British Airways plane

British Airways Hit With Record $229 Million Fine After 2018 Hack

The airline, along with Mariott International, is facing harsher penalties for not properly protecting customers’ personal data prior to cyberattacks.

British Airways, the second largest airline in the United Kingdom, could have to pay a record fine of over 183 million pounds, or about $229 million, for a hack that exposed the private data of hundreds of thousands of customers. The penalty is the largest ever issued by the Information Commissioner’s Office, the British agency tasked with protecting citizens’ data privacy.

An investigation conducted by the ICO found that the airline’s lack of security measures allowed for hackers to “harvest” personal data of 500,000 customers for several months in the summer of 2018. The incident involved diverting customers from the British Airways website to a fraudulent site where users entered their names, email addresses, travel details and credit card information.

Since the attack, the company has made improvements to its security operation and cooperated with the investigation, according to the ICO.

“People’s personal data is just that – personal,” ICO commissioner Elizabeth Denham said in a Monday statement. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

She added: “Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The announcement came in the wake of new regulations in the U.K., introduced last year, that make it mandatory for companies to report security breaches to the ICO. The changes to the General Data Protection Regulation (GDPR) also increased the maximum penalty to 4 percent of the corporation’s turnover, or yearly net sales. While the fine on British Airways was the largest ever levied by the agency, it was only about 1.5 percent of the airline’s turnover in 2017, according to the BBC.

“If there was any doubt that regulators would enforce GDPR, the ICO’s decision to hand down an unprecedented, if unexpectedly, stiff penalty will surely put that to rest and leave all companies under GDPR anxious about data security and privacy,” said Alex Calic, the strategic technology partnerships officer for The Media Trust.

It doesn’t look like the regulator is slowing down anytime soon. On Tuesday, the ICO announced its intention to fine Mariott International over 99 million pounds, or $124 million, for a data breach that led to the exposure of 339 million sensitive guest records, 30 million of which were related to European residents.

The ICO investigators concluded that Mariott failed to undertake “sufficient due diligence” when it bought Starwood, a group of hotels that had its reservation database hacked in 2014, eventually exposing the data of over 500 million guests. The attack was only discovered and reported to the regulator in November.

Tim Erlin, the vice president of product management and strategy at cybersecurity company Tripwire, said the regulations “walk a fine line” between improving security and blaming the victim of criminal activity.

“In order for GDPR to remain effective, the supervisory authorities have to levy fines appropriately, and specifically in cases where clear negligence was present,” Erlin said. “It’s fair to expect organizations to safeguard sensitive data, but even an organization delivering above average protection can fall victim to a sophisticated attacker. Very simply, cybersecurity isn’t a solved problem.”

Both companies will have the opportunity to argue for a reduction in the fine before the ICO makes its final decision. Regardless of the outcome, security experts say the severity of the British Airways penalty should be a wake-up call to companies about the importance of data security.

“The message is clear,” Calic said. “If you collect consumer data, you’d better make sure it’s safe and know who has access to it.”

Featured

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

  • DHS to End ‘Shoes-Off’ Travel Policy

    Homeland Security Secretary Kristi Noem announced a new policy today which will allow passengers traveling through domestic airports to keep their shoes on while passing through security screening at TSA checkpoints. Read Now

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.