British Airways Facing Record Penalty; Is This the Beginning of Maximum GDPR Fines?

British Airways Facing Record Penalty; Is This the Beginning of Maximum GDPR Fines?
featured image

This article originally appeared in CPO Magazine on July 11, 2019.

The General Data Protection Regulation (GDPR) fines are what really set it apart from any previous digital privacy laws. At a maximum of the greater of €20 million (about $22.5 million USD) or 4% of annual global turnover, these fines provide the teeth needed to force companies to take their cybersecurity practices seriously. However, to date the Data Protection Authorities (DPA) of Europe have appeared to be hesitant to levy truly proportional fines against the biggest offenders. A proposed £183 million (about $229 million USD) fine of British Airways might signal a change in approach.

If it holds up, it would be about 1.5 to 2% of what the company has reported in annual earnings in recent years. For some perspective, that’s about the cost of one of the company’s Boeing 747 jets.

The British Airways data breach

The fine is being levied in response to the 2018 data breach of British Airways that exposed the sensitive data of about 500,000 customers. A criminal hacking group was able to penetrate the British Airways payment system and log data being entered by customers paying for their tickets through both the company’s website and mobile app.

British Airways is in particular trouble due to the fact that financial data (credit and debit card account numbers with CVVs) were exposed and that the breach was active for a little over two weeks before being detected and shut down. The Information Commissioner’s Office (ICO), Britain’s DPA, characterized the root cause of the breach as “poor security arrangements” at the company.

The record-setting fine

The British Airways fine would set a record for both the ICO and all GDPR authorities. The largest of the GDPR fines to date was levied against Facebook back in January; the social media company was stung for the equivalent of $57 million by France’s DPA for its role in the Cambridge Analytica fiasco. ICO’s previous largest fine was also to Facebook, but for a relatively paltry half a million pounds.

Information Commissioner Elizabeth Denham appeared to want to make a statement with this fine, declaring that “when an organization fails to protect (personal data) from loss, damage or theft it is more than an inconvenience.” The smaller GDPR fines from the ICO prior to the British Airways incident were out of necessity, as the original terms of the country’s Data Protection Act (drafted in 1998) took precedence until May of this year and put much more lenient caps on penalty amounts. ICO is now free to assess full GDPR penalties and has wasted little time in doing so.

British Airways has 28 days to appeal and to make representations to the ICO. CEO Alex Cruz issued a statement indicating that the company was “surprised and disappointed” and intends to fight the fine. It is possible to have fines reduced or even eliminated on appeal under the terms of the GDPR, but there is little precedent for doing so. It has been extremely rare for ICO to reverse or significantly reduce a fine throughout the history of the Data Protection Act – the most high-profile incident was the return of a £250,000 fine to the Scottish Borders Council in 2013, though that applied to a case in which printed physical media records of employee pensions were thrown in a recycling bin in a public parking lot.

It appears it will be very difficult for British Airways to successfully appeal this fine, but even if they do it will provide them no protection from individual or class action lawsuits from passengers who were affected by the breach. A class action suit was filed by passengers in November of 2018 and is pending. The British Airways claim that there was no fraudulent activity on accounts will face scrutiny here, as at least one affected member has gone on record claiming that their credit card was used for unauthorized charges in the wake of the breach. British Airways is owned by International Airlines Group, parent company of a number of airlines based in Western Europe including Aer Lingus and Iberia.

Is this the opening salvo of maximum GDPR fines?

Each DPA in the European Union is granted a good deal of flexibility in terms of the fine amounts they can assess. Since the GDPR went into effect in May of last year, the trend has been away from unusually large fines.

Full enforcement began at that time with no official grace period. It might appear as if an unofficial transitional period has been in effect across Europe, but ICO has stated that they would have sought a much larger fine of Facebook in January had they possessed the legal ability to do so at the time.

Very large GDPR fines have proven to be counterproductive in some cases. Smaller companies that are hit with large GDPR fines sometimes cannot absorb the cost and are instead liquidated, which leads to net lower recovery amounts for the government. This should not be an issue with a company the size of British Airways, however. If the full fine remains in place, the company would essentially lose the equivalent of one of their fleet of about 400 Boeing 747s.

Tim Erlin, VP, product management and strategy at Tripwire, had this to say about finding a balance:

“The size of this fine certainly sends a clear message for GDPR enforcement: protect your customers’ data or pay. If anyone was unclear on how GDPR would be enforced, this fine should deliver clarity.

“Regulations like GDPR can be used to raise the bar on information security across whole industries, but we are fundamentally talking about criminal activity here, and these regulations also walk a fine line between improving security and blaming the victim. In order for GDPR to remain effective, the supervisory authorities have to levy fines appropriately, and specifically in cases where clear negligence was present. It’s fair to expect organizations to safeguard sensitive data, but even an organization delivering above average protection can fall victim to a sophisticated attacker. Very simply, cybersecurity isn’t a solved problem.”

GDPR compliance

GDPR fines are all about proportionality. Large enterprise-scale businesses that are entrusted with personal data of millions of people have the most to fear, but also the greatest ability to absorb the impact.

Alex Calic, strategic technology partnerships officer for The Media Trust, expanded on what this heavy British Airways fine means for the European regulatory landscape:

“If there was any doubt that regulators would enforce GDPR, the ICO’s decision to hand down an unprecedented, if unexpectedly, stiff penalty will surely put that to rest and leave all companies under GDPR anxious about data security and privacy. The message is clear. If you collect consumer data, you’d better make sure it’s safe and know who has access to it. Moreover, reporting a breach and cooperating with regulators after the fact won’t guarantee immunity from the penalties.

“The problem is most third parties are strangers to site and mobile app owners, yet they often have access to user data and operate outside the site or app owner’s IT perimeter. Companies under GDPR and other data privacy laws on the horizon should retake control of their digital ecosystems. This means closely monitoring their digital assets for any unauthorized parties and activities, as well as working with third parties on enforcing digital policies and rooting out those who break them.”

Small-to-medium businesses need to take compliance just as seriously, as the high rate of company dissolutions due to much more modest fines demonstrates. One of the steps to protect fundamental data and stay in compliance with the GDPR is the appointment of a qualified Data Protection Officer when required. Companies must also have a process in place to allow the DPO to readily audit the storage and transfer of all personal data that passes through the network.

Cybersecurity is the other main key. What can the British Airways example teach us? The company was laid low by Magecart, a group that is notorious for attacking shopping cart systems. Magecart’s attacks are the online equivalent of the credit card skimmers that are installed in ATM machines. The group prefers unpatched, improperly secured systems with known vulnerabilities. Patching and updating is crucial, but so is keeping a careful eye on any extensions that are installed. Extensions often come packed with their own unique vulnerabilities. In the case of the British Airways breach, it appears the attackers’ initial point of compromise was the baggage claim information lookup feature used on both the website and Android app.