GDPR fine British Airways: hacked company double victim?

The British Supervisory Authority, the British Information Commissioner's Office (ICO), announced its intention to impose a GDPR fine of £183 million (equivalent to €243.47 million) on British Airways. This is 1.5% of the total turnover of the company in the financial year 2017. Since it is a proposed fine, British Airways can still express their position and comments on the investigation, the findings and the fine proposed by the ICO.

• Related: One year GDPR: an overview of enforcement, warnings and fines

What happened?

A cyber-attack on British Airways

The trigger for the GDPR fine proposed by the ICO was a cyber-attack on the British airline. Since June 2018, cybercriminals have been redirecting traffic to the official British Airways website to another fraudulent website. The ICO's investigation revealed that cybercriminals obtained personal data from approximately 500,000 customers through this mechanism. 

An investigation by the ICO as lead authority

The British supervisory authority started the investigation after the data breach was notified to them by the airline in September 2018. The investigation revealed that different categories of personal data had been leaked. This included data such as login details, booking details, contact details, but also financial data such as expiry dates and the three-digit CVC code of credit cards. However, British Airways states on its website that no travel dates or passport details have been leaked. 

The study will be conducted by the ICO as the leading supervisory authority under the one-stop shop mechanism. This mechanism implies that the supervisory authority of the head office in the EU will conduct the investigation and will cooperate with the other supervisory authorities to this end. These authorities will also be able to comment on the proposed fine before the ICO imposes a final fine.  

The proposed administrative fine

Potentially the highest GDPR fine so far

The GDPR provides that an administrative fine may not exceed 4% of the total worldwide annual turnover in the preceding business year of the undertaking concerned (Article 83 GDPR). The fine of £183.39 million (equivalent to €243.47 million) proposed by the ICO is equal to 1.5% of British Airways' annual turnover in 2017. The proposed fine is thus within the limits set by the GDPR, but would be the highest fine imposed so far by a supervisory authority. This potential fine amounts to four times the fine imposed on Google earlier this year by the CNIL. 

Factors that play a role in the determination 

In any event, the ICO should take into account the elements of Article 83 of the GDPR for the determination of the fine. It also provides that any fine must be effective, proportionate and dissuasive. However, the ICO has not yet provided any information on the exact criteria for determination of the fine, but according to us the following elements seem to be relevant to this determination:

1. A first element is that the size of the data breach was greater than reported by the airline. British Airways claimed on 6 September 2018 that there would be 380 000 people involved in the data leak, but the ICO's investigation stated that there would be 500 000 people involved. ICO may have taken this element into account determining the fine.
2. A second element is the nature of the leaked personal data, namely financial data. Although these data do not constitute sensitive data within the meaning of Article 9 of the GDPR, a leak of such data could lead to damage to the data subjects. After all, enough information - including customer names, billing addresses and CVC codes - had been leaked to carry out online transactions with the money of those involved. 
3. A third element in the calculation of the fine is the lack of appropriate security measures. The cyber-attack is likely to have been made possible by the fact that British Airways had not taken adequate technical and organisational security measures as required by the GDPR (Article 32 GDPR). 

British Airways does not accept the fine

According to the ICO, British Airways participated in the investigation and the airline has in the meantime improved its security system, but this proved to be insufficient to convince the ICO not to fine them. 

In the meantime, British Airways announced that it was surprised and disappointed by the possible fine proposed by the ICO in its communication. According to the CEO, the company reacted quickly to the theft of its customer data. In the same communication, International Airlines Group - the group to which British Airways belongs - stated that it did not agree with the fine proposed by the ICO. They will take all measures to defend the position of the company and, if necessary, to appeal against the fine.

It remains to be seen whether the ICO will stand firm and actually impose this monster fine. Meanwhile, affected consumers can find all their questions on the British Airways website. 

Six preliminary lessons from the case  

1. Take into account the GDPR basic principles: only process personal data that are necessary in accordance with the principle of data minimization and storage limitation. For example, do not store a CVC code for a long time if it is not needed.
2. Take appropriate technical and organisational measures: when processing personal data, appropriate measures must be taken to ensure security.
3. Take extra care with financial data: those who process financial data must be extra careful. Take appropriate measures that reflect the risk.
4. Report a data breach on time: if there is a risk, report the data breach to the competent supervisory authority within 72 hours and provide all information that is available at that time.
5. Make an additional report if necessary: a report can be made in several phases. This means that the first report can still be adjusted by means of a second report. For example, this may be necessary if an internal investigation reveals that the number of people affected is greater than initially thought. 
6. Avoid double loss: if you do not take adequate technical and organisational measures and are targeted by hackers, you will suffer double loss, i.e. a major dent in the image and a high GDPR fine.