It has been widely reported this week that the Information Commissioner’s Office (ICO) has handed out its biggest penalty yet to a company for an information security breach.
British Airways (BA) has been fined a cool £183m by the ICO for its system security breach, which was disclosed in September last year. Under the new General Data Protection Regulation (GDPR), the ICO has also made the notice public.
In September, The Guardian reported the breach in an article the day after the news first broke. At the time, BA believed that the details of 380,000 transactions, including personal details such as credit card numbers, email addresses and home addresses, had been stolen over a period between June 2018 and August 2018.
Over a two-week period, visitors to BA’s website and app had been diverted to a fraudulent website, where customers’ personal details were taken by the hackers. It later turned out that the true number was far higher than the estimate BA reported in September, at around 500,000.
At the time of the reported breach, BA issued a statement and said “The stolen data did not include travel or passport details. From 22.58 BST August 21 2018 until 21.45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline's app were compromised. The breach has been resolved and our website is working normally.” They also urged their customers to contact their banks and credit card providers to alert them that their details may have been compromised.
This is the biggest penalty the ICO has imposed to date. The next largest, £500,000, was imposed on Facebook for its role in the Cambridge Analytica data scandal.
However, the ICO could have imposed a far greater fine on BA. It now has the power to penalise companies by up to 4% of turnover; £183m sounds like a lot, but it represents only 1.5% of BA’s reported turnover.
Airline owner IAG was quoted in an article published by the BBC this week as being "surprised and disappointed" by the penalty, and it now has the chance to appeal against the ICO’s decision.
Obviously the multi-million-pound fine is big news, but there is far more at stake for businesses that experience a breach. For BA and the many other companies hit by an information breach, beyond the knock to the company’s accounts there is the potentially immeasurable damage to brand reputation and the ongoing erosion of customer confidence in a brand they had trusted.
The BBC’s Technology Correspondent, Rory Cellan-Jones, said “The message is clear - if you don't treat your customers' data with the utmost care expect severe punishment when things go wrong.”
Don’t think it ‘won’t happen to me’. If you would like a chat about how secure your company data is, please do get in touch.