The Information Commissioner’s Office (ICO) has published its monetary penalty notice against British Airways (BA), in a sum of £20 million. This concludes a regulatory process announced last year. The final amount of the fine is a significant reduction on the initial 2019 headlines of a ‘notice of intent’ to fine £183 million. However, the fine is still the largest issued by the ICO to date. The fine issued equates to about £50 per affected data subject.

Background of the incident

In June 2018, BA was subject to a cyber-attack on its payment and IT systems. The hacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. British Airways became aware of the attack in September 2018.

Key points of the penalty notice

The most important part of the monetary penalty notice is the central (and technical) discussion of what measures British Airways should have had in place to prevent and mitigate the attack – in the ICO’s views they were insufficient. The measures that the ICO says should have been in place include:

  • Greater role-based access restrictions to systems;
  • More multi factor authentication of IT systems;
  • Implementing application whitelisting/blacklisting;
  • Systems hardening (although BA disagree with the ICO's conclusions here);
  • Having regard to National Cyber Security Centre guidance – for instance on supply chain management;
  • Ensuring that system suppliers' recommendations on configurations are followed;
  • Not storing passwords and similarly sensitive information in plain text;
  • File integrity monitoring of payment card systems; and
  • Measures to automatically detect changes to website code.

British Airways has the option to further appeal the fine, which was reduced in part to take account of business pressures arising from the COVID-19 pandemic.

What to take away

We recommend passing parts 6 and 7 of the Monetary Penalty Notice (p. 29 onwards) on to information security teams/consultants, to consider which measures may be appropriate to your organisation. Whilst there isn't – and probably can't be - a single, “one size fits all” list of what security measures are 'sufficient' for any and all organisations, we think the ICO will say in the future that other organisations should be aware of (and where appropriate have in place) the matters that BA should have had in place here.

More generally, the ICO has recently published a “self-assessment toolkit” which provides a free-to-use self-inspection system for compliance measures. As a “one size fits all” tool, not all of the points within it will be relevant for all organisations, but the framework offers insights into the ICO's approach to audits (which can be requested voluntarily by data controllers, or required by the ICO) and some helpful ways of thinking about “demonstrable compliance” with many of the key parts of GDPR.

Many of our healthcare clients will be subject to the Data Security and Protection Toolkit and the audit/assurance arrangements that go with that, but for housing, regulatory and other organisations (or for NHS organisations considering other ways of demonstrating compliance with GDPR), the Framework has some useful tools.

How we can help

Our team at Capsticks consists of experts in all areas of information law, concerning healthcare and housing organisations, regulators and employees. We give practical advice on the full range of advisory, transactional, regulatory and litigated issues including effective information sharing between organisations, complex subject access requests, and responding to information security incidents and cyber-attacks.

For advice on any of the legal issues raised by this alert, please speak to Andrew Latham, Kate Dimes Letters or Serena Patel.