s quite common for headline fines to be very substantially reduced after the headlines are long gone.

      However $20m given the level of negligence the worldwide customers affected etc, does feel like a slap with my furry teddy bear, rather than a fine that ought to have reflected the level of British Airways’s negligence.

      Especially as there were other indicators that British Airways’s IT was failing seriously. Such as the systems meltdown on a UK Public Holiday weekend that left people stuck at airports all over the world. Which was followed by a similar event, also due to whoever was running BA’s IT (I presume that’s *was* ) a few months later.

      How long is it taking BA to lose $20m these days? Is it less than a day?

      And correspondingly, at the time of these breaches how long was it taking BA to make $20m? A day?

      I would far rather the regulator had come down to the usual amount and given BA 3 -5 years to pay, with interest.

      • JP-MCO says:

        Maybe it was £183m reduced to £20m if the CEO who had overseen it all was removed?

        • ChrisC says:

          I’ve read similar comments elsewhere.

          There is no way the ICO could or would have insisted on Cruz being sacked in some sort of deal to reduce the fine.

          The employment (or not) of individuals involved in causing the failure is a matter for the company not the regulator.

    • ChrisC says:

      The fine can either be a cash sum – the maximum is €20m – or based on turnover – maximum of 4% (no maximum cash sum hence the original large possible fine)

      So a company that made no profit could still be fined.

      You could if you felt so inclined take the ICO to the High Court for Judicial Review but you would have to have some evidence that their decision was somehow inherently wrong because they failed to follow the law and their published procedures and not just because you don’t like the decision.

    • Jake Mc says:

      The logic is not despicable. It’s helping to protect the livelihoods of those that had nothing to do with the hack.
      What is the point of slapping an enormous fine on BA when, in lieu of being able to generate any meaningful profit over the next 6 months or so, the only way they would balance the books is by sacking more staff and making more benefit cuts?

      It’s hardly fair those that had nothing to do with the hack should lose out.

      I don’t disagree that 20m is on the light side but straight up large fine feels like a blunt tool that will cause suffering to the wrong people.

      The ICO should probably look at legislation that would enable them in future to undertake a more targeted approach to the decision makers in an organisation (i.e. those that signed off on the deficiencies that enabled the breach).

      • Mr(s) Entitled says:

        Fine them £100mm, deferred for 2yrs, payable over 3yrs. Job done.

        • Jake Mc says:

          Agreed but I don’t know what remit the ICO have to do so. Furthermore BA could choose to take on that ‘loss’ on to the balance sheet now and still sack further staff / increase cuts.

          Essentially the ICO should look to increase personal accountability rather than leverage greater fines on companies. A CEO / COO / CTO who knows they are retiring shortly is unlikely to care too much about procedure if any comeuppance cannot be leveraged against them personally.

        • Lady London says:

          Exactly.

          • Lady London says:

            * that was for the suspended fine with time to pay.

            Not for individuals being made personally liable for consequences of things they are responsible for within their company professionally. There are very few exceptions to this not being possible and for good reason.

    • Rob says:

      £183m was a warning shot for anyone thinking of not revealing breaches immediately or not cooperating.

  • Chrisasaurus says:

    My understanding is that these reports are typically given to the entity under investigation ahead of publication for reasons such as giving them chance to highlight factual errors or omissions – so would be very likely the board saw this before AC’s departure. Doesn’t of course mean it influenced it, but likely it was known

  • Nori says:

    Do victims get to see any of that money?

  • Dirtyneedlebluesky says:

    Bit unfair of ICO to comment that some of the measures are available in the MS operating system.

    For enterprise grade security solutions this is far from the case. They make it sound you turn it on as a feature and is free.

    Yes MS offer some of these tools, as other software vendors do.

    • Dwb1873 says:

      Being able to apply least privilege most definitely is though. That’s InfoSec 101.

      Hard to tell from an excerpt but it sounds like they had weaknesses in risk and good security control requirement assessment, putting to one side any actual technical gaps.

      The basics in other words.

    • Joseph Heenan says:

      The point the ICO were trying to make was that BA had already paid for the necessary software (in this case from MS) to enforce better security – they just hadn’t configured the software properly.

  • sayling says:

    So where will the 20 million go once paid?

  • David S says:

    Forget the CEO, what happened to the CIO who was actually accountable for this?

    • Defcon5 says:

      There seem to be a few out there, if anyone has signed up and can advise the most legitimate that would be useful.
      I assume they are not disclosing to customers if their details were hacked?

  • James says:

    Looks like I’m eligible to jump on the claim bandwagon. Can anyone recommend a good group action site to register with please? I’m seeing some no-win, no-fee claims of 35%. Just wondering if there’s any better offers out there before I register.

    Cheers

  • Mark Tasker says:

    Can anyone give me just one good reason to fly with this shambles of an airline? It is a disgrace that it has the word “British” in its title.

    • Jake Mc says:

      So many, depending on the customer, route, time of year, requirements etc:
      1. Price
      2. Lack of other direct alternatives
      3. Connectivity from regional UK airports to Heathrow
      4. Status (use and earning)
      5. Avios (use and earning)
      6. Accessibility of customer to Heathrow / Gatwick
      7. Flight timings
      8. Requirements of company travel policy
      9. Type of aircraft flown

      Etc…

      Whether we like it or not BA can be competitive or market leading in any one (or more) of those categories on any given flight.

      • Jake Mc says:

        + quality of product! (Although of course very much market dependent)!

      • Paul says:

        There speaks an employee or other vested interest.

        Price – Almost never ex the UK and rips off UK passengers especially regions compared with ex EU. A fare difference is one thing but thousands is quite another.
        Lack of competition – This is not something to be proud of!
        Regional connectivity – That’s laughable. KLM, LH, QR and EK serve the regions better!
        Status – It’s the only show in town, again not something to be proud of.
        Avios – Ditto.
        LHR and LGW – They have never shown the slightest commitment to LGW or indeed anywhere else in the UK.
        Flight timings – I have always been amused by this. The timings are driven by slot availability both at departure and arrival. They are often less than ideal.
        Type of aircraft – until recently the clapped-out 747 was still a mainstay.

        Come on, they are only in business as they have fortress LHR and are overly protected via highly lucrative commercial agreements that allow legal collusion on pricing, schedules and frequent flyer programmes.
        You will never convince me that we wouldn’t have an AA credit card in the UK if it were not for their commercial agreement.

        They are neither market leading nor competitive in their own right on any key measures and rely on their protected status to survive. It’s why they vehemently opposed the 3rd runway and Boris Island.

        If they faced proper competition it would be a very different story

        • Jake Mc says:

          Paul – I think you may have misunderstood my points. I am for the record not an employee nor have any interest in BA (bar some Avios).

          The question posed by Mark was to give a good reason why people would fly BA – not to compare BA to the competition. My response was not whether one should be ‘proud’ but why so many people choose to fly BA.

          It wasn’t supposed to be flagging how BA is brilliant all of the time but that it is better than the alternatives (thus market leading; nb that does not mean ‘good’). Clearly all of those factors above are enough of a pull for enough people that it is a ‘good’ enough reason to fly BA.

      • Lady London says:

        I would add safety to that list of advantages of British Airways.

        After a trying trip there’s still something about seeing the British Airways tailfin and getting on the aircraft to a British welcome and knowing I’m going to be flown home by a British Airways pilot.
