The ICO announced this week that British Airways would be fined £20 million in respect of a data security breach that left the personal data of over 400,000 customers exposed to hackers for months.  The ICO initially set the fine at £183 million in June 2019.  A fine of that size would probably have broken BA, but the reduced figure is still a substantial fine, especially given the pandemic and its effect on the travel industry.

The level of the fine demonstrates the regulator’s commitment to maintaining the standards of data protection in the UK.  The press release about the fine highlights that the ICO took action as Lead Authority on behalf of all European regulators and that the fine was approved by them through the GDPR’s cooperation process.  No doubt the ICO also wanted to send a clear message, just before the end of the transition period following Brexit, that the UK provides adequate protection for the personal data of European citizens.

As with many data protection breaches, the initial incident, in this case a hacking attack, revealed systemic weaknesses in data security, and it was those weaknesses that led to the fine.  In the case of BA there was a catalogue of failings.

  • The hacker(s) accessed BA systems using the credentials of an employee of a third-party service provider to BA, via the facility that enables remote access to IT systems.  That facility was configured to allow access to specific applications using a single user name and password.
  • Access rights were very wide and not sufficiently restricted to job roles.
  • Multi-factor authentication was not enabled.
  • IT administrator credentials were held in plain text, in a folder on the server and the lack of security exposed them to access by the hacker(s).  With “privileged access” the hacker had “virtually unrestricted access” to BA systems, the penalty notice explains.
  • Data relating to payment cards (credit and debit cards) was not encrypted on BA systems, in breach of the Payment Card Industry Data Security Standard.
  • BA did not have systems in place to identify the breach.  Data being streamed from its compromised system was identified by a third party, which reported it to BA.
  • It was also noted that BA had not undertaken rigorous penetration testing of its systems.
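The first four failings in the list above are the kind a compliance team can check for mechanically rather than by reading policy documents.  The script below is an added example, not code from the original post and not anything BA or the ICO published: it audits a constructed, hypothetical remote-access configuration for the single shared credential, over-broad permissions and missing multi-factor authentication, and then scans a constructed directory tree for credential files stored in plain text.  The configuration keys, file contents and patterns are all assumptions made for illustration.

```python
"""Added example: a small control-check script modelled on the failings
listed above.  The configuration dictionary, the sample files and the
patterns are constructed for illustration; none of it is BA's real data."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Constructed stand-in for a remote-access gateway configuration.  The key
# names are hypothetical and do not follow any real product's schema.
SAMPLE_CONFIG = {
    "remote_access": {
        "mfa_required": False,
        "allowed_accounts": ["vendor-support"],
    },
    "accounts": {
        # One shared account with wildcard rights: the pattern in bullets 1-3.
        "vendor-support": {"shared": True, "permissions": ["*"]},
        "alice": {"shared": False, "permissions": ["ticketing.read"]},
    },
}

# Lines that look like a credential stored in the clear, e.g. "password = x".
CREDENTIAL_RE = re.compile(r"(password|passwd|pwd|secret)\s*[:=]\s*\S+", re.IGNORECASE)


def audit_remote_access(config: dict) -> list[str]:
    """Return findings mirroring the first three bullets: MFA not enforced,
    remote access through a shared credential, and unrestricted rights."""
    findings: list[str] = []
    remote = config["remote_access"]
    if not remote.get("mfa_required", False):
        findings.append("MFA not required for remote access")
    for name in remote.get("allowed_accounts", []):
        account = config["accounts"].get(name, {})
        if account.get("shared"):
            findings.append(f"remote access via shared account '{name}'")
        if "*" in account.get("permissions", []):
            findings.append(f"account '{name}' has unrestricted permissions")
    return findings


def find_plaintext_credentials(root: Path) -> list[tuple[str, int]]:
    """Scan every text file under root and return (relative path, line number)
    for each credential-looking line.  Mirrors the fourth bullet: admin
    credentials sitting in a folder in plain text."""
    hits: list[tuple[str, int]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        for lineno, line in enumerate(text.splitlines(), start=1):
            if CREDENTIAL_RE.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno))
    return hits


def build_sample_tree() -> Path:
    """Create a constructed directory tree containing one offending file."""
    root = Path(tempfile.mkdtemp(prefix="control-check-"))
    (root / "it-admin").mkdir()
    (root / "it-admin" / "server-notes.txt").write_text(
        "Jump host notes\nadmin_password = Example-Not-Real-1\n", encoding="utf-8"
    )
    (root / "docs").mkdir()
    (root / "docs" / "readme.txt").write_text("Nothing sensitive here.\n", encoding="utf-8")
    return root


def run_audit(config: dict, root: Path) -> dict:
    """Combine both checks into one report keyed by control area."""
    return {
        "remote_access": audit_remote_access(config),
        "plaintext_credentials": find_plaintext_credentials(root),
    }


if __name__ == "__main__":
    for area, items in run_audit(SAMPLE_CONFIG, build_sample_tree()).items():
        print(f"{area}: {items}")
```

Run against the constructed inputs, the report lists three remote-access findings and one plaintext credential at line 2 of `it-admin/server-notes.txt`.  The value of a check like this is that it is repeatable: scheduled alongside the manual review, it catches a control that has quietly drifted (MFA switched off, a wildcard permission added, a credentials file dropped into a share) between audits.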

These are failings of commonly accepted standards.  If a large, wealthy corporation like BA can fail to meet compliance standards, how many organisations are similarly behind the curve?  A Compliance Team focused on checking that compliance controls are up to date and effective is a basic business requirement.  Controls can become outdated and colleagues complacent without a third party to keep them up to the mark.  We call it “checking the checkers”.

Who is checking your company’s data protection compliance programme?  Don’t lose sleep over data compliance: we offer a data protection compliance checking service to keep our clients up to date and ahead of the curve in data protection awareness and compliance.

Mandy P Webster, Data Protection Consultant