The Information Commissioner has today released details of its first major potential fine in the UK under the GDPR and Data Protection Act 2018.
In a statement published on its website this morning, the ICO indicates its intention to fine British Airways (BA) £183.39m for the cyber breach it reported in autumn last year.
In her blog post of 30 May 2019, Elizabeth Denham had issued a warning that “many of the investigations launched with our new powers are now nearing completion and we expect outcomes soon, demonstrating the actions my office is willing and able to take to protect the public.”
It is now abundantly clear that the ICO meant business when it said that it would be taking “robust action”.
On 6 September 2018, BA informed customers that, between 21 August and 5 September 2018, the details of approximately 380,000 customers (names, billing addresses, email addresses, travel details, bank card numbers, CVV codes and card expiry dates) had been subject to a sophisticated and extensive cyber-attack. Hackers managed to infiltrate the BA website and app in order to scrape valuable financial information.
The ICO has not yet announced details of how the proposed fine has been calculated. We expect that one of the aggravating factors contributing to the eye-watering level of the penalty was the nature of the financial information stolen. Not only did the hackers skim customer names, billing addresses and bank card details, but they also obtained CVV numbers (the three- or four-digit security number on cards needed to complete online transactions).
At the time that BA announced details of the breach, it confirmed that it did not store CVV numbers, leading security experts to speculate that malware was used to scrape the details live as they were entered by customers on the BA site or app. In November 2018, security company RiskIQ released a blog post indicating that affected BA customer details were being sold on the dark net by the cybercrime group Magecart.
Under the old data protection regime, the highest monetary penalty issued by the ICO was to Equifax for a cyber hack affecting around 15 million UK citizens (and around 145 million individuals worldwide). The fine was for £500,000, which was the maximum level of fine available to the ICO under the Data Protection Act 1998. In the UK, the personal data records affected by the Equifax breach comprised names, email addresses, dates of birth, telephone numbers, driving licence numbers, usernames, passwords, secret questions and answers to those questions, and partly obscured financial information.
Given the substantial increase in the fining powers of the ICO, it would be very useful if the Information Commissioner would publish the criteria it uses for determining the level of the initial fine imposed. This would assist organisations in predicting and planning for the potential exposure arising from their processing activities.
BA now has an opportunity to make representations to the ICO in respect of the level of the penalty and the findings. As the lead supervisory authority for the breach, the ICO also announced that it will be taking representations from other EU supervisory authorities whose residents have been affected by the breach.
BA may also face individual claims. For example, a potential class-action claim, led by US-UK law firm SPG Law, asserts that affected individuals may be entitled to recover £2,000 or more each.