In 2018, British Airways suffered a high-profile data breach which affected more than 400,000 people and impacted both personal and credit card-related information. Last year, the Information Commissioner’s Office announced that the company could face a fine in the region of £183 million, but last week it was reported that a fine of £20 million had been imposed.

Whilst nowhere near as high as the originally quoted figure, this latest development is still a huge one on the cyber security landscape, and we spoke with CRIBB’s Technical Director, Patrick Carolan, about what it means moving forward.

We published an article after the breach and then posted on social media when the £183m fine was announced; why do you think the actual fine has been reduced by so much?

I think there are several factors. I believe that the ICO mentioned COVID-19 and the impact that has had on the economy as something that affected the decision, but there is also a feeling in the security community that BA reacted relatively well afterwards and was very helpful in the subsequent investigation.

Top Tip

Make sure that your existing security protocols and policies are kept up to date and that regular training is provided for all staff – awareness is key in the pursuit of cyber resilience!

For greater peace of mind, our cyber security experts are always ready to provide in-depth evaluations on security frameworks and processes, just contact us for more information.

Patrick, do you think the fine still represents a significant landmark in the cyber security world?

Definitely, it is absolutely massive in the grand scheme of things because it demonstrates their hard-line stance on companies having robust data protection measures in place, regardless of size or stature. BA are a huge brand known around the world, a British institution in fact, so when you take those facts into consideration along with the situation the travel industry finds itself in right now, you can see that the ICO very much mean business.

How did this data breach happen in the first place?

There still haven’t been many technical details released about the incident but we do know it was hackers and we also know that names, email addresses and credit card details were stolen.

We also know that the cyber attack took place between 21st August and 5th September, and that BA issued a statement addressing customers who had made a payment during that period – all of which might suggest that the information was obtained at the point of entry, so it could have been that a script containing malicious coding was used on the website.

Of course, you cannot rule out foul play from the inside – a disgruntled employee, for example, might have tampered with the site.

Speculation aside, could this have been prevented?

It’s very easy to say ‘yes’ with hindsight, but I think it just goes to show how vulnerable companies and organisations are these days. Between relatively simple email phishing scams and more complex hacking incidents, if you do not have strong cyber security policies and processes in place, you are definitely a target. It’s important to note that even if you do think that you have watertight controls, you should still be analysing and evaluating everything, because cyber attacks and data breaches are constantly evolving.

Finally, why was there such a big gap in between the breach occurring and the fine being issued?

It’s interesting because a lot of the cyber security community have questioned that. For me, firstly, it was such a big incident that it needed to be dealt with in absolutely the right way and with the appropriate amount of consideration and investigation. Secondly, 2020 has obviously had a devastating impact across the board, and economically it definitely needed to be factored into the final decision. Thirdly, and perhaps most importantly, this was the ICO’s first major fine under the EU data regulation GDPR, and as such was always going to be a landmark decision.