British Airways hack: why record £183m fine could have been far greater

British Airways has been fined £183m over a major security breach last year - the biggest penalty ever handed out by the UK Information Commissioner’s Office (ICO).

The airline says it is “surprised and disappointed” by the decision and plans to appeal.

But experts point out that the regulator could have slapped BA with a fine totalling more than double that amount, under the Europe-wide General Data Protection Regulation (GDPR). So what are the new rules and why was this case so significant?

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

What happened in the BA hack?

On 6 September, the airline announced that the personal and payment details of tens of thousands of customers had been stolen during a data breach.

“Details of payment cards, including the number, expiry date and three-digit security code or ‘card verification value’ (CVV) were illegally extracted from the reservations system,” reports The Independent.

BA said that hackers had carried out a “sophisticated, malicious criminal attack”, compromising 382,000 transactions carried out on its website and app between 21 August and 5 September. Police and the “relevant authorities” had been notified, the company added.

Apologising to the people affected, BA bosses said that the breach had been resolved and that stolen data did not include travel or passport details. The firm had begun contacting customers “the moment” that the breach was discovered, the airline added.

The ICO this week said that users of the website had been diverted to a fraudulent site, where details of around 500,000 people were harvested.

Following the announcement of the fine, BA chair Alex Cruz said on Monday: “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

Where does GDPR come in?

The BA fine is the first to be made public under the new rules, which came into effect in May 2018 in “the biggest shake-up to data privacy in 20 years”, says the BBC.

“Until now, the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR,” says the broadcaster.

The new rules allow a maximum penalty of 4% of the guilty party’s turnover - which for BA would have amounted to £488m. Instead, the penalty inflicted amounts to 1.5% of its the airline’s turnover in 2017 and is considerably lower than the £488m maximum.

The case has attracted considerable interest as the first of its kind, as cybersecurity journalist Kate O’Flaherty noted in an article for Forbes last September.

Ian Thornton-Trump, a cybersecurity industry veteran, told O’Flaherty that it would be a “tough” decision for the ICO. “Everyone wants the GDPR to have teeth so the ICO has to strike to right balance here,” he explained.

The BA breach was not as bad as some other recent hacks, such as that suffered by Equifax in 2017, and the maximum fine might push BA to the point of insolvency, Thornton-Trump added.

He predicted a fine “in the £5m to £10m range”, adding: “That’s substantial but it does not put the company at risk and is not ‘too political’.”

Protesting against the £183m fine announced this week, Willie Walsh, chief executive of the International Consolidated Airlines Group (IAG), BA’s parent company, said: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”