In 2018, British Airways suffered a high-profile data breach. More than 400,000 people were affected, and both personal and credit card-related information was compromised. Last year, the Information Commissioner’s Office announced that the company could face a fine in the region of £183 million. Then, last week, it was reported that a fine of £20 million had been imposed. ICO fines can be issued for up to £17.5 million or 4% of an organisation’s annual worldwide turnover (whichever is higher).
A huge development in the security landscape
Although nowhere near the originally quoted figure, this latest of ICO fines is still huge within the cyber security landscape. We spoke with CRIBB’s Technical Director, Patrick Carolan, about what it means moving forwards.
We published an article after the breach and then posted on social media when the £183m fine was announced. Why do you think the actual fine has been reduced by so much?
I think there are several factors involved. I believe that the ICO mentioned COVID-19 and the impact that has had on the economy affecting the decision. There is also a feeling in the security community that BA reacted relatively well afterwards. They were very helpful in the subsequent investigation, too.
Make sure that your existing security protocols and policies are kept up to date. Regular training for all staff will be vital, too – awareness is key in the pursuit of cyber resilience!
Our cyber security experts are always ready to provide evaluations of security frameworks and processes; just contact us for more information.
Patrick, do you think the fine still represents a significant landmark in the cyber security world?
Definitely, it is absolutely massive in the grand scheme of things because it demonstrates their hard-line stance. Companies must have robust data protection measures in place, regardless of size or stature. BA are a huge brand known around the world, a British institution in fact. Take that into consideration along with the travel industry’s current plight and you can see that the ICO means business.
How did this data breach happen in the first place?
There still haven’t been many technical details released about the incident but we do know it was hackers. We also know that names, email addresses and credit card details were stolen.
We also know that the cyber attack took place between 21st August and 5th September. BA issued a statement addressing customers who had made a payment during that period. All of which might suggest that the information was obtained at the point of entry, so it could have been that a script containing malicious coding was used on the website.
Of course, you cannot rule out foul play from the inside – a disgruntled employee, for example, might have tampered with the site.
Speculation aside, could this have been prevented?
It’s very easy to say ‘yes’ with hindsight, but I think it just goes to show how vulnerable companies and organisations are these days. Between relatively simple email phishing scams and more complex hacking incidents, if you do not have strong cyber security policies and processes in place, you are definitely a target. It’s important to note that even if you do think that you have watertight controls, you should still be analysing and evaluating everything. Cyber-attacks and data breaches are constantly evolving.
Finally, why was there such a big gap in between the breach occurring and the fine being issued?
It’s interesting because a lot of the cyber security community have questioned that. For me, I firstly think that it was such a big incident that it needed to be dealt with in absolutely the right way. It needed the appropriate amount of consideration and investigation. Secondly, 2020 has obviously had a devastating impact across the board, and economically it definitely needed to be factored into the final decision. Thirdly, and perhaps the most important aspect, is that in terms of ICO fines, this was the first major one under the EU data regulation GDPR. As such, it was always going to be a landmark decision.