ICO - British Airways
| ICO - British Airways | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 5(1)(f) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 16.10.2020 |
| Published: | 16.10.2020 |
| Fine: | 20000000 GBP |
| Parties: | British Airways |
| National Case Number/Name: | British Airways |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | ICO (in EN) |
| Initial Contributor: | n/a |
The Information Commissioner’s Office (ICO) fined British Airways €22 million for failing to protect the personal and financial details of more than 400,000 of its customers.
English Summary
Facts
An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, British Airways (BA) was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time. The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
Dispute
Did BA breach Article 5(1)(f) and 32 GDPR by failing to implement appropriate security measures and not protecting against unauthorised access to personal data?
Holding
The ICO held that BA was indeed liable. Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA. Therefore, considering this, the ICO found that BA had failed to comply with Article 5(1)(f) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
