ICO to fine British Airways £183.39 million for Cyberattack

British Airways suffered a high profile cyberattack in Summer 2018.

The cause of the attack is currently unclear. British Airways alleged at the time that it was a "sophisticated, malicious criminal attack". The ICO's news statement indicates it was due to "poor security arrangements" allowing traffic to be diverted to a fraudulent website.

British Airways announced to the London Stock Exchange on 8 July 2019 that the Information Commissioner's Office ("ICO") intended to fine British Airways £183.39 million for the 2018 cyberattack. The ICO's response indicates around 500,000 customers were affected and that the compromised information included "log in, payment card, and travel booking details as well [as] name and address information".

Further detail may become clear once the ICO issues the formal Monetary Penalty Notice. 

This is the first major UK fine under the GDPR regime. As such, it is a very important step and clear signal of the ICO's intention in terms of fine levels.

The proposed fine emphasizes the possible consequences of breaching the GDPR and the need for data protection and cybersecurity to be boardroom issues. The ICO can fine controllers up to the greater of €20 million and 4% of global turnover. For some time commentators wondered how the fines to be imposed for breaches of the GDPR would be implemented. Some of you may recall my colleague Tom Torkar's article on Equifax and Facebook being fined £500,000 (the maximum possible under the old data protection regime) for their failure to protect the personal data of UK citizens. In that article Tom highlighted the ICO's comment in relation to the Facebook breach that the "fine would inevitably have been significantly higher under the GDPR", indicating that the ICO would not be afraid in future of imposing super fines on companies that reflect the severity of the breach. This proposed fine equates to 1.5% of British Airways' global turnover for the calendar year ending 31 December 2017.

Today's reaction to the proposed fine in the press and social media should remind all controllers of the reputational damage and cost one can suffer if a cyber incident becomes public.

As regards the formal Monetary Penalty Notice, it will be interesting to see if it provides the view of the panel of non-executive advisors to the Commissioner's Office regarding the investigation findings and representations made. The Regulatory Action Policy refers to the panel possibly being convened for "very significant penalties (expected to be those over the threshold of £1M)". Given this is the first major UK fine under the GDPR and the level of the proposed fine, we anticipate such a panel will have been convened.

The Monetary Penalty Notice may also provide some further detail as to the cause of the breach. There are online suggestions a company insider may have "tampered with the website and app's code for malicious purposes".

Process Going Forward

According to the ICO's own Regulatory Action Policy, British Airways will now have at least 21 days to make representations about the imposition of the penalty and its level. This period may include a face-to-face meeting between the ICO and British Airways at which British Airways submits mitigating factors and, no doubt, requests a reduction in the proposed fine. Willie Walsh has already indicated British Airways will "take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals". The ICO has also liaised with other EU national data protection authorities whose residents have been affected. The ICO's statement advised that such other authorities "will also have the chance to comment on the ICO's findings".

Given the severity of the fine and British Airways' announcement to the London Stock Exchange, we anticipate it will be longer than 21 days before any fine is announced.

UPDATE:

The day after the UK Information Commissioner's Office (ICO) announced its intention to levy a record fine against British Airways, Marriott International announced to the US Securities and Exchange Commission that the ICO intended to fine it £99.2 million for the personal data breach it originally announced in November 2018, in connection with security vulnerabilities within the hotel group Starwood, which Marriott purchased in 2016.

Businesses should note that super fines now appear to be the norm under the GDPR for significant personal data breaches that the ICO investigates.

This particular case also emphasises the importance of undertaking thorough technical due diligence when purchasing any target. Marriott appears to have been held responsible for security vulnerabilities that were exploited two years before it purchased Starwood. The ICO's statement in response to Marriott's announcement suggests that the fact it took Marriott two years post-completion to discover the vulnerability and the subsequent breach was an aggravating factor in the level of the proposed fine.

Further detail may become clear once the ICO issues the formal Monetary Penalty Notice.