British Airways, considered the UK’s ‘flag carrier’, coined the phrase “The World’s Favourite Airline” to describe itself. It was also once the most profitable airline on the planet.
After privatisation in the 80s, BA has ridden a rollercoaster of commercial ups and downs. This finally resulted in it being absorbed into the International Airline Group (IAG) in 2011.
Subsequent poor decisions have seen low-cost carriers like Ryanair overtake BA in revenue and passengers carried. Like many companies faced with uncertain market conditions, and following the business trend of the time, BA returned to its operational roots and outsourced many business and support functions. Notably this included much of its IT.
Alongside these decisions taken by BA came the maturing of consumer protection legislation for the digital age. This is epitomised by the EU General Data Protection Regulation (GDPR) and the UK’s Data Protection Act of 2018.
The levels of security and monitoring on BA's systems at the time were such that the Information Commissioner's Office (ICO) investigators were uncertain when, or even whether, BA would ever have detected the breach by itself. In the event, BA was alerted by a third party.
The quantity and nature of the exfiltrated personal data was alarming. From the ICO website:
“The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.”
As further details emerged it became clear that the attacker had found Windows Domain Administrator credentials stored in clear text in a file on one of the compromised servers. As a security professional it is hard to overstate how serious this single fact is: a domain administrator account has control over every domain-joined machine and account, so from that point on the attacker effectively owned BA's Windows estate.
The ICO investigation, with which BA fully cooperated, determined that BA had breached the security and accountability requirements of the GDPR, and in July 2019 the ICO issued a notice of intent to levy a fine. Since at the time of the breach the UK was still in the EU, the ICO acted under the GDPR as well as the Data Protection Act 2018 (from the ICO website):
“Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.”
The ICO then considered the amount of the fine. It proposed a figure of £183 million, roughly 1.5% of BA's annual turnover. BA immediately said it would contest the figure, arguing that it had cooperated fully and that there was no evidence the data had been used in criminal activity. Cooperation, while admirable, is the minimum expectation. That none of the information appears, at this time, to have been used in criminal activity is fortunate at best, difficult to prove and ultimately irrelevant given the appalling lack of security exhibited by BA.
It is well over two years since the GDPR came into force, yet in the UK only two fines have actually been issued. The first was issued on 17 December 2019 against London-based Doorstep Dispensaree, for £275,000, after it stored patient records in a "careless" manner. Against this the BA breach and fine can be seen in perspective. Why only two fines have been issued in the UK when an EU report lists 65,000 breach notifications across Europe is unclear. With regulators in other countries issuing fines in excess of €65 million, why has the UK not followed suit?
What is clear is that data breaches of the kind experienced by BA are not uncommon. What is less common is the woeful security infrastructure and processes exposed in the BA case. It was to deter such lackadaisical security and to encourage tighter controls that the GDPR permits fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Fast forward to 2020 and the advent of Covid-19. The impact of the virus on the travel and transportation industry has been nothing short of cataclysmic. Airline business fell off a cliff, down by 90% or more year-on-year for all airlines except those specialising in cargo. This contributed to the recent announcement by the ICO that it was reducing the fine for BA to £20 million. A full description of the rationale for the reduction can be found in the ICO's official Penalty Notice.
So what are we to make of this story? Does it show that the GDPR is an effective legislative framework that adequately protects individuals' data from negligent enterprises? Or does it demonstrate that newly drafted laws may fall victim to corporations with deep pockets, with the resolution of such cases mired in lengthy and expensive wrangling where justice and fairness become additional victims?
A group action (the English equivalent of a class action) has been established in the High Court, with BA's agreement, through which the victims whose data was exposed may seek compensation. However, lawyers' groups have pointed out that some of its terms, for example a cut-off date by which to register as a claimant, may work against legitimate victims.
There is little doubt that the GDPR is the best example of data protection legislation so far. Certainly the United States has nothing comparable to deter lax security by entities managing huge amounts of personal information. The GDPR has yet to be tested in the UK courts, and had BA's failures not been so egregious, its case might well have provided such a test. BA may, even now, decide that it has grounds to challenge the ICO's ruling. Having had its fine reduced by a massive 89%, however, BA may well consider the matter mercifully closed.
As part of the deliberations on the size of the fine, the effect on the individuals whose data had been compromised was considered. In our connected and digital world the exploitation of information, personal and otherwise, is widespread and immediate. There is no putting the data genie back in the bottle. In cases such as BA's the business can put improvements in place and hope to avoid similar incidents in future. For those unlucky enough to have had their data compromised the effects could be longer lasting and carry greater consequences.
BA is not alone in having its original level of penalty adjusted. The ICO has also reduced the fine imposed on Marriott, from the £99 million originally proposed to £18.4 million. Are we witnessing a reluctance on the part of the ICO to impose the levels of fine permitted by the GDPR? Or can we simply accept the reductions as the authority taking into account the unusual circumstances of Covid-19?
One of the main discussion points, when the levels of possible fines under the GDPR were disclosed, was whether they represented a real deterrent to the large companies that handle so much of our data. Considering the massive and lasting harm that a single large data leak can inflict on potentially millions of people, the levels of fine do not seem disproportionate. Increasing numbers of companies operating on the internet are adopting an almost stateless identity, which allows them to avoid responsibilities such as local taxes. Against this backdrop a robust and severe penalty structure for the GDPR seems most welcome.
Looking forward to a time when the Covid-19 effect begins to fade, we should expect the ICO, and other defenders of individual data privacy, to take a firm stance against breaches. This should involve using the GDPR and other available legislation to impose the maximum available fines. Only in this way might companies, some of them household names, learn to address seriously their abject failures to protect personal data.