The fine is the first to be made public under the General Data Protection Regulation (GDPR), which went into effect last year.
The attack was the result of customers being diverted from British Airways’s site to a fraudulent site where threat actors harvested customer data in what was described as a “sophisticated, malicious criminal attack,” BA said on its website at the time.
British Airways officials first disclosed the attack on Sept. 6, 2018 and initially said approximately 380,000 transactions were affected, but said the stolen data did not include travel or passport details, according to a press release from IAG, the airline’s parent company.
The ICO, however, said the incident was believed to have begun in June 2018 and that login, payment card, travel booking details, name, and address information were compromised in the incident.
Philip Greaves, director and GDPR lead at Protiviti, pointed out the lack of details concerning how the attack was carried out.
“The press release from the ICO does not release any significant information in relation to how the breach was perpetrated by the hackers, although some reports pointed towards a vulnerability in payment systems,” Greaves said. “The fine is clearly very significant and so the ICO must feel that the cyber security controls in place were not sufficient to protect BA customer data.”
BA has 28 days to appeal the decision, and Willie Walsh, chief executive of IAG, told the publication that British Airways would be making representations to the ICO.
Tripwire Vice President of Product Management and Strategy Tim Erlin said the size of the fine sends a clear message about GDPR enforcement: organizations should protect their customers’ data or pay.
“Regulations like GDPR can be used to raise the bar on information security across whole industries, but we are fundamentally talking about criminal activity here, and these regulations also walk a fine line between improving security and blaming the victim,” Erlin said.
“In order for GDPR to remain effective, the supervisory authorities have to levy fines appropriately, and specifically in cases where clear negligence was present,” he said. “It’s fair to expect organizations to safeguard sensitive data, but even an organization delivering above average protection can fall victim to a sophisticated attacker.”
Erlin added that cybersecurity isn’t a solved problem and said that if anyone was unclear on how GDPR would be enforced, this fine should deliver clarity.
Alex Calic, strategic technology partnerships officer for The Media Trust, echoed Erlin’s sentiment and said the stiff penalty will surely put enforcement doubts to rest and leave all companies under GDPR anxious about data security and privacy.
“The message is clear,” Calic said. “If you collect consumer data, you’d better make sure it’s safe and know who has access to it. Moreover, reporting a breach and cooperating with regulators after the fact won’t guarantee immunity from the penalties.”
In addition, most third parties are strangers to site and mobile app owners, yet they often have access to user data and operate outside the site or app owner’s IT perimeter, Calic said, adding that companies under GDPR and other data privacy laws on the horizon should retake control of their digital ecosystems.
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC), called the incident a cautionary tale.
“Under GDPR, fines for breaches can reach 4 percent of the global revenue of an organization,” Mackey said. “In the case of this fine, the ICO imposed a fine of 1.5 percent of 2017 revenue. In doing so the ICO joins CNIL with its fine on Google of 50 million euro in stating that data privacy is serious business requiring serious attention.”