Editor’s Note: In breaking GDPR news, in the closing days of October, the ICO reduced a fine against Marriott to £14.4 million, down from the initial fine of £99 million that ICO threatened in July 2020. We will report more on the Marriott fine in our next issue.
On 16 October, the Information Commissioner’s Office (ICO) fined British Airways plc (BA) a UK record £20 million for breaching the GDPR.
In this article, we look at the factors leading to the fine and how the ICO calculated the amount.
On detection, BA promptly notified the ICO and its customers of the hack and fully cooperated with the investigation. While those actions were taken into account, the ICO[1] found BA had seriously failed in its obligation to process the personal data of its customers in a manner ensuring appropriate security.
It is sometimes observed that the only organizations that claim not to have suffered cyberattacks are those that haven’t noticed. Given that such attacks are so prevalent, what did BA do wrong for the ICO to find it in breach of GDPR?
In this context, the standard for cybersecurity the GDPR sets is based on what is “appropriate”, not some gold-plated standard. Article 32 GDPR requires organizations to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk – taking into account the state of the art, the costs of implementation and the nature, scope and purposes of processing”. This is the standard against which BA was judged.
Features of the Event Suggesting Inadequate Security
While we do not have full technical details, some being confidential, the following features of the hack disclosed inadequacies in BA’s security:
- the hacker was able to compromise and obtain login credentials of accounts connected to employees of a BA service provider, Swissport, in a “supply chain attack”;
- system access, via Citrix, was by a single username and password, without multi-factor authentication;
- the hacker, having accessed the apps intended for Swissport, was able to access other parts of the network;
- using network reconnaissance tools the hacker obtained access to a privileged domain administrator account, whose login details were stored in plain text;
- the hacker was thereby able to access log files containing payment card details stored in plain text, the storing of which was neither intended nor required, resulting in 108,000 cards being compromised;
- the hacker was able to redirect payment card data to a website the hacker had set up, BAways.com, resulting in automatic skimming of card data; and
- the hacker remained on BA’s systems undetected for three months.
The effect of the hack was access to the personal data of some 500,000 individuals. For around 250,000 of them, the compromised data included the name, address, card number and CVV number (card security code) of BA customers.
What Happened Afterwards?
The hack was detected in September 2018 when a third party notified BA that customer data was being sent to the rogue website. BA stopped the hack within a couple of hours and the following day notified the ICO, payment card companies plus around 500,000 customers, as required by GDPR.
The ICO investigated and, after detailed submissions and evidence, issued a Notice of Intent to fine BA £183 million in July 2019. This was followed by a 15-month period of further investigation and representations by BA, involving significant extensions to the standard six months.
Over two years after receiving the initial report, the ICO announced on 16 October that it was fining BA £20 million.
Why BA was in Breach
The ICO noted that not every hack is a breach of GDPR and that it must not reason based on hindsight. The question was whether BA’s security was adequate, taking into account the GDPR factors described above – essentially whether BA had adopted current technology and processes in the light of the costs of their implementation, the nature of its personal data processing and the risk to data subjects.
The ICO found the features of the hack demonstrated BA failed to meet this standard. In particular,
- industry guidance and BA’s own Network Policy required multi-factor authentication;
- Citrix guidance identified “breakout” into other areas of IT systems as a known security issue and listed effective counter-measures which were not taken;
- storing passwords in unencrypted plain text files carried a “very high” risk of exploitation;
- there were many measures readily available to BA which it could have used to prevent or mitigate the hack without excessive cost;
- no mechanism was in place to detect the unauthorized enabling of an account by the hacker; and
- BA breached the PCI DSS requirement to minimize storage of cardholder data – CVV numbers should not have been stored at all.
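As an added illustration of the two findings on card data (payment card details sitting in plain text in log files, and CVV numbers that should never have been stored), here is constructed example code, not BA's or the ICO's: a log sanitizer that drops card security codes and truncates Luhn-valid card numbers before a line is written, plus a scanner for auditing logs already on disk. The field names, log format and sample lines are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits with optional single spaces or hyphens between them.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Card security code fields under their common names; these must never be logged at all.
CVV_RE = re.compile(r"\b(cvv2?|cvc|csc)=\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out booking refs and other digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, 10-18 folds to 1-9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match) -> str:
    """Keep first six and last four digits (PCI DSS display truncation), star the rest."""
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # not a card number, leave the text untouched
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(line: str) -> str:
    """Sanitize one log line before it is written: drop the CVV entirely, truncate the PAN."""
    line = CVV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    return PAN_RE.sub(mask_pan, line)


def scan_for_pans(lines) -> list:
    """Audit logs already on disk: (line number, masked PAN) for every Luhn-valid PAN found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group(0))):
                hits.append((n, mask_pan(m)))
    return hits


# Constructed sample lines (not BA's real logs): a payment form logged verbatim, a second
# card written with spaces, and a 16-digit booking reference that is not a card number.
SAMPLE_LOG = [
    "2018-08-21T10:15:02Z POST /payment name=J.Smith pan=4111111111111111 cvv=123 amount=249.00",
    "2018-08-21T10:15:03Z POST /payment name=A.Jones pan=5500 0000 0000 0004 CVC=9876 amount=88.50",
    "2018-08-21T10:15:04Z GET /booking ref=1234567890123456 status=ok",
]
```

Running `scan_for_pans` over an existing log directory is the quickest way to learn whether card data is being written somewhere nobody intended, which is the condition the ICO found at BA.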
BA argued the ICO was applying an unduly high standard with the benefit of hindsight and failed to have regard to the whole of its security environment. The ICO rejected this in the light of the number of appropriate measures available to BA that an organization of its scale should have taken.
BA also argued the hack was so sophisticated that appropriate security measures would not have kept it out. The ICO found it was not so sophisticated as to negate BA’s responsibilities.
The ICO confirmed that not every breach of GDPR will result in a fine. However, a fine was appropriate for serious breaches like this one which involved:
- insecure processing of large amounts of personal data for a significant period;
- around 430,000 data subjects, many of whom were likely to suffer distress knowing their card details had been accessed by a hacker;
- the compromise of “full financial” data, which carries the highest risk severity score in the ENISA[2] Guidance on assessing the severity of data breaches.
The ICO found that an appropriate level of fine, applying the GDPR test of being “effective, proportionate and dissuasive” while taking into account the factors set out in GDPR and BA’s turnover, would have been £30 million.
That figure would be reduced by 20% owing to BA’s mitigation, such as: prompt notification and cooperation, customer assistance and implementation of remedial security measures.
This gave a figure of £24 million, which was further reduced to £20 million due to the financial impact of Covid-19 on BA. This represents around 0.16% of BA’s 2017 turnover, considerably below the 4% or 2% maximum.
BA Did Not Go Quietly
Some readers might conclude that, given the facts, BA should have accepted that a finding of breach and a significant fine was inevitable.
Nothing could be further from the truth. Adopting the aggressive stance for which the recently departed CEO of its parent company is well known, BA fought the ICO on every conceivable point. It made eleven submissions against both the decision to fine it and the amount.
All of these submissions were rejected. Many were on the ‘brave’ side, for example the argument that the ICO should have fined at the DPA 1998 level when the limit was set at £500,000 and the contention that it should not use turnover as a core quantification metric.
One point of interest was whether the maximum theoretical fine was 4% or 2% of BA’s turnover. Article 32, the specific GDPR provision on data security, is in the 2% category, while breach of Article 5, the general principles of processing including data security, carries the higher 4% maximum tariff. BA’s argument that the lower percentage applies is persuasive. Although the ICO unconvincingly maintained its position that the higher limit applied, the point was academic since the £20 million fine was well below both.
BA’s spirited approach can nevertheless be justified by its relative success in having the fine massively reduced by nearly 90% from the £183 million figure in the ICO’s 2019 Notice of Intent.
There is no real explanation of why the ICO went from £183 million to what would have been £24 million in the absence of Covid, merely a statement that it was based on BA’s representations. It seems hard to believe that these could have been so radically different from BA’s initial representations to justify such a change. It therefore seems more likely that the ICO simply changed its mind on the level of fine, perhaps fearing it would be overturned on appeal.
Viewed comparatively, the biggest GDPR fines that have been issued are €50 million and €32 million to Google and H&M by the French and Hamburg authorities respectively. Those breaches involved different factors but were arguably no less serious than BA’s, certainly with regard to intent. £20 million is more consistent with that level of penalty than the mooted £183 million.
Just after its notice of intent to fine BA, the ICO issued Marriott International with a similar notice for £99 million, again for a cybersecurity breach. That case is still being dealt with, but there too a significantly reduced fine seems likely, perhaps around the £10 million mark.
BA has 28 days to lodge an appeal against this fine to the First-tier Tribunal. It will be interesting to see whether it carries on the fight.
Although this fine is far lower than first indicated, it is nonetheless significant and shows the GDPR has considerable teeth, which the ICO is not afraid to use.
A £20 million fine is also a salutary reminder for organizations subject to GDPR to have proper cybersecurity measures in place. The cost of taking such measures is far less than the costs of large fines, remedial action, private actions for compensation and damage to goodwill.
[1] Acting as lead authority, since this involved cross-border processing.
[2] The European Union Agency for Cybersecurity.