British Airways Faces £183m Fine Over Data Breach


In September 2018, details of a massive British Airways data breach went public.

The basics of British Airways’ data breach

It was revealed that between August 21 and September 5, 2018, personal and financial details of customers using ba.com may have been compromised. Initial reports suggested that this impacted about 380,000 transactions, so that’s a significant breach.

Many of you are probably familiar with the General Data Protection Regulation (GDPR), which came into effect last year, and has some strict new guidelines for how companies have to protect consumers’ information.

British Airways facing £183m fine

British Airways is now facing the consequences of this breach under GDPR, and their fine is massive. British Airways is looking at a £183m fine from the Information Commissioner’s Office (ICO) for last year’s data breach.

This is the biggest penalty the ICO has ever handed out, and it’s the first to be made public under the new rules.

Information Commissioner Elizabeth Denham had the following to say:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

With GDPR, the maximum penalty for a breach like this is 4% of annual turnover. British Airways’ penalty amounts to about 1.5% of their annual turnover.

So while it’s not the maximum, it’s by far the biggest fine that has ever been levied, as previously the biggest penalty was a £500,000 fine to Facebook. This British Airways fine is nearly 370x as big as the previous biggest one.

It sure does seem like the ICO is trying to make an example of British Airways here. While they’re fining within the limits, I think this will send a message to companies about the importance of properly securing customer data.

British Airways is appealing the decision

Following this ruling, British Airways has 28 days to appeal the decision.

IAG CEO Willie Walsh has said that the airline intends to appeal the decision:

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Meanwhile British Airways CEO Alex Cruz has said he’s “surprised and disappointed” by the ICO’s findings:

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

Bottom line

It sure seems like major data breaches have become more common in the past couple of years, rather than less common. This penalty for British Airways does seem extreme, given the previous precedent. At the same time, it doesn’t seem unreasonable in the sense that it’s not even the maximum they could be fined.

If this doesn’t send a shiver down the spine of the executives of any major company, I don’t know what will.

I’ll be curious to see if British Airways has any luck with their appeal…

Comments
  1. I want to say “serves them right for cosying up to Boeing instead of helping their own in Wales by purchasing Airbus”, but it’s barely enough to make a dent, is it?

  2. So this fine works out to $482 per passenger whose data was leaked. Doesn’t that seem like over-deterrence? I do think there is *some* value to protecting personal information. But if we’re being honest, how much would any of us really pay (or accept) to avoid being the victim of a data breach that just contained an airline booking inquiry? For example, if I told you you could have $482 in cash right now but information about one British Airways reservation you made in 2018 would fall into the hands of hackers, wouldn’t you take the cash? (Or to put a finer point on it, suppose next time you placed an airline booking, you had to pay an excess fee of $482 to avoid info about the booking being provided to hackers, would anyone pay that?)

    I understand some people will say BA has a moral obligation to protect customer data. But the question is, how much is that really worth. You can’t eliminate hacks entirely — you just want to punish them enough that BA takes sensible, reasonable precautions — you don’t want them to turn their computer into Fort Knox such that it’s even more difficult for people to use as part of their daily bookings, etc. Charging $482 per lost record seems to me likely to induce an absurd level of protection.

  3. The amount of the fine makes sense given the nature of the breach. In this situation, hackers were able to take advantage of a very simple security vulnerability and inject a script that directly extracted customers’ user and billing details in real time.

    Basic security measures would have prevented this breach. The fine is so high because BA neglected to invest even minimal resources in preventing this.

    Unrelated to this, BA’s user-facing IT has felt outdated for a long time and it seems like they’ve neglected this area as a whole in favor of cost-saving.

  4. This could be a serious error by British Airways in appealing the fine, as if seen to be frivolous, and there has been fraudulent activity in the UK on BA Amex cards related to purchases made during the period of the data loss. Therefore, they may see an increase to the maximum 4% of turnover. They should be very careful in considering their position.

  5. @john, it really depends. But even $500 is a reasonable price for a data breach in my opinion. If I had a reliable credit card company for which I pay a lot as a membership fee, I would be relatively safe and a few calls would do it. Still, I value my time, and the more I pay for my card the more valuable my time is… But for those who do not have good protection from their cc company I am pretty sure the cost can easily be more than $500…

  6. I was one of the many who had their data breached. I was informed by BA that my data had been breached. Within a couple of months, two identity theft attempts were made using my details – someone trying to open a checking account with a bank, and someone trying to open a credit card. As a result, my details have been listed on CIFAS (a UK fraud prevention service), which means any attempt to gain credit in my name requires the bank etc. to go through much more stringent steps. However, I’ve now been declined on two occasions trying to open accounts with two different banks – nothing to do with my credit score (which is excellent) but clearly to do with being listed on CIFAS (one of the banks simply said that I failed to meet their identity proof requirements and then shut down the application with no further comment).

