Airline hit by record GDPR fine for data breach
The UK’s data privacy authority intends to issue a record-breaking GDPR fine against one of the largest airlines in the world after a cyber incident in which customers’ personal and financial details were compromised. The size of the fine makes clear that firms have to invest both in their IT infrastructure and in complying with data protection law.
The airline, British Airways, will have to pay £183.39 million ($230 million, €205 million) to the Information Commissioner’s Office (ICO) for failing to protect its customers’ data. The proposed fine relates to a data breach that compromised the personal information of approximately 500,000 customers, which British Airways notified to the ICO in September 2018.
“When an organisation fails to protect [personal data] from loss, damage, or theft, it is more than an inconvenience,” says Information Commissioner Elizabeth Denham. “When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The cost of a data breach rose sharply on 25 May 2018, when the General Data Protection Regulation (GDPR) came into force. Under the legislation, an organisation that fails to protect its customers’ data can be fined up to €20 million (£17.5 million, $22.5 million) or four per cent of annual global revenue, whichever is greater; the amount actually imposed depends on the nature, gravity and duration of the infringement, the number of data subjects affected and several other factors. The ICO fine is the highest issued so far by a European Union data protection supervisory authority for a personal data breach under the GDPR, but it is still considerably less than the maximum that could have been levied, as it represents 1.5 per cent of the company’s global turnover in 2017.
The GDPR requires organisations to report a data breach within 72 hours of becoming aware of it. British Airways announced the breach within a day of discovery and provided specific details of who had been affected and of the kind of data that could have been compromised, which included bank card numbers, expiry dates and CVV codes.
Since the GDPR came into effect, a number of fines have been issued across the European Union, the biggest of them imposed on Google by the French data privacy body CNIL back in January. The search engine giant was hit with a €50 million ($57 million) fine for “lack of transparency” and “inadequate information” about how ads are personalised for each user. The UK watchdog has also issued a second announcement of plans to fine a large organisation for GDPR violations: the international hotel chain Marriott is to be fined almost £100 million ($123 million, €111 million) by the ICO after the records of 339 million guests were breached last year.
Airlines have become frequent targets of cyberattacks in recent years, among them the giant US airline Delta and Cathay Pacific of Hong Kong. Organisations that handle large amounts of sensitive data, including those in tourism, healthcare and finance, are also among the most exposed to data breaches and need to be on guard against cyber attacks and incidents. To keep up with the growing number of regulations, they need to ensure that their IT security posture is robust and that it meets the regulators’ requirements.
Data breaches are among the most common and costly cybersecurity risks, and they can result from an outside attack or from insider carelessness; either way, companies must be prepared to protect sensitive data. Best practices include general steps such as training and educating employees, maintaining a data security policy and taking a layered approach to security. Beyond that, essential controls need to be prioritised, including proper restrictions on data access and secured devices, which can prove to be a lifesaver for any organisation. Data Loss Prevention solutions such as Endpoint Protector can help organisations fight data leakage, data loss and data theft, as well as achieve compliance with the GDPR and similar regulations.