The fine is announced in relation to a cyber incident on the company's webpage, where personal information about approximately 500,000 customers may have been compromised. The incident reportedly lasted a period of 6 weeks in the fall of 2018, during which the attackers harvested customer information such as names, addresses and financial information, including credit card numbers.
Shortly after the incident, British Airways implemented a series of measures in order to inform and reassure its customers in relation to the cyber attack, such as apology statements in British newspapers and a promise to compensate customers. Up until now, there is no evidence indicating that the attack on the information security has led to customer fraud. Despite the implemented measures and the lack of proof of fraud, the ICO has announced its intention to fine British Airways an amount corresponding to 1.5% of the company's annual turnover. If this happens, it will be the largest fine from the ICO to date.
The intended fine sends a signal to companies that it is not always enough to react quickly and satisfactorily in the event of an information security breach in order to avoid fines. Some breaches, like the one in question, are of such a severe nature that the importance of continuous work on information security must be clearly communicated – not only the response time in the event of an actual breach. Implementing preventive measures is one of the most efficient ways to ensure that cyber incidents and the compromise of data do not occur.
The Norwegian Data Protection Authority has stated that the size of the ICO fine stems from British Airways not doing enough to safeguard their customers' personal data. Emphasis is placed on the type and scope of the personal data compromised, including that the attack involves financial information and that it affects an extensive number of customers worldwide.
British Airways has 28 days to appeal the ICO decision.