
British Airways settle data-breach compensation claim - how to avoid the turbulence

8/07/2021

British Airways has reached an agreement to settle a High Court claim brought by thousands of people affected by a major personal data breach in 2018. 

The court-appointed law firm overseeing the claim, PGMBM, announced this week that the litigation with the airline had been resolved on confidential terms following mediation. While BA will not have had to admit liability as part of the settlement, the total compensation paid to the claimants is likely to have been significant, and this is in addition to the fine issued by the Information Commissioner's Office ("ICO").

The data breach in June 2018 exposed to hackers the personal details of nearly 430,000 customers and staff.  This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers as well as usernames and passwords of BA employee accounts. 

BA's stance was that it acted promptly when it discovered the problem. However, the breach resulted in the ICO fining the airline £20m for processing a significant amount of personal data without adequate security measures in place, in breach of data protection law. In fact, the fine could well have been significantly greater as the ICO had proposed a fine of £183.39m for the GDPR infringements.

Announcing the final decision and fine in October 2020, Information Commissioner Elizabeth Denham said:

“[BA's] failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

BA has deep pockets but it also has its reputation to think of. Trusted brands cannot afford to be seen as lazy, or, worse, irresponsible, when it comes to their customers' data.

The story is a stark reminder of how seriously organisations need to take their responsibility to protect the data they hold. In this case, it was in particular the vulnerabilities in remote access to BA's IT systems that were exposed. Never has that been a more relevant issue than now, with so many more people working, shopping and connecting online during the pandemic.

There will always be new scams and techniques being developed by hackers, but reacting swiftly once a breach or theft has occurred, while essential, is unlikely to be enough.  Businesses need to look at what more they can do to prevent and mitigate the risk.

In the BA penalty notice, the ICO identified a number of measures that could have been implemented.  These included:

  • limiting access to applications, data and tools to only those required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems;
  • protecting employee and third party accounts with multi-factor authentication.

It is incumbent upon businesses and other organisations to look at the security measures they have in place and consider whether they are adequate, in addition to ensuring readiness to deal with the varied challenges that can arise when a data breach occurs.  Failing to meet your legal obligations in this regard could be very costly indeed.  
