Giuristidimpresa.co.uk


ICO fines British Airways £20m for data breach affecting more than 400,000 customers

Abstract


On 16 October 2020 the ICO served a penalty notice of £20 million on British Airways plc, following its investigation into the 2018 breach.


The ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. 


This failure broke data protection law and, subsequently, British Airways was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

ICO investigators found British Airways ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded, and the Commissioner therefore decided to impose a penalty under section 155 of the Data Protection Act 2018.

This paper summarises and explains the reasoning behind the decision and extracts the best practices applicable to the case.

  1. Introduction 
  2. Personal Data involved in the Failure
  3. How the company should have reacted
  4. Conclusion
  5. Best practices in prevention


1. Introduction


In summary, between 22 June and 5 September 2018 a malicious actor ("the Attacker") used a compromised credential for a Citrix remote access gateway ("CAG") to gain access to the British Airways network and, through it, to an internal web application.


Having obtained access, the Attacker edited a JavaScript file on the British Airways website so that cardholder data entered by customers was copied, as it was submitted, to an external domain under the Attacker's control, baways.com.


British Airways acted promptly in notifying the Commissioner of the attack on 6 September 2018 and thereby complied with its obligations in this respect. Although the Commissioner considered that BA had cooperated fully with the investigation, a penalty was still imposed.


The penalty was imposed because the Commissioner found that, measured against the security measures available on the market at the time, British Airways was not processing the personal data of its customers in a manner that ensured appropriate security of that data, including:


  • protection against accidental loss
  • protection against destruction or damage
  • using appropriate technical and organisational measures


These are mandatory requirements under Article 5(1)(f) and Article 32 of the GDPR.


In conclusion, the infringement constituted a serious failure to comply with the GDPR; the ICO expects companies to maintain a stronger and more coherent data protection framework.


Such a failure is per se a breach of the legal framework: Article 5(2) of the GDPR makes clear that the controller is responsible for compliance with these principles and must be able to demonstrate it, which means showing that appropriate steps were taken to prevent such events. That was not the case with British Airways.


2. Personal Data involved in the Failure


The Attacker is believed to have potentially accessed the personal data of approximately 429,612 individuals, in particular:


  • name, address, card number and CVV of BA customers - 244,000 data subjects
  • card number and CVV only - 77,000 data subjects
  • card number only - 108,000 data subjects
  • usernames and passwords of BA employee and administrator accounts
  • usernames and PINs of up to 612 BA Executive Club accounts


That data is sufficient to make fraudulent use of the cards concerned, and could cause even greater damage to the data subjects in the foreseeable future.


3. How the company should have reacted


There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network, for example:


  • limiting access to applications, data and tools to only that which is required to fulfil a user's role
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business' systems
  • protecting employee and third-party accounts with multi-factor authentication
  • restricting the access granted to the third-party (Swissport) employee account from which the attack started
  • protecting card details more strongly, and not storing data that is not required for any particular business purpose
  • not allowing customer data to be redirected away from the website; BA blocked the link to the external domain only after being alerted by a third party
  • installing a next-generation anti-virus product


The ICO found that none of these measures would have entailed excessive cost or technical barriers, with some also available through the Microsoft Operating System used by BA. 


Before setting the penalty, the ICO evaluated the factors listed in Article 83(2) of the GDPR:


  • the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
  • the intentional or negligent character of the infringement
  • any action taken by the controller or processor to mitigate the damage suffered by data subjects
  • the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32
  • any relevant previous infringements by the controller or processor
  • the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate its possible adverse effects
  • the categories of personal data affected by the infringement
  • the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
  • where measures have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures


4. Conclusion


Having weighed these factors, the Commissioner nonetheless concluded that a penalty of £20 million was appropriate.

Since the attack, however, BA has made considerable improvements to its IT security.



5. Best practices in prevention


Any company should have a security risk implementation plan in place which includes:


  • risk scoring of contracts, linked to existing risk assessments
  • due diligence
  • accreditation
  • assurance from existing suppliers that measures to mitigate risks have been adopted
  • audit arrangements and compliance monitoring
  • comprehensive mapping of all tiers of the upstream and downstream supply chains, down to the level of individual contracts


All of these practices have also been recommended by the Cyber Security Council since 2018.


October 2020

by Daniele Lupi




Copyright © 2025 giuristidimpresa.co.uk - All rights reserved.