  7. @John, you need to remember the idea behind that law. It is there to make it *prohibitive* for companies not to fulfill basic security requirements. That’s why the fine is not based on the number of users impacted, but directly on the turnover.

    The ICO has some very good experts on security matters, and has basically handed down a gross negligence opinion which was followed by the sentencing.

    If I were in WW or AC’s shoes, I would think twice before appealing. You only double down if you’re ready to lose it all!

  8. So when do I get my $482 cash.

    Wait, like any data breach, the company f***s our information and gives us (already insured) credit monitoring for ONE YEAR. Like my whole life resets every year. Smart hackers (wait, they are smart) need to wait just 13 months to cash out.

    What do I really get compensated, nothing.

  9. If the fine had been the maximum under the revised law, i.e. 4% of turnover, then it would have been £500 million, in my view well-deserved. The weasel from BA should stop complaining.

  10. I’ve been accused on here of being “borderline delusional” in my defence of some aspects of BA — but I think this fine is right.

    BA showed near-complete disregard for the security of their customers’ personal data, and they have to learn that that is unacceptable. This fine is just 10% of next year’s projected profits, so nothing is in danger other than the executives’ bonuses and the size of the shareholders’ dividend payout.

    Companies only understand —or care about — money. Well, BA had better understand this fine.

  11. @ Eskimo

    I don’t understand: if you’re so outraged, why the hell aren’t you suing them?

    English courts have a very strong record in backing consumers against airlines (just ask Ryanair, which spent squillions trying to avoid EU261 claims).

    It’s no use coming on here and whining like a baby. Take control!

  12. For those who think the fine is high, take it from someone who went through a real identity theft eleven years ago. And I’m not just talking about a few compromised credit cards, the damages of which are covered by the banks, but rather the emptying of my bank accounts and the filing of an erroneous IRS tax return which collectively resulted in well over $50,000 in losses. For the corporation involved, it was just a bad day and some bad media fallout but for me it was years of legal action, trashed credit and attorney fees of which I had to pay before I ever received reimbursement several years later. Thankfully today there are a lot more safeguards in place for victims that didn’t exist back then. In my opinion, you can’t punish corporations enough for this.

  13. The 500k Facebook fine was the maximum permitted at the time. It was prior to GDPR. Had it fallen under the new rules it would have been a huge fine.

  14. Not sure how they can say they have no evidence of fraud due to the breach. My brand new AMEX Platinum that had only been used at BA for the 5x flight points started immediately getting fraudulent charges and I had to replace it while overseas. I don’t believe the people affected receive the benefit of the fine, and it just goes to the government coffers to help pay for Brexit, so pretty pointless as a customer.

  15. Walsh and Cruz need to show some contrition. Bluff and bluster simply won’t work. BA lost the data because its IT systems failed. And then they badly handled the breach when they (eventually) discovered it.

    The only appeal they have with the ICO is if they believe – and can then prove it – that the ICO has made an incorrect finding based on erroneous data / information. And that’s doubtful because they (BA) will have seen the ICO report beforehand, so could have told them ‘this is wrong’ and provided the ICO with accurate info before the report was published.

    Someone up thread said BA has a ‘moral obligation’ to keep data safe. That’s totally wrong. Under GDPR (and previous UK law going back to at least the 1990’s) they have a LEGAL duty to protect private data. BA failed to protect private data so it jolly well should be fined. And fined a lot.

    They should count themselves lucky they didn’t have the 4% of global turnover as the fine.

  16. I got one mealy-mouthed email from BA about this, after it had all been made public and they had to, which basically said “pfft, if you get stung, we might be interested, we might not, but it’s on you to prove it to us”

    In comparison, I’ve had 2 or 3 proactive emails from Amex (who I booked BA tickets with) saying they were actively monitoring my account and would contact me should anything suspicious be found, and not to worry, they had my back.

  17. I don’t think fining companies for data breaches is the correct way to do it. Think of it like this. Someone broke into your house and stole a lot of things. You only notice a couple of days later. After telling the police about what happened you are then punished, and the criminal gets off easily.

    It makes more sense to try and fix the problem whilst making the company pay a smaller fine as well. It just seems wrong to slap a fine on BA without properly helping them fix the problem.

