ICO issues record breaking fine

Joseph Poppy Headshot
Joseph Poppy
Security Blogger
08/07/2019

British Airways data breach

Cyber security may be about to become more than AOB for organisational boards across the country. British Airways has been struck with a record-breaking £183-million fine as a result of its data breach last year in which around 500,000 customers had their data stolen, including credit card and CVV numbers. This is perhaps the first example of the ICO really flexing their fining muscles post-GDPR, which allows for a maximum fine of up to €20-million or 4% of annual turnover (whichever is greater) for non-compliance.

We spoke briefly about BA’s data breach when it happened. The crux of our article was that compliance does not equate to security and our stance has not changed. Whether it’s PCI DSS, ISO 27001 or Cyber Essentials, compliance isn’t a magic shield that wards off hackers. Of course, they help, but businesses need to be continually reviewing and testing their security strategy throughout the year regardless. If they don’t, they’ll get breached no matter how many signed certificates they have.

This is perhaps the first example of the ICO really flexing their fining muscles post-GDPR

ICO bares its teeth

Contrary to what you might think, regulatory bodies don’t tend to go for the scarily large numbers just because they can. BA’s £183 million might seem a touch steep if you compare it to Facebook’s relatively paltry fine of £500,000 for its role in the Cambridge Analytica scandal. Considering the social media giant racked up $40 billion in revenue in 2017, they probably didn’t notice a casual half a million slip away to the ICO. However, it’s worth noting that this case had to be reviewed under the Data Protection Act, not GDPR. £500,000 was the maximum fine back then in the careless heyday of a pre-GDPR world. Had the whole thing occurred just a short while later, things could have been a lot worse for Zuckerberg and crew.

The BA data breach occurred after that fateful day of May 25th 2018 and, therefore, was subject to the full wrath the legislation allowed. It should be noted that the airline plans to dispute the decision, which is legal speak for spluttering “how much?” However, the ICO have been quoted as saying British Airways had “poor security arrangements” where customer information was concerned. Seeing as customers were unwittingly being diverted to a fraudulent website, it seems hard to argue with this statement. Best practices were probably not being followed.

Whilst BA has cooperated fully with the ICO, they were still responsible for the protection of their customers’ personal data. If there were indeed “poor security arrangements” in place, then they did not take this responsibility seriously enough. Article 32 of GDPR stipulates that the “appropriate technical and organisational measures” should be in place to ensure the security of personal data. At this point in time, it doesn’t seem like this was the case for BA. That is one possible reason for the large fine.

A Physically locked up hard drive next to a laptop with ransomware
Transferring £183 million

The ICO have been quoted as saying British Airways had “poor security arrangements”
A scam alert on a desktop email client
Ticking all the positives.

A warning about cyber security

Whilst it may be difficult for BA to see the positives in this, there are some to be seen from a cyber security perspective. If there’s one thing the higher-ups at companies hate, it’s losing money. The more zeroes on a loss, the more they hate it. It could well be that the ICO has implemented such a large fine to wake businesses up to the severity of the situation. They have a duty to protect their customers’ data and, if they fail in this duty, there’ll be more than just reputational damages to consider.

I can see various suited board members across the country – perhaps even the world – leaning forward and taking note. This note will be ‘get better at cyber security’. It will be in capital letters and underlined twice.

An example has been made and if companies don’t react, they’ll suffer a similar fate. Ripples may already be in motion. Cyber security will rapidly move up the agenda for all businesses, regardless of the size, and customers will benefit from knowing their data is in safe hands.

As Bulletproof co-founder, Oliver-Pinson Roxburgh states “businesses need to get cyber security right, and it’s not necessarily that costly a process, especially when you consider the potential cost of a breach. Regulatory fines are just one aspect, there’s the cost of mitigation, the potential loss of customers and reputational damages to consider.”

It could well be that the ICO has implemented such a large fine to wake businesses up to the severity of the situation.

Staying compliant

GDPR is with us to stay and organisations will have to take their responsibility over customer data seriously. This means having the right tech and management processes in place to ensure security is as tight as it can be. This fine levied at British Airways may well encourage others to get it right before it’s too late. Penetration tests, effective log monitoring, active threat hunting with managed SIEM and proper training are all integral to a strong security strategy and will help your organisation avoid these hefty fines.

Joseph Poppy Headshot

Meet the author

Joseph Poppy Security Blogger

Joseph is a Communications Executive and Security Blogger who has contributed articles covering a range of topics including staying ahead of cyber threats.

10 Steps to Cyber Security

Find out how to secure your business in 10 steps with our free best practice infographic.

Download now

Trusted cyber security & compliance services from a certified provider


Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.