Record in data protection sanctioning

In recent months, the British ICO, under the direction of the Information Commissioner Elizabeth Denham, has been occupied with the investigations underlying its issuing of an ambitious 183 million Sterling fine, imposed on British Airways for infringing the General Data Protection Regulation. British Airways holds one of the widest international passenger clienteles in the global airline industry. In recent years, many have witnessed the falling standards of the well-reputed airline, a decline that escalated considerably upon the discovery of the breach.

The breach in question stemmed from user traffic being diverted, without authorisation, to a fraudulent site, exposing customers' details to attack. This was the result of a malicious script that read payment information before the payment was submitted. Impacted data includes credit card numbers, expiry dates, CVV codes, home addresses and names, amongst other personal information. Travel information and passport information were not leaked. The breach affected around half a million victims, whose data was compromised over the 4-month span of the breach. The 500,000 victim mark established by the ICO in its investigation is substantially higher than the number initially claimed by British Airways, with the attacks impacting both website and app customers.
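A skimming script of the kind described above has to be delivered into the page and has to talk to an origin the site owner never approved. As an added example that is not part of the original article, the following check inventories the scripts on a checkout page and flags any loaded from, or referencing, an origin outside a constructed allow-list; the airline and attacker hostnames are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of approved script origins (constructed).
ALLOWED_SCRIPT_ORIGINS = {"www.example-airline.test", "static.example-airline.test"}

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)  # <script src=...>
            else:
                self._in_script = True  # body arrives via handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit_page(html, allowed=ALLOWED_SCRIPT_ORIGINS):
    """Return (kind, host) for scripts loaded from, or inline scripts
    referencing, origins that are not on the allow-list."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname
        if host and host not in allowed:
            findings.append(("external", host))
    for body in p.inline:
        for url in re.findall(r"https?://[^\s'\"<>]+", body):
            host = urlparse(url).hostname
            if host and host not in allowed:
                findings.append(("inline", host))
    return findings

# Constructed sample checkout page: one approved script, one injected one.
SAMPLE_PAGE = """<html><body>
<script src="https://static.example-airline.test/checkout.js"></script>
<script>fetch("https://unknown-origin.test/collect");</script>
</body></html>"""
```

Running `audit_page(SAMPLE_PAGE)` reports the inline script's unapproved origin; the same check run on each deploy, alongside a Content Security Policy restricting `script-src` and `connect-src`, gives a site owner an early signal that a page has been tampered with.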

The company acted efficiently upon discovery of the breach and made immediate efforts to establish its scope. In September 2018, shortly after discovery, British Airways reported the breach. British Airways contacted known victims at that point and gave them guidance on mitigating the impact and containing the breach. Victims have not been offered further aid beyond that guidance. On the notification filed by the company, Mr Cruz, who holds an upper management position within British Airways, promised to cooperate fully and to aid any customer financially impacted by the attacks, also promising compensation for such financial hardship.

Despite the company's cooperation throughout the investigation and its efforts to remedy the vulnerabilities in its online systems, the ICO still filed a notice of intention to fine a record amount of 183 million Sterling. This is expected to be contested by British Airways, which may submit its representations within the coming 28 days, after which the period for contesting the notice elapses and the fine becomes final. IAG, the owner of British Airways, has already expressed disdain for the ICO's findings, claiming that it should only be conditionally liable. It has expressed the intention to pursue legal action to defend its position, a reasonably expected response to such a high fine. As reflected in its statements, IAG aims to put the involvement of unspecified criminals into play, whilst also arguing that the breach did not lead to actual fraud but merely to exposure to the risk of fraud. Having said this, victims of this breach are currently claiming that subsequent financial attacks could potentially be linked to it.

Whilst the attack was external to the company, British Airways was deemed to be highly responsible because it facilitated the fraud through inadequate security arrangements, which compromised critical data. It is the nature of the compromised data and the resulting risks, including theft, fraud and other financial consequences, that drove the ICO to impose such a fine. Denham in fact highlighted the idea that one is liable not merely for damaging data, but for compromising such data and breaching one's duty of care, leading to the loss, theft or damage of that data. This goes to the spirit of the GDPR, that of protecting the fundamental right to privacy, as captured in the statement that 'personal data is just that – personal'. Another motivator of the high sanction could be the involvement of international victims of multiple nationalities, triggering the one-stop-shop mechanism. In the coming weeks, we should expect the DPAs of the relevant jurisdictions, cooperating under that mechanism, to publish comments and opinions which are expected to further influence the ICO.

The British ICO had earlier warned that its lenient approach would no longer be upheld, especially with the enactment of the GDPR. This is why data protection professionals view this record fine, more than 300 times the Equifax and Facebook Cambridge Analytica fines, as an indicator of larger fines to follow in the European context. In fact, similar statements have been made in Germany and France, which have stated that investigations into major breaches are underway. One must note that whilst the fine is already quite high, it was issued only under the first sanctioning tier, amounting to 1.5% of global annual turnover, as opposed to the maximum second-tier fine, which would have amounted to around 485 million Sterling. This high fine is also expected to bring about a reaction amongst larger companies. The expected macro impact is in fact greater awareness and increased technological safeguards instituted by such companies to protect data subjects from online breaches. This may bring data risk to the forefront of marketing and customer-service considerations.
