The price of our privacy… that’s almost GBP185 million to British Airways

10 July, 2019

We often hear the words "data is the new oil" from conference speakers and industry whitepapers. While this is seemingly become truer by the day, and there are clear parallels with data powering much of the technological and digital transformation of business life today, many still argue that it is nothing more than a smart attention grabbing marketing soundbyte.

What is clear is that data is an important factor behind automation and the advanced, predictive machine learning analytics that drive artificial intelligence, which could be the lifeblood of future business processes. Away from the analogies, when it comes to travel information about our preferences, experiences and purchases can be as valuable to a business as our private information could be to a hacker.

This all highlights the importance of protecting our data and why privacy concerns are one of the biggest hurdles regularly highlighted by surveys to the ongoing automation of business processes. You wouldn't give a stranger a key to your house, or the password to your computer, so why would you share your personal data with an online system?

Tougher data privacy laws now require companies to have clearer and more robust processes in place when handling personal data relating to their customers, their staff or other persons who come into contact with their business and this has impacted how businesses collect, use, manage and store their customers' and employees' personal data.

The Blue Swan Daily reported last year on how the European General Data Protection Regulation (GDPR) was being met with as much global dread as the Y2K millennium bug. But, while the latter proved impotent, GDPR has a powerful bite as British Airways has discovered this week.

Following a extensive investigation into a data breach last year that affected 500,000 of the airline's customers, the UK independent body set up to uphold information rights, the Information Commissioner's Office (ICO) says it intends to fine British Airways GBP183.39 million for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident which in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers and personal data of approximately 500,000 customers were compromised in this incident. ICO investigations have found this is believed to have begun in Jun-2018, but was not publicly disclosed until Sep-2018.

The ICO's investigation found that "a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information". It says British Airways "has cooperated" with the investigation and has made improvements to its security arrangements since these events came to light.

The proposed penalty imposed on British Airways is the largest and one of the first to be made public since the GDPR rules were introduced, and which make it mandatory to report data security breaches to the information commissioner. The fine amounts to 1.5% of the airline's worldwide turnover in 2017, which is actually less than half the maximum penalty of 4% of turnover.

As Anna Russel, VP at enterprise data security provider, Comforte, explains, "companies need to realise that GDPR is a data privacy regulation that has teeth." We have already seen seen Google find EUR50 million in France earlier this year.

Until now, the biggest penalty in the UK has been GBP500,000, the maximum allowed under the old data protection rules and imposed on Facebook for its role in the Cambridge Analytica data scandal. According to ICO Equifax has also faced a GBP500,000 penalty due to a data breach, while Uber, TalkTalk, Carphone Warehouse, Yahoo and Sony are among the global brands also hit with fines.

The ICO says British Airways will "have opportunity to make representations to the ICO as to the proposed findings and sanction" and that it will "consider carefully" these representations and opinions of other concerned data protection authorities before it takes its final decision.

British Airways CEO Alex Cruz says he is "surprised and disappointed in this initial finding from the ICO" given the airline responded quickly to the criminal act and has found no evidence of fraud/fraudulent activity on any of the accounts linked to the theft. Willie Walsh, CEO of the airline's parent company IAG confirms that it will be "making representations" to the ICO in relation to the proposed fine" and that it will "take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals".

These actions from ICO and the strong regulation of GDPR highlight just how important the safeguarding of data has become. "People's personal data is just that - personal, says the UK's Information Commissioner Elizabeth Denham. "When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it."