British Airways hack: why record £183m fine could have been far greater
Airline data breach was first major case under new GDPR rules
British Airways has been fined £183m over a major security breach last year - the biggest penalty ever handed out by the UK Information Commissioner’s Office (ICO).
The airline says it is “surprised and disappointed” by the decision and plans to appeal.
But experts point out that the regulator could have slapped BA with a fine totalling more than double that amount, under the Europe-wide General Data Protection Regulation (GDPR). So what are the new rules and why was this case so significant?
What happened in the BA hack?
On 6 September, the airline announced that the personal and payment details of tens of thousands of customers had been stolen during a data breach.
“Details of payment cards, including the number, expiry date and three-digit security code or ‘card verification value’ (CVV) were illegally extracted from the reservations system,” reports The Independent.
BA said that hackers had carried out a “sophisticated, malicious criminal attack”, compromising 382,000 transactions carried out on its website and app between 21 August and 5 September. Police and the “relevant authorities” had been notified, the company added.
Apologising to the people affected, BA bosses said that the breach had been resolved and that stolen data did not include travel or passport details. The firm had begun contacting customers “the moment” that the breach was discovered, the airline added.
The ICO this week said that users of the website had been diverted to a fraudulent site, where details of around 500,000 people were harvested.
Following the announcement of the fine, BA chair Alex Cruz said on Monday: “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
Where does GDPR come in?
The BA fine is the first to be made public under the new rules, which came into effect in May 2018 in “the biggest shake-up to data privacy in 20 years”, says the BBC.
“Until now, the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR,” says the broadcaster.
The new rules allow a maximum penalty of 4% of the guilty party’s turnover - which for BA would have amounted to £488m. Instead, the penalty inflicted amounts to 1.5% of the airline’s turnover in 2017 and is considerably lower than the £488m maximum.
The case has attracted considerable interest as the first of its kind, as cybersecurity journalist Kate O’Flaherty noted in an article for Forbes last September.
Ian Thornton-Trump, a cybersecurity industry veteran, told O’Flaherty that it would be a “tough” decision for the ICO. “Everyone wants the GDPR to have teeth so the ICO has to strike the right balance here,” he explained.
The BA breach was not as bad as some other recent hacks, such as that suffered by Equifax in 2017, and the maximum fine might push BA to the point of insolvency, Thornton-Trump added.
He predicted a fine “in the £5m to £10m range”, adding: “That’s substantial but it does not put the company at risk and is not ‘too political’.”
Protesting against the £183m fine announced this week, Willie Walsh, chief executive of the International Consolidated Airlines Group (IAG), BA’s parent company, said: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”