BA fined nearly £200m over data breach

Last year, ITIJ reported on a cyberattack targeting airline British Airways (BA), which at the time was thought to have compromised the data of some 382,000 customers. The airline faced thousands of pounds in compensation costs and a potentially major fine – and now it has been revealed that the UK Information Commissioner’s Office (ICO) intends to fine the airline £183.39 million for infringing the General Data Protection Regulation (GDPR).

The cyberattack in question, which is thought to have begun in June last year, involved user traffic from BA’s website being redirected to a fraudulent site, where customer data was harvested by hackers and uploaded to the dark web. The ICO says that, rather than 382,000, the number of customers whose data was affected is more in the region of 500,000; this included login, payment card and travel booking details, as well as names and addresses.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO has pointed out that BA has co-operated fully with its investigation and implemented new security measures to avoid a repeat of the incident. The airline will now have an opportunity to make its own case to the ICO regarding the organisation’s findings and its proposed sanction.

Javvad Malik, a security awareness consultant at cybersecurity firm KnowBe4, commented: “While there is no denying that it is a large fine, it is commensurate with the breach, which saw nearly half a million customers’ personal and financial data impacted. After the introduction of GDPR last year, many wondered when the large fines would begin, and this seems to be it.”

Expanding on this, Anna Russel, Vice-President of data protection firm Comforte AG, said that it was important for companies to understand that GDPR is a regulation ‘that has teeth’. “Google was already fined €50 million in France earlier this year, and now with the case of British Airways, it is becoming clear that more big fines will be handed out if organisations fail to take data privacy seriously,” she said. “Elizabeth Denham has pointed out something that many companies don’t yet seem to understand – the personal data that they are processing and storing is not their property. They have only been entrusted with it. That’s a big difference.” She went on to say that British Airways and other organisations handling large amounts of customer data need to take their responsibility seriously, and approach data security with the thoroughness it deserves.

‘Tokenisation’ of data is one method that she suggested companies could adopt. This approach involves all sensitive data being replaced by ‘tokens’, so that in the event of a breach, it is not the actual underlying personal data that is lost, but rather the tokens. This also means that as the data itself is what is protected – rather than the system that holds it – the security measures travel with the data, so it is always protected, wherever it goes.
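
A minimal sketch of the vault-based form of tokenisation described above, as an added example that is not part of the original article or any vendor's product. The field names, the sample booking and the token format are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed field names for a booking record (not from the article).
SENSITIVE_FIELDS = ("name", "address", "card_number")

# Constructed sample record; the card number is a standard test value.
SAMPLE_BOOKING = {
    "booking_ref": "ABC123",
    "route": "LHR-JFK",
    "name": "Alex Example",
    "address": "1 Sample Street, London",
    "card_number": "4111111111111111",
}


class TokenVault:
    """Holds the only mapping between random tokens and the original values."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)
        self._by_token = {}   # token -> original value
        self._by_index = {}   # keyed hash of value -> token

    def tokenise(self, field, value):
        # A keyed hash lets a repeated value reuse its token without the
        # vault having to search the stored originals.
        index = hmac.new(self._index_key, f"{field}:{value}".encode(),
                         hashlib.sha256).digest()
        if index in self._by_index:
            return self._by_index[index]
        token = "tok_" + secrets.token_hex(8)   # random, not derived from value
        if field == "card_number":
            token += "_" + value[-4:]           # keep last four for receipts
        self._by_token[token] = value
        self._by_index[index] = token
        return token

    def detokenise(self, token):
        return self._by_token[token]


def tokenise_record(vault, record):
    """Return the copy an application database would store."""
    return {k: vault.tokenise(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    print(tokenise_record(vault, SAMPLE_BOOKING))
```

The vault holds the only copy of the original values, so access to it has to be restricted far more tightly than access to the systems that store the tokens.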

Cases such as this illustrate that the new cyber battleground, where data takes the place of the gold and silver that pirates of old would once chase down on the high seas, remains dangerously misunderstood by big organisations. Many have seemingly failed to take a proactive approach to data security, which unfortunately means that it will take huge high-profile cases like this – in which trusting customers have had their personal information compromised – for the message to sink in. For better or worse, money talks, so maybe the threat of a hefty fine will be enough for businesses across the travel, insurance and every other industry to start taking this issue seriously.