British Airways was last week fined £20m by the Information Commissioner's Office over a data breach which saw the personal details of 400,000 of its customers being accessed by hackers.
Following an investigation, it was ruled the airline should have identified the security weaknesses which enabled the attack to take place.
Elizabeth Denham, the Information Commissioner, said: ‘People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine - our biggest to date. When organisations take poor decisions around people's personal data, that can have a real impact on people's lives.’
The BA ruling provides the latest warning to businesses across the UK over the importance of protecting all the data they hold on their customers. At Harper James Solicitors, a commercial law firm designed to support businesses from start-up to scale-up, our team of experts regularly provides advice to companies on the practical steps they can take in this area.
David Sant, a commercial solicitor at Harper James, specialising in technology and data protection, said important lessons can be learned from the BA ruling: ‘The ICO now has the power to fine organisations for breaches of the GDPR up to 4% of the organisation’s worldwide annual turnover or €20m, whichever is bigger. This £20m fine to BA is the biggest fine issued to date by the ICO and contains many warnings for other organisations that handle customers’ personal data.
‘The key point here is that organisations must make sure that they have appropriate security measures in place to protect the integrity and confidentiality of the data. Those measures can be technical (eg penetration testing), but they can also be organisational (eg limiting access to data and systems to certain users).
‘It is also important that organisations have a plan in place in case a security breach takes place, as it is now mandatory to report certain breaches to the ICO within 72 hours.’
Six lessons learned from BA's data breach
1. Limit access to databases and systems
It’s easy to grant wide access rights when setting up login details, just in case that user needs to access a certain system or database at a later date. But that’s a bit like giving a master key to everybody who needs to enter your office building and granting access to every room and cupboard. And if the key falls into the wrong hands (as with BA), then a malicious user can cause serious harm. A user should only have access to data and systems that are necessary for their role.
2. Check your log files
The ICO reported that BA was recording users’ full payment card details and CVV numbers in plain text in web server log files. This logging was apparently a hangover from the test phase and should never have been left enabled on the live service.
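One practical way to act on this lesson is to scan web server logs for card data that should never have been written. The following is an added example, not code from the article or from BA; the log lines are constructed for the example, and the card number is the well-known 4111... test PAN rather than a real card. It flags lines containing a Luhn-valid card number or a CVV-style request parameter, masking any PAN it reports so the finding itself does not leak the value.

```python
import re

# Constructed sample of web server log lines, modelled on the kind of
# test-phase logging the ICO describes (values are made up; the card
# number is a standard test PAN, not a real customer card).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Aug/2018:10:21:07 +0000] "POST /api/payment HTTP/1.1" 200 512 "cardNumber=4111111111111111&expiry=1221&cvv=123"
203.0.113.8 - - [15/Aug/2018:10:21:09 +0000] "GET /flights?from=LHR&to=JFK HTTP/1.1" 200 8043 "-"
203.0.113.9 - - [15/Aug/2018:10:21:11 +0000] "POST /api/payment HTTP/1.1" 200 512 "cardNumber=1234567812345678&cvv=999"
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CANDIDATE_PAN = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")
# Common parameter names under which a card security code is submitted.
CVV_PARAM = re.compile(r"\b(cvv|cvc|csc|securitycode)=\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line that contains a Luhn-valid PAN or a CVV parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pans = []
        for m in CANDIDATE_PAN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):  # drops timestamps and other digit runs that are not cards
                pans.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
        cvv = bool(CVV_PARAM.search(line))
        if pans or cvv:
            findings.append({"line": lineno, "pans": pans, "cvv_present": cvv})
    return findings
```

Run it over the full, live log set rather than a sample: a single hit means card data is already at rest in a file that is routinely copied to backups and log aggregators, which is the exposure the ICO criticised.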
3. Check file integrity
The ICO highlighted that BA did not have any systems in place to alert them when software code had been changed. This meant that the attacker was able to place some malicious code on the BA website which skimmed payment card details and sent those details to the attackers. BA were criticised for not having automated systems to detect file changes.
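The automated file-change detection the ICO had in mind can be as simple as a hash manifest of the deployed web root that is compared against the live files on a schedule. The example below is added here and is not BA's tooling or the article's own code; it builds the scenario in a temporary directory (a constructed script and page) so it runs stand-alone, and the `demo()` function simulates an unauthorised edit to a deployed script plus a dropped file to show what the comparison reports.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict[str, str]:
    """Map every file under root (as a POSIX relative path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return the files added, removed or modified since the baseline was taken."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny web root, then alter one script and add a file."""
    with tempfile.TemporaryDirectory() as root:
        js = Path(root, "static", "checkout.js")
        js.parent.mkdir()
        js.write_text("function pay(form) { return submit(form); }\n")
        Path(root, "index.html").write_text("<html>...</html>\n")
        baseline = build_manifest(root)  # taken at deployment time, stored off the web host
        # Simulate a change nobody approved and a file that should not be there.
        js.write_text(js.read_text() + "// unexpected addition\n")
        Path(root, "static", "extra.js").write_text("\n")
        return compare_manifests(baseline, build_manifest(root))
```

In production the baseline must be regenerated only as part of an authorised release and kept somewhere the web server cannot write to, otherwise whoever can change the scripts can also change the manifest.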
4. Follow the ICO guidance on security measures
The points above are just a few of the security measures that organisations should consider. The ICO has published guidance on Protecting personal data in online services which sets out appropriate security measures. Although this predates the GDPR, it is still applicable. The ICO referred to this guidance in its penalty notice to British Airways, criticising them for failing to complete application/server hardening, as recommended by the guidance. The full ICO penalty notice is also very helpful in setting out the types of security measures the ICO considered appropriate.
5. Make sure you have all legal documentation in place to reduce your risk
If anything does go wrong and you do have a security breach, you will want to be able to say that you carried out Data Protection Impact Assessments where appropriate, that you had appropriate contracts in place with any sub-contracted data processors and that you were transparent with users about how their personal data was to be used. Getting this documentation in place is also a useful way to minimise data protection risk, because it forces you to think through exactly how personal data is processed, why, by whom, and on what legal basis, all of which are necessary to comply with the GDPR and the Data Protection Act 2018. This could form part of a data protection audit.
6. Act swiftly if something goes wrong
If you suffer a security breach, you may be required to notify the ICO within 72 hours of becoming aware of the breach. In some circumstances you will need to inform the affected users. In practice, this means you will need to have appropriate internal measures to ensure that breaches are escalated rapidly. And you will need to quickly form a view on whether the breach is a type that requires notification.
Find out more about how Harper James Solicitors’ data protection experts can help your business comply with GDPR.