Data protection

BA hit with £20m data fine

The Information Commissioner’s Office has fined British Airways £20m after a data breach. 

The move came as Marriott International remained in talks with the ICO, which had earlier proposed a £99.2m fine against the hotel group for the exposure of 30 million European Economic Area residents’ personal data as a result of system security shortfalls.

Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action were approved by the other EU data protection authorities through the GDPR’s cooperation process.

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of a further 77,000 customers, and card numbers only (without CVV) for another 108,000 customers.

The ICO said that there were “numerous measures” BA could have used to mitigate or prevent the risk of an attacker gaining access to the BA network. These included:

  • limiting access to applications, data and tools to only those required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’s systems;
  • protecting employee and third-party accounts with multi-factor authentication.

BA responded: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations. We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”

Paul Cahill, data breach solicitor, Fletchers Data Claims, said: “Whilst it might seem that BA has had a lucky escape here – with the original notice from the ICO suggesting a fine of £183.9m – the ICO’s decision is likely to have large companies reviewing their data security arrangements and seeking to strengthen their protection against cyber-attacks.

“The ICO has decided that despite the fact that the data breach was not intentional or deliberate, BA was responsible for the breach of GDPR as a result of its failure to take ‘appropriate steps’ to secure its customers’ personal data. This decision shows that whilst the ICO does accept that the attack on BA’s systems was malicious, there were clear measures that could have been taken to protect customer data from such an attack. 

“The decision suggests that companies cannot simply point to their security measures and suggest that they have tried to prevent an attack, but instead need to show that they regularly review and update their procedures, and could not have reasonably been expected to prevent the attack being successful.”

Marriott International, meanwhile, last year saw the Information Commissioner’s Office announce that it intended to fine the company £99.2m for breaches of data protection law, after five million unencrypted passport numbers and eight million credit card records were exposed. The breach related to a guest reservations database acquired as part of Marriott’s acquisition of Starwood Hotels & Resorts.

Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”

Marriott International defended itself against the claim and the Information Commissioner’s Office was due to decide on 31 March what fine, if any, was due from the company. An ICO spokesperson told us: “The regulatory process is ongoing and we will not be commenting until it has concluded.”

Marriott International CEO Arne Sorenson told a US Senate committee hearing last March that the company had not been aware of the scale of the data security issues at Starwood Hotels & Resorts prior to buying it in 2016, and that the source of the breach remained unknown.

Sorenson told the Senate Permanent Subcommittee on Investigations: “As a company that prides itself on taking care of people, we recognise the gravity of this criminal attack on the Starwood guest reservation database and our responsibility for protecting data concerning our guests. To all of our guests, I sincerely apologise.”


Insight: BA may indeed be counting itself very lucky. While you or I would not care to lose £20m, we would be even less enthused about having to hand over the £183.9m originally proposed, and neither BA nor Marriott International is exactly flush with cash at the moment. Marriott International will no doubt be looking to wrap things up along similar lines.

What both parties will have to ensure is that it doesn’t happen again. Sadly for Marriott, it already has, with another breach in March this year.

The authorities will be less lenient if it looks as though no effort is being made to stem the tide of leaks, but for the hotel sector this becomes harder as franchising expands and the number of touchpoints handling our credit card and passport details only grows.