This article originally appeared in Security Today on July 10, 2019.
British Airways, the second largest airline in the United Kingdom, could have to pay a record fine of over 183 million pounds, or about $229 million, for a hack that exposed the private data of hundreds of thousands of customers. The penalty is the largest ever issued by the Information Commissioner’s Office, the British agency tasked with protecting citizens’ data privacy.
An investigation conducted by the ICO found that the airline’s lack of security measures allowed for hackers to “harvest” personal data of 500,000 customers for several months in the summer of 2018. The incident involved diverting customers from the British Airways website to a fraudulent site where users entered their names, email addresses, travel details and credit card information.
Since the attack, the company has made improvements to its security operation and cooperated with the investigation, according to the ICO.
“People’s personal data is just that – personal,” ICO commissioner Elizabeth Denham said in a Monday statement. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”
She added: “Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
The announcement came in the wake of new regulations in the U.K., introduced last year, that make it mandatory for companies to report security breaches to the ICO. The changes to the General Data Protection Regulation (GDPR) also increased the maximum penalty to 4 percent of the corporation’s turnover, or yearly net sales. While the fine on British Airways was the largest ever levied by the agency, it was only about 1.5 percent of the airline’s turnover in 2017, according to the BBC.
“If there was any doubt that regulators would enforce GDPR, the ICO’s decision to hand down an unprecedented, if unexpectedly, stiff penalty will surely put that to rest and leave all companies under GDPR anxious about data security and privacy,” said Alex Calic, the strategic technology partnerships officer for The Media Trust.
It doesn’t look like the regulator is slowing down anytime soon. On Tuesday, the ICO announced its intention to fine Mariott International over 99 million pounds, or $124 million, for a data breach that led to the exposure of 339 million sensitive guest records, 30 million of which were related to European residents.
The ICO investigators concluded that Mariott failed to undertake “sufficient due diligence” when it bought Starwood, a group of hotels that had its reservation database hacked in 2014, eventually exposing the data of over 500 million guests. The attack was only discovered and reported to the regulator in November.
Tim Erlin, the vice president of product management and strategy at cybersecurity company Tripwire, said the regulations “walk a fine line” between improving security and blaming the victim of criminal activity.
“In order for GDPR to remain effective, the supervisory authorities have to levy fines appropriately, and specifically in cases where clear negligence was present,” Erlin said. “It’s fair to expect organizations to safeguard sensitive data, but even an organization delivering above average protection can fall victim to a sophisticated attacker. Very simply, cybersecurity isn’t a solved problem.”
Both companies will have the opportunity to argue for a reduction in the fine before the ICO makes its final decision. Regardless of the outcome, security experts say the severity of the British Airways penalty should be a wake-up call to companies about the importance of data security.
“The message is clear,” Calic said. “If you collect consumer data, you’d better make sure it’s safe and know who has access to it.”