The long-running saga of the BA data breach reached its conclusion (probably) last week with the announcement by the Information Commissioner’s Office (ICO) of a £20m fine. Initial comments focused on the huge reduction from the £183m fine that the ICO initially proposed last year; but this is still a significant fine, both in total and in terms of a penalty per compromised record of nearly £50. This is only the second fine that the ICO has issued under GDPR, the first being the £275,000 penalty for Doorstep Dispensaree in December 2019 (which works out at less than £1 per compromised record). So have we learnt anything from this second fine?
In its ruling the ICO cites two aggravating factors that contributed towards the size of the fine:
- Failing to prevent the attack; and
- Failing to respond in a timely fashion.
The ICO ruling was highly critical of BA’s failure to put appropriate information security measures in place ahead of the attack, although it acknowledges that BA has since made significant improvements. Perhaps more importantly, the ICO highlights that BA were unaware of the attack until they were contacted by a third party over two months later. Given that the compromised data includes customers’ bank details, this delay in detecting the breach and informing those affected created a risk of fraud on a huge scale. Arguably though, neither of these arguments is new: pre-GDPR, the ICO would regularly cite both factors in its rulings.
Potentially this ruling points towards a pattern of announcing an enormous fine and then settling, many months later, for a much more modest punishment. However, the BA fine must be viewed in the context of the complete collapse of the aviation sector in the last six months. We may know more when the ICO announces the final penalty for Marriott Hotels, having initially proposed a fine of £99m last year.