In June 2018, British Airways became aware that it was the subject of a complex cyber-attack. Online traffic was diverted away from the BA website to a false site, where customer details were scraped and retained by fraudsters. Approximately 500,000 customers had their personal data stolen and abused, including credit card details, names and addresses. The incident was only brought to the attention of the government watchdog appointed to handle such matters, the Information Commissioner’s Office (ICO), in September 2018.
The incident comes after the introduction of the Data Protection Act 2018 into the law of the United Kingdom. This, in turn, gave effect to the General Data Protection Regulation (Regulation (EU) 2016/679), which imposes at a European level more onerous and stringent requirements and responsibilities upon big businesses. Further to this, the framework offers more in the realms of punishments and sanctions where companies are found to have failed to prevent an information breach, or to have failed to put in place the appropriate policies and practices to combat attacks such as that suffered by BA. Thus, this incident at BA has been the first opportunity the ICO has had to flex its new muscles under the fresh legislation…and it hasn’t let it slip through its fingers.
On 8 July 2019, the ICO published its intention to fine BA a total of £183.39 million. This is an undeniably large figure to hit a company with; however, the fine has split opinion to some extent. There are those who point out that this figure is only 1.5% of BA’s annual turnover, whilst the new GDPR legislation, both in the UK and at the level of the European Union, allows the ICO to fine a company 4% of its annual turnover or £17 million, whichever is greater and appropriate.
Regardless of one’s opinion, the fine and published intention show that the ICO is taking GDPR seriously. This fine has blown the previous record fine imposed by the ICO out of the water: the £500,000.00 fine slapped onto Facebook following the Cambridge Analytica scandal in 2016. If anything, published intentions such as this should raise the alarm for any business still dragging its feet in relation to GDPR, because you may find the ICO on your doorstep sooner than you think.
Another lesson best taken from this decision is the importance of cyber-security in modern business. The thriving information age has seen businesses and companies that operate online come to hold large quantities of sensitive and commercial information. This, naturally, makes them prime targets for those seeking to use the internet malevolently. A thorough review of internet and online security would be well advised in the midst of a gradually growing, hostile online environment targeting businesses that hold consumer data.
For any legal advice on your own data protection procedures, policies and practices, Backhouse Jones can provide quality, informed guidance on how best to avoid an adverse ICO decision, or how best to mitigate the damage should you find yourself under investigation. For such services call 01254 828300 and speak to Brett Cooper or Jo Dawson-Gerrard.