British Airways has been hit by a fine following an incredibly damaging data breach in 2018 which resulted in the loss of customer data.
At £183 million, this is the biggest fine that the ICO (Information Commissioner’s Office) has issued to a business for a data breach.
British Airways was hit by a “sophisticated, malicious criminal attack” and expressed that they were “surprised and disappointed” in response to the ICO fine.
Why was the fine issued?
British Airways suffered a cyber attack on its website that resulted in the harvesting of 500,000 British Airways customers’ details.
The attack began in June 2018 but was not disclosed until 6 September 2018, when it was announced that 380,000 transactions involving British Airways had been affected. It is estimated that around two weeks’ worth of personal data and credit card numbers had been exposed to the attackers.
When a customer logged in to the website, they were redirected to a fraudulent website that was capable of stealing customer data.
Cyber Crime, Data Breaches, and GDPR
GDPR (General Data Protection Regulation) was introduced in May 2018 and is a series of laws protecting personal data. These laws were introduced to incentivise businesses to take their data responsibilities more seriously and make them accountable for their customers’ data.
This is the first penalty to be made public since the rules came into force. Previously, the biggest fine was £500,000, which was given to Facebook in October 2018.
The law states that if you are trusted with your customers’ personal data, then you must look after it. Those who fail to protect personal data will be found out and issued with a fine, in order to prevent further data misuse.
The maximum fine that can be given for a data breach is 4% of the company’s annual turnover. British Airways’ fine totalled around 1.5% of its 2017 turnover.
British Airways’ Next Steps
British Airways has 28 days to appeal against the fine if they wish.
The money will go to the ICO and then directly to the Treasury. British Airways has said that it is up to the individuals who were affected to claim any money back.
Of course, the recommended course of action should be a review of its cyber security, ensuring that the British Airways network and website are properly secured. The last thing it needs is to be hit by a further attack, not only because of the financial penalties but also because of the damage to the reputation of the business.
A properly secured network and website could have prevented this data breach in the first place. Stronger network security makes it much harder for cyber criminals to gain access to your company’s important data.
One of the key messages from this data breach is that it can happen to any business or organisation, irrespective of size, fame and fortune. It is important to protect your business to prevent incurring a fine.