The UK data protection authority has fined British Airways (BA) £20 million for violating laws designed to ensure the privacy of customers and employees. This corresponds to around 22 million euros. The Information Commissioner's Office (ICO) accuses the airline of "having processed a significant amount of personal data without adequate security measures". This enabled a cyber attack that the company did not discover for over two months.
Lower fine for lost sales
Last year, the ICO initially announced that it intended to set the fine at around 204 million euros. This would have corresponded to 1.5 percent of BA's worldwide turnover in the previous financial year. Under the General Data Protection Regulation (GDPR), on the basis of which the supervisory authority initiated the proceedings, a maximum penalty of up to four percent of annual turnover would have been possible. The ICO justifies the significantly lower fine with BA's current loss of revenue due to the corona pandemic. Further objections raised by the group against the original method of calculation were also taken into account.
In the 2018 attack, cyber criminals potentially had access to the personal information of around 429,612 customers and staff. This included the names, addresses and credit card information including the Card Validation Value (CVV) security codes of 244,000 customers. There were also usernames and passwords of employees and administrators as well as of holders of premium frequent flyer cards.
IT security now “significantly improved”
The ICO investigators believe the company should have discovered and fixed the vulnerabilities earlier. Common protective measures such as restricted access rights, two-factor authentication and "thorough testing" of the infrastructure would have been sufficient. Some of these precautions were available as configuration options in the Microsoft operating system that BA was using. The company has, however, considerably improved its IT security since the attack.
The British Information Commissioner Elizabeth Denham emphasized that this is the highest penalty the ICO has imposed so far. Passengers had entrusted their personal data to BA; the failure to protect it was "unacceptable" and had unsettled many of those affected.
Since the breach occurred in June 2018, before Brexit, the ICO, according to its own statement, investigated the case as lead supervisory authority under the GDPR on behalf of the European Data Protection Board (EDPB). The sanctions were approved by the EDPB through the usual cooperation procedure. British data protection law is still based on the GDPR, even if British Prime Minister Boris Johnson wants to change this.
H&M accepts fines in Germany
The Swedish clothing retailer Hennes & Mauritz (H&M) has meanwhile accepted the current record fine of just under 35.3 million euros imposed in Germany on the basis of the GDPR. The Hamburg data protection commissioner Johannes Caspar had imposed the penalty on the company after massive violations of employees' privacy at a service center in Nuremberg became known. An H&M spokeswoman told the NDR that the company waived an appeal in order to draw a line under the matter. The group nevertheless considers the amount disproportionate, given that the incident was confined to a single site.