Regulatory Cyber Alert: ICO to Fine British Airways £183.39m ($230M) Under GDPR for Data Breach

On 8 July 2019, the UK’s Information Commissioner’s Office (ICO) announced its intent to fine British Airways £183.39m ($230M) under the General Data Protection Regulation (GDPR) for a breach that occurred from 21 August through 5 September 2018. During this breach the personal data of approximately 500,000 customers was stolen. The proposed penalty represents the largest fine of a company since GDPR came into force. The fine is approximately 367 times larger than the previous (pre-GDPR) record ICO fine of £500,000 imposed on Facebook for the Cambridge Analytica scandal.

Researchers from the RiskIQ threat management firm attribute the British Airways (BA) breach to the Magecart threat group, a group notorious for using physical devices and software code to “skim” credit card and other personal information entered by consumers. In this instance, after careful surveillance of the BA website source, Magecart injected JavaScript into BA’s online and mobile ticket booking systems. Using camouflaged scripts, the code diverted customer information, including names, email addresses, and credit card information such as credit card numbers, expiration dates, and three-digit security codes, to a Magecart domain in Romania.

The proposed ICO penalty, while a record amount, is still less than the maximum 4% of turnover allowed by the GDPR. Nonetheless, despite the noted cooperation of BA with the ICO, the fine is the largest ever imposed by a regulatory agency. BA has 28 days to appeal this decision, and is in the process of preparing representations to the ICO.

ACA Aponix Guidance

With this fine, the ICO is clearly indicating the seriousness it affords to the needs of companies to protect personal data, and the severity with which it intends to penalize those firms that are lacking in this regard. All firms need to ensure that they are in compliance with GDPR and other relevant data privacy regulations. Additionally, these safeguards are crucial toward portfolio companies holding customer personal data.

ACA Aponix recommends that firms:

• Review and heighten cybersecurity efforts toward protection of personally identifiable information
• Establish and review compliance programs with GDPR and/or other data privacy regulations
• Notify employees regarding the data breach, and suggest that if they were personally affected, they should close current credit card accounts and open new ones in their stead

How We Help

ACA Aponix can help your company reduce the risk of a data breach and avoid regulatory penalties. We offer the following services:

• GDPR gap analysis
• GDPR awareness training
• GDPR vendor diligence
• Cybersecurity and technology risk assessments
• Phishing testing and cyber awareness
• Penetration testing and vulnerability assessments
• Policies, procedures and governance
• Cyber incident response planning
• Mock regulatory cyber exams
• Threat intelligence

Contact Us

For More Information

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com