
Sky High Fine for British Airways Data Breach

Jon Benjamin

The record sanction imposed by the Information Commissioner on British Airways is remarkable not only because of the eyewatering size of the proposed £183 million fine, but also the nature of the breach.


It is thought that around 500,000 customer records were diverted to a fraudulent website by hackers, who then harvested information including login, payment card and travel booking details, as well as names and addresses.


At the time, British Airways described the incident as a "sophisticated, malicious criminal attack" on its website, and the airline has said that it is "surprised and disappointed" at the fine, having cooperated fully with the Information Commissioner's Office (ICO) and improved its security.


No doubt the surprise and disappointment stems from the fact that BA was itself the victim (along with the individuals whose data was compromised) of a criminal act, but that, as the ICO made clear, is precisely the point. "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience," said Information Commissioner Elizabeth Denham. "That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."


The fine would represent approximately 1.5% of BA’s 2017 turnover, and the new GDPR regime allows for a maximum fine of 4%. And so, while BA didn’t exactly get off easily, a more serious case of deliberate or reckless misuse of data could be even more costly to an organisation.


Whilst these figures may seem astronomical to those working in the charity sector, a similar case reported in June 2018, but relating to events in the autumn of 2016, saw a charity fined £100,000 by the ICO. On that occasion, some 400,000 data records were accessed by hackers through a failure to secure personal information and an "easy to guess password". Significant also was the fact that the nature of the work of the charity, the British and Foreign Bible Society, meant that it was, according to the ICO, "likely that the religious belief of the 417,000 supporters could be inferred, and the distress this kind of breach can cause cannot be underestimated."


Since those events predated the introduction of the new, much higher level of sanctions under GDPR, a fine in comparable circumstances, even for a charity, could now be much higher: 1.5% of the British and Foreign Bible Society's 2018 income of £19.4 million would be £291,000. The aggravating factor that supporters' religious beliefs or other sensitive affiliations could be inferred from the data should make faith-based charities, and those working on certain types of projects, particularly mindful.


UPDATE - on the same day that news of the proposed BA fine was reported, news came through of a hack attack on St John Ambulance. Hopefully their systems will have proved more robust.

