On October 16, 2020, the UK Information Commissioner’s Office (“ICO”) announced a fine of £20,000,000 (approximately $25,850,000) against British Airways (“BA”), which is owned by International Consolidated Airlines Group, S.A., for violations of the EU General Data Protection Regulation (“GDPR”). This is a significant (approximately 90%) reduction from the proposed fine of £183,390,000 (approximately $230,000,000) announced by the ICO in July 2019, but it is still the largest fine imposed to date by the ICO.
The ICO found that BA failed to process the personal data of its customers in a manner that ensured appropriate security, as required under Article 5(1)(f) and Article 32 of the GDPR. The relevant data breach took place between June 22 and September 5, 2018, when an unidentified attacker gained access to BA’s IT systems and network. For a 15-day period within that window, the attacker redirected customer payment card data entered on the BA website to a fraudulent site under the attacker’s control, a technique referred to as “skimming.” BA was informed of the issue by a third party and notified the ICO on September 6, 2018. Overall, approximately 430,000 data subjects were affected.
As a result of the attack, customer personal data such as name, address and payment card details (including CVV) were harvested, as were login details for BA employee and administrator accounts. Usernames and PINs of BA Executive Club accounts were also compromised. The ICO commented that BA had been negligent in the circumstances, knowing that a company of its size and profile was likely to be targeted by attackers. It identified various measures that BA could have taken, but did not implement, to prevent the breach from occurring, and commented that each of the several steps that the attacker took on the way to the eventual breach of personal data “could have been prevented, or its impact mitigated, by BA implementing one or more of a range of appropriate measures that were open to it.” In addition, the ICO commented that although no special category data was involved, the financial data compromised was considered sensitive. The ICO also commented: “The failures are especially serious in circumstances where it is unclear whether or when BA itself would ever have detected the breach.”
In addition, the ICO pointed to the “anxiety and distress” that individuals suffered as a result of the disclosure of their personal information, and disagreed with BA’s contention that payment card breaches are an “unavoidable fact of life,” commenting: “These statements trivialize what was a serious failure on BA’s part.”
In calculating the fine, the ICO took into account BA’s representations in response to the original Notice of Intention to fine and additional technical information that BA submitted, together with the factors listed in Article 83(2) of the GDPR, which include the nature, gravity and duration of the infringement, the number of data subjects affected and the damage to them, and the steps taken to mitigate the impact of the incident. Mitigating factors included the fact that BA gained no financial benefit from the breach, notified the ICO promptly on becoming aware of it, had no relevant previous infringements, and offered to compensate individuals for financial loss suffered as a direct result of the theft of their card details. The ICO stated that BA had cooperated fully with the investigation, and noted the improvements made to BA’s IT security since the breach. The Penalty Notice also sets out in some detail BA’s legal challenges to the ICO’s approach to calculating the fine, which include wide-ranging administrative law arguments and criticism of the ICO’s apparent reliance on a Draft Internal Procedure (which the ICO stated it had not relied on in calculating the final penalty). Starting from a figure of £30 million, the ICO reduced the fine by 20% (to £24 million) to reflect the mitigating actions taken by BA, and by a further £4 million (to the final £20 million) to reflect the economic consequences of the COVID-19 pandemic.
Finally, it should also be noted that the maximum fine under the GDPR for infringement of the security principle differs depending on the provision relied upon: Article 5(1)(f) falls within the higher tier (up to 4% of total worldwide annual turnover), whereas Article 32 falls within the lower tier (up to 2%). The ICO addressed this apparent anomaly, acknowledging the overlap between Articles 5 and 32 but relying on Article 83(3), which provides that where several provisions of the GDPR are infringed by the same or linked processing operations, the total amount of the fine “shall not exceed the amount specified for the gravest infringement.”