British Airways (“BA”) stored confidential data, including names, addresses and card details (“Data”), of its employees and customers on its website, ‘www.britishairways.com’. In June 2018, an unidentified individual (“Attacker”) surreptitiously accessed the BA e-mail account of Swissport, a cargo services provider hired by BA, which was accessing BA’s system remotely. After accessing the Swissport account, the Attacker then broke into BA’s core network and thus gained access to BA’s entire system.
The Attacker then added a setting to ‘www.britishairways.com’ to copy all existing Data, and any fresh Data entered by customers accessing it, to ‘www.BAways.com’ (the Attacker’s website) without BA’s detection (the “Attack”). In September, BA learnt about the Attack from a third party and soon blocked all data transmissions to ‘www.BAways.com’. By then, the Attacker is believed to have accessed the Data of 429,612 individuals from BA’s website.
Shortly thereafter, BA notified the Information Commissioner (“IO”) and its customers about the Attack. After an investigation, the IO sent a notice of its intention to penalize BA for data security failures. From July 2019 to June 2020, BA provided technical clarifications to the IO. Finally, in October 2020, the IO sent a penalty notice.
BA breached the EU General Data Protection Regulation by failing to process the Data with appropriate security and failing to implement technical measures to ensure sufficient security. Detailed guidance on implementing data security mechanisms was publicly available, some of which featured in BA’s own policies. Processes like ‘multi-factor authentication’ (requiring a user to enter a combination of credentials to access a server) or ‘application whitelisting’ (restricting remote access to select applications) were missing from BA’s network. Had even one such process been present, the Attack could have been prevented or, at least, mitigated. At first, the IO decided to impose a penalty of £180 million.
BA argued that the IO had applied an unduly high standard when judging BA’s security systems. The IO was applying the benefit of hindsight to say that BA could have prevented the Attack, but in reality the Attack was highly sophisticated and could penetrate even BA’s high-end security systems. Thus, it was the Attacker who ought to be held responsible. Moreover, no actual financial harm was caused to anybody.
The IO disagreed: BA could not use the apparent sophistication of the Attack to shield itself. The Attacker’s entry into BA’s website was through the Swissport e-mail account, which admittedly did not have multi-factor authentication, showing BA’s unpreparedness to guard itself against third-party remote accounts. Furthermore, BA could not even detect the Attack by itself; it had to be alerted by a third party. Had BA not been so alerted, greater harm could have been caused to its customers and employees. Whether any actual financial harm was caused was irrelevant, as over 400,000 people ought to have suffered mental distress upon learning that their Data was compromised.
The IO considered the following factors to decide the penalty amount: the mental distress suffered, the Attacker having unfettered access to BA’s systems for 103 days, and inadequate data security from an organisation of BA’s stature. Equally, the IO acknowledged that BA took immediate steps to block unauthorized Data transmissions, promptly notified all concerned parties upon learning of the Attack, and actively reported it to alert other organisations holding sensitive data. The IO also considered the impact of the Covid-19 pandemic on businesses, and imposed a penalty of £20 million on BA.
Although BA did not carry out the Attack intentionally, it happened because of BA’s negligence. The penalty notice set a precedent for others to securely process and store sensitive data.
Should you wish to discuss any similar issues that your business is facing, please feel free to contact us. A member of our team will seek out cost-effective solutions if you are faced with litigation or wish to ensure that appropriate safeguards are put in place to protect your position.