One of the biggest data breaches in UK corporate history has been closed off by regulators not with a bang, but a whimper — as a result of Covid-19. Today the Information Commissioner’s Office, the UK’s data watchdog, announced that it would be fining British Airways £20 million for a data breach in which the personal details of more than 400,000 customers were leaked after BA suffered a two-month cyberattack and lacked adequate security to detect and defend itself against it. It had originally planned to fine BA nearly £184 million, but it reduced the penalty in light of the economic impact that BA (like other airlines) has faced as a result of Covid-19.
The major step down in the fine underscores the impact the coronavirus pandemic is having on regulation. In some cases, in order to address issues that potentially impact business growth more quickly, we’ve seen regulators try to speed up their responsiveness and even set aside previous reservations to green-light activities, as in the case of e-scooters.
But in the case of the BA fine, we’re seeing the other side of the Covid-19 impact: regulators are taking a less hard line with penalties on companies that are already struggling. That raises questions of how impactful their decisions are, and what kind of a precedent they are setting for future security and data protection neglect.
Even with the reduced penalty size, the ICO is sticking by its original conclusions:
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham in a statement. “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
The fine is the highest ever levied by the ICO. But it’s a major step down from the £184 million penalty — 1.5% of BA’s revenues in the 2018 calendar year — that the regulator had originally set last year. That was, of course, before the coronavirus pandemic hit, halting travel globally and bringing many airlines to their knees. The original order went through a process of appeal, which included an assessment of the state of the company in the current market.
“In June 2019 the ICO issued BA with a notice of intent to fine,” the ICO noted in its statement on the reduced fine. “As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.”
The salient facts of the investigation’s findings remained the same: the ICO had determined that BA had “weaknesses in its security” that could have been prevented with security systems — procedures and software — that were available at the time.
As a result, data from 429,612 customers and staff was leaked, including “names, addresses, payment card numbers and CVV numbers of 244,000 BA customers,” the ICO said, adding that the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers were also believed to be a part of the breach, as well as the usernames and passwords of BA employee and administrator accounts, and the usernames and PINs of up to 612 BA Executive Club accounts (these last two were also not completely verified, it seems).
On top of that, the ICO said, BA never detected the attack itself: it was notified of the breach by a third party.
The ICO said that its action has been approved by the other data protection authorities (DPAs) in the European Union. This is because the attack happened while the UK was still in the EU, so the investigation was carried out by the ICO on behalf of the EU authorities.