British Airways plane

British Airways Hit With Record $229 Million Fine After 2018 Hack

The airline, along with Mariott International, is facing harsher penalties for not properly protecting customers’ personal data prior to cyberattacks.

  • By Haley Samsel
  • Jul 10, 2019

British Airways, the second largest airline in the United Kingdom, could have to pay a record fine of over 183 million pounds, or about $229 million, for a hack that exposed the private data of hundreds of thousands of customers. The penalty is the largest ever issued by the Information Commissioner’s Office, the British agency tasked with protecting citizens’ data privacy.

An investigation conducted by the ICO found that the airline’s lack of security measures allowed for hackers to “harvest” personal data of 500,000 customers for several months in the summer of 2018. The incident involved diverting customers from the British Airways website to a fraudulent site where users entered their names, email addresses, travel details and credit card information.

Since the attack, the company has made improvements to its security operation and cooperated with the investigation, according to the ICO.

“People’s personal data is just that – personal,” ICO commissioner Elizabeth Denham said in a Monday statement. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

She added: “Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The announcement came in the wake of new regulations in the U.K., introduced last year, that make it mandatory for companies to report security breaches to the ICO. The changes to the General Data Protection Regulation (GDPR) also increased the maximum penalty to 4 percent of the corporation’s turnover, or yearly net sales. While the fine on British Airways was the largest ever levied by the agency, it was only about 1.5 percent of the airline’s turnover in 2017, according to the BBC.

“If there was any doubt that regulators would enforce GDPR, the ICO’s decision to hand down an unprecedented, if unexpectedly, stiff penalty will surely put that to rest and leave all companies under GDPR anxious about data security and privacy,” said Alex Calic, the strategic technology partnerships officer for The Media Trust.

It doesn’t look like the regulator is slowing down anytime soon. On Tuesday, the ICO announced its intention to fine Mariott International over 99 million pounds, or $124 million, for a data breach that led to the exposure of 339 million sensitive guest records, 30 million of which were related to European residents.

The ICO investigators concluded that Mariott failed to undertake “sufficient due diligence” when it bought Starwood, a group of hotels that had its reservation database hacked in 2014, eventually exposing the data of over 500 million guests. The attack was only discovered and reported to the regulator in November.

Tim Erlin, the vice president of product management and strategy at cybersecurity company Tripwire, said the regulations “walk a fine line” between improving security and blaming the victim of criminal activity.

“In order for GDPR to remain effective, the supervisory authorities have to levy fines appropriately, and specifically in cases where clear negligence was present,” Erlin said. “It’s fair to expect organizations to safeguard sensitive data, but even an organization delivering above average protection can fall victim to a sophisticated attacker. Very simply, cybersecurity isn’t a solved problem.”

Both companies will have the opportunity to argue for a reduction in the fine before the ICO makes its final decision. Regardless of the outcome, security experts say the severity of the British Airways penalty should be a wake-up call to companies about the importance of data security.

“The message is clear,” Calic said. “If you collect consumer data, you’d better make sure it’s safe and know who has access to it.”

Featured

  • Meeting Modern Demands

    Door hardware and access control continue to be at the forefront of innovation within the security industry, continuously evolving to meet the dynamic needs of commercial spaces. Read Now

  • Leveraging IoT and Open Platform VMS for a Connected Future

    The evolution of urban environments is being reshaped by the convergence of Internet of Things (IoT) technology and open platform VMS. As cities worldwide grapple with growing populations and increasing operational complexities, these integrated technologies are emerging as powerful tools for creating more livable, efficient, and secure urban spaces. Read Now

  • Securing the Future

    Two security experts sit down with Security Today’s editor in chief Ralph C. Jensen to discuss what they see emerging and changing over the next several years along with how security stakeholders can harness these innovations into opportunities. Read Now

  • Collaboration Made Easy Using a Work Management Platform

    Effective collaboration between security operators, teams and other departments is critical to the smooth functioning of organizations. Yet, as organizations grow in complexity, it becomes more difficult for teams to coordinate with each other. This is compounded by staffing shortages, turnover and ineffective collaboration tools. Read Now

Most   Popular

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.