
British Airways landed with massive GDPR fine

10th Jul 2019
Director Irenicon Ltd

GDPR fines soared to new heights this week as the Information Commissioner’s Office threatened British Airways with a fine of £184m for a significant data breach. Employment law expert Annabel Kaye advises accountancy firms how they can avoid a similar fate.

The Information Commissioner’s Office (ICO) has been investigating a number of large-scale data breaches, and this week’s headline GDPR news is that the body intends to fine British Airways (BA) £183.39m for breaches of data protection law thought to have occurred in June 2018 and reported in September 2018.

What happened?

The attack, perpetrated by the cybercriminal gang Magecart, involved a number of factors that contributed to the problem:

  1. Scammers created a false website. BA customers logged into this and inadvertently shared their logins (and possibly more security information).
  2. 500,000 customer records were compromised over a period of time starting in June 2018.
  3. Poor security arrangements allowed customer information to be compromised, including payment card details, travel itineraries, names and addresses.

The final amount has yet to be determined as BA and other EU data protection bodies now have to make representations about the scale of the fine. The airline has 28 days to appeal, and in a statement declared itself “surprised and disappointed” by the ICO’s initial finding.

“British Airways responded quickly to a criminal act to steal customers’ data,” continued the statement. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

If the figure is confirmed, it will be the largest GDPR penalty to date. The fine seems huge, but is unlikely to be terminal for BA and is less than half of the maximum the ICO is entitled to impose, which is 4% of worldwide turnover. The maximum could have been up to £489m.

Fines received by the ICO are due to go to the Treasury, but the body is exploring whether to ring-fence its penalty income to cover potential litigation costs to defend its decisions.

Could this happen to an accountancy firm?

There are few professional firms with 500,000 customers and prospects on a database. But if you start looking at say 50,000, or even 5,000 customer records, it is quite possible for a similar breach to happen to an accountancy practice.

While the scammers have historically targeted big consumer sites, as those sites progressively lock down their security (or get fined), criminals will move onto smaller databases and sites where the security may be easier to crack.

What should you do?

Check and search

  • Do an anonymous Google search for your firm (while you are not signed in to your Google account) and see whether any fake websites are using your business name or your keywords.
  • Check variations of your URL (website address) carefully. Scammers can clone your logos and words, and the look and feel of your site. All they need to do is change one letter.
  • Set up Google alerts for copy that is identical to your opening lines, brand name and so on to get informed if any copy appears that closely resembles yours.

Monitor and review client logins

Require authentication

If you have a portal or website where clients log in and view their own documentation, talk to your supplier about making sure it supports two-factor authentication for logins (using an authenticator app or text messages), and that this is triggered whenever a client attempts to log in from a new device, location or IP address.

This step will make it more difficult for people who have stolen login information to gain access, since they would also have to steal the user's phone or other authentication device.

Set up monitoring and reporting

Sites with customer data on them should have security software that offers you reports. Make sure those are set to notify you of an unusual number of failed logins (those that fail the authentication test). This pattern can indicate that customer login information is compromised. Make sure someone with authority is tasked with identifying what has caused the upsurge.

Discuss with your IT provider what a normal level of failed logins on your site would be, and make sure that both your own and your customers' login information is encrypted and securely stored.
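One way to implement the failed-login alerting described above, as an added example that is not part of the original article or of any product it mentions. The log format (one line per login attempt with a timestamp, an OK/FAIL result, an account and an IP address), the sample log lines and the "normal" baseline of three failures per hour are all constructed assumptions; in practice the baseline is the figure agreed with your IT provider and the format is whatever your portal actually writes.

```python
"""Added example: flag an hour with an unusual number of failed portal logins.

Hypothetical log format (constructed for this example, not any real product's):
    <ISO-8601 timestamp> <OK|FAIL> user=<account> ip=<address>
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample log: a quiet hour, a burst of failures spread across many
# different accounts from one address (the pattern that suggests customer
# login details have been compromised), then quiet again.
SAMPLE_LOG = """\
2019-07-08T09:03:11 OK user=alice ip=198.51.100.7
2019-07-08T09:17:42 FAIL user=bob ip=198.51.100.9
2019-07-08T09:18:05 OK user=bob ip=198.51.100.9
2019-07-08T09:44:30 FAIL user=carol ip=192.0.2.14
2019-07-08T10:01:02 FAIL user=dave ip=203.0.113.5
2019-07-08T10:01:03 FAIL user=erin ip=203.0.113.5
2019-07-08T10:01:05 FAIL user=frank ip=203.0.113.5
2019-07-08T10:01:06 FAIL user=grace ip=203.0.113.5
2019-07-08T10:01:08 FAIL user=heidi ip=203.0.113.5
2019-07-08T10:01:09 FAIL user=ivan ip=203.0.113.5
2019-07-08T10:01:11 FAIL user=judy ip=203.0.113.5
2019-07-08T10:01:12 FAIL user=mallory ip=203.0.113.5
2019-07-08T10:01:14 FAIL user=niaj ip=203.0.113.5
2019-07-08T10:01:15 FAIL user=olivia ip=203.0.113.5
2019-07-08T10:01:17 OK user=peggy ip=203.0.113.5
2019-07-08T10:01:18 FAIL user=alice ip=203.0.113.5
2019-07-08T10:01:20 FAIL user=bob ip=203.0.113.5
2019-07-08T11:22:40 FAIL user=carol ip=192.0.2.14
2019-07-08T11:23:01 OK user=carol ip=192.0.2.14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line: ignore rather than crash
        yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def failures_by_hour(text):
    """Group FAIL events by clock hour -> {hour_start: [count, set(users), set(ips)]}."""
    buckets = defaultdict(lambda: [0, set(), set()])
    for ts, result, user, ip in parse_log(text):
        if result != "FAIL":
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        bucket = buckets[hour]
        bucket[0] += 1
        bucket[1].add(user)
        bucket[2].add(ip)
    return buckets


def unusual_failure_hours(text, normal_per_hour, factor=3.0):
    """Return hours whose failed-login count exceeds factor x the agreed normal level.

    normal_per_hour is the baseline agreed with the IT provider (assumed value);
    factor is the multiple of that baseline treated as unusual.
    Each result is (hour as ISO string, failures, distinct accounts, distinct IPs),
    so the person investigating can see at once whether many accounts are involved.
    """
    threshold = normal_per_hour * factor
    alerts = []
    for hour, (count, users, ips) in sorted(failures_by_hour(text).items()):
        if count > threshold:
            alerts.append((hour.isoformat(), count, len(users), len(ips)))
    return alerts


if __name__ == "__main__":
    for hour, count, n_users, n_ips in unusual_failure_hours(SAMPLE_LOG, normal_per_hour=3):
        print(f"{hour}: {count} failed logins across {n_users} accounts "
              f"from {n_ips} address(es) - investigate")
```

With a baseline of three failures per hour and a factor of three, only the 10:00 hour is reported: twelve failures across twelve different accounts from a single address, which is exactly the "many accounts, few sources" shape worth handing to someone with authority to investigate. The two ordinary hours, with one or two genuine mistyped passwords, stay below the threshold.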

Active monitoring is key

GDPR compliance and data security are a process, not a deadline. It is not enough to say, “We were secure a year ago, so we must be now.” The essence of security is to check and monitor regularly.

You will also want to look at whether new security options are available within the software and platforms you use.

There has been a massive improvement in many mainstream software packages and tools, but many require you to turn them on or require their use. Not all security upgrades are automatically applied if they require a change in end-user or customer behaviour.


Replies (2)


By dgilmour51
11th Jul 2019 11:36

... and a £99m or so fine to Marriott today...
BA ... not so massive, around a quarter of what it could have been.
One can but hope that this bucks up the response of Banks etc. to GDPR - so far they have been visibly inept in conforming to even the most basic consent requirements.

Thanks (0)
By tedbuck
11th Jul 2019 11:54

AbFab! Now HMG can look at a new tax stream - doesn't matter if BA were to go bust as long as HMG has a few quid to waste on making people's life more difficult.
Net result air fares go up and Jo Public pays the price or cost cut and shed a few jobs to cover it. Pity they aren't in the GDPR shop which cannot even get its own stuff right. Bet they didn't fine themselves!
Personally I think we should go back to cash; think of the wheelbarrows full of plastic fivers that would be needed to pay that fine. Now there is an idea.

Thanks (1)