  18. @The nice Paul

    Go read what @Donna has to say.
    It’s easy to file a lawsuit, it’s not easy to get your life back or fight against greedy corporate lawyers.

    Why would Brexit collect the fines if those who suffer are the customers.
    Yes, they should be fined for breaching regulations. But we should be compensated too.

  19. Elizabeth Denham is a publicity seeking, one-eyed privacy zealot who has been terrorising British businesses and organisations for several years as the British Information Commission Officer. In particular, she went after charities over so called “violations” which were nothing more than them asking their donors for money more often than she thinks they should. Since her terror campaign against charities started, one billion pounds in donations have been lost. I hope this shameless and outrageously expensive publicity stunt she has just pulled with BA results in her finally getting fired. She is a toxic narcissistic psychopath with zero empathy who could care less about the damage she does to other people and the organisations they work for, as long as it lands her name in the tabloid and click bait media.

  20. @Noah Bowie:

    No, not at all. Absolutely not. A better allegory would be:

    Thieves break into your “secure” storage facility where people store valuable, personal objects. You ensure the minimum precautions to secure the facility as required by law, but not all of the precautions expected of such a storage facility based on industry standards. Then thieves break in by exploiting a well known vulnerability on, say, the door locks. They steal a ton of stuff that doesn’t belong to you but which you were entrusted to safeguard. And you didn’t tell anyone for a few days.

    Have a look at “due diligence vs due care”.

  21. @AdamR, you forgot to finish that “allegory”. After the thieves break in, a narcissistic, publicity seeking, self promoting regulator like Elizabeth Denham then levies an over the top fine of 183 million pounds, and uses it to get her name all over the media. And the people who were actually victims of the theft are not given any of it. I hope BA sues the pants off her. It is about time someone takes her on. She’s a bully and a thug who actually enjoys it when these things happen and she couldn’t care less about you or me.

  22. Alex Cruz’s track record of cutting corners and cutting costs has now caught up with him.

  23. @ Derek
    That’s a very harsh assessment. She has been passionate about consumer protection, both in Canada and the UK; she hasn’t shown the remotest sign of being a self-promoter. However, she has a lot of people running scared…particularly those who’ve paid scant regard to the protection of data (and played fast and loose with the truth when breaches have occurred) as well as those engaging in deceptive advertising/marketing. More power to her…she has the sleazebags on the run. I hope she comes back for another go at Facebook.

  24. @ Eskimo

    Parts of your comment are incomprehensible — e.g.:

    “Why would Brexit collect the fines if those who suffer are customers”

    What? “Brexit” is neither a person nor an organisation. How can it collect fines?!

    But the point is clear: just as the fines levied on someone found guilty of a crime are not handed over to the victims, so the fines on BA go to the state (where all tax-payers benefit).

    If you feel you’ve lost something, sue BA. That’s what civil courts are for. I manage litigation in a lot of countries and in my experience the English civil courts are relatively simple and predictable.

    Or you could just come on here and whine about how unfair everything is.

    @derekglass

    You’re an idiot. She’s one of the more effective UK public servants — and more power to her. If you think some charity fundraisers didn’t need reining in, google “poppy seller olive cooke”, the tragic case of a 92 year old who killed herself because she was overwhelmed by fundraising demands…

  25. @derek

    What absolute nonsense. Where is your proof that charities have lost billions in donations because of the ICO? Yes, she did fine a dozen or so of them for misusing personal data. But she also ameliorated those fines so they were much lower than they could have been. Being a charity is not a ‘do anything you like’ card. More damage has been done to charity fundraising because of issues of massive salaries for executives and the sex abuse scandal at Oxfam.

    It is quite clear from your rant that for some reason you have a dislike of Elizabeth Denham who has only been the UK regulator for three years. If the UK Government hadn’t wanted a strong advocate for data protection they wouldn’t have appointed her.

    It’s about time that organisations – whether businesses, charities or the public sector – took their data protection obligations seriously. If they treat the issue seriously then they won’t get fined. Simple as that.

    Oh and today she has published a notice to fine Marriott just under £100m for their data breach that went on for years.

    And UK law says that regulatory fines get paid to the government and not those affected – it’s not her decision it’s the law – yet another inaccurate statement from you.

    Good on her I say.

  26. @derek:

    No. I won’t finish my appropriate allegory (no quotes needed) with your fanciful lies. You don’t know what you’re talking about and instead choose to fabricate stories based on some weirdly intense personal dislike of someone who seemingly has no direct impact on you. Please seek help.
