5 Key Take-Aways From the £183 Million British Airways GDPR Fine

Not many businesses need worry about a fine of £183 million, as most don’t have the turnover British Airways has. However, in the wake of the Information Commissioner’s Office (ICO) announcing that they intend to fine British Airways £183.39 million for a data breach, what can all businesses learn from this case?

Facts of the Case
In September 2018, users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, including log in details, payment card details and travel booking details as well name and address information.
The incident was first disclosed on 6th September 2018, approx. 15 weeks after GDPR came into effect. The stolen data did not include travel or passport details.
The penalty imposed on British Airways is the first one to be made public by the ICO since the introduction of GDPR, which makes it mandatory for businesses to report data security breaches to the ICO within 72 hours.

1. Being a victim of crime is no defence.
British Airways was actively targeted by sophisticated cyber criminals and is essentially the victim of a crime. Your website could be targeted in the same way, or you could simply have your laptop stolen from your home. Regardless of your ‘victim’ status, the ICO will fine you if they believe you didn’t take adequate security measures to protect personal information.

2. Some businesses are more vulnerable to fines than British Airways.
The information breached by British Airways was limited to log in details, payment card details and travel booking details as well name and address information. None of this falls into ‘special category’ data which is what the ICO usually come down hardest on and which we look at as ‘high risk’ information. Special categories include information pertaining to the health, sex life, political, religious or ethnic backgrounds of individuals. If you regularly handle special category data, you are at higher risk.

3. No-one needs to get hurt…except the shareholders

British Airways stated at the time of the breach there was no evidence that any of the information stolen had led to fraudulent activity. What they were really saying is ‘no-one was hurt’, in the hope this would mean no penalty for them. That’s not how the ICO works – as far as they are concerned, if you lose control of the information, that’s enough for them to fine you. The ICO does not have to prove that the owners of the information suffered any kind of loss. Of course shareholders in Bright Airways are feeling the pain today. Had the breach happened 10 weeks earlier the fine would have been at most, £500,000. Painful indeed.

4. Lawyers are profiting from the British Airways fine.
Speaking of individuals suffering a loss, a number of law firms have been aggressively advertising they can get compensation for the ‘victims’ of the British Airways data breach. So the fine may be only one of the financial blows that British Airways are facing this year. It means Joe Public are starting to understand they can profit from data breaches – which now means it’s not just the ICO that businesses need to worry about, it’s the man on the street pondering the opportunity for a quick compensation claim.

5. Fixing things afterwards doesn’t get you out of a fine.
It seems that British Airways became aware of the breach within less than 2 weeks, and that they have taken significant steps to fix the weakness which allowed the hacker to exploit their systems. But this hasn’t prevented a massive fine, the world wide publicity and a significant dip in their share valuation. There’s little point mending the gate after the horse has bolted – you need to constantly watch out for risks in your business, and make sure you fix them before something goes wrong.

I feel sorry for British Airways, I really do. I think it’s an outrageously high fine and I think that they are being made an example of. The Commissioner herself commented:
“… the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

One thing is clear – the ICO mean business. After 14 months of criticism for ‘doing nothing’ they’ve come out with the gloves on. Who’s going to be next?
For information on how your business can protect information and meet GDPR compliance requirements, please get in touch on hello@briefed.pro.

Orlagh Kelly is a Barrister and MD at Briefed, www.briefed.pro, a specialist GDPR compliance agency based in London, Dublin, Belfast and San Francisco. Her next GDPR training event is this month, check for more information on their Events Page.