British Airways fined $20 Million for GDPR Violation


Madhura Phadtare
Madhura is editor at Regtechtimes and is an expert in regulatory developments in the international scenario.

British Airways is one of the largest carriers in the United Kingdom. It is regarded as the second-largest UK-based carrier by fleet size and passengers carried, behind easyJet. The airline was developed to connect Britain with the world and the world with Britain, keeping customers as well as sustainability at heart. It also provides excellent service.

How was British Airways fined for GDPR?

In a long-awaited announcement, the Information Commissioner's Office (ICO) issued a fine against British Airways for violating the General Data Protection Regulation (GDPR). The fine imposed on British Airways was $183 million but was reduced to $20 million, underscoring the critical role that representations can play in such cases.

British Airways completely failed to safeguard and protect the personal as well as the financial data of more than 400,000 customers. According to the investigation, the ICO found that the airline processed a notable amount of customers' personal data without any of the protection and security measures that needed to be in place. The company had totally broken data protection law. It was all related to the cyber attack.

Specialized ICO investigators were appointed to look into the case. During the investigation, they recognized weaknesses related to the company's security. They also tried to settle on and implement the different types of security measures that were available at that point in time.

What is the Information Commissioner's Office?

The Information Commissioner's Office is a non-departmental public body that reports directly to the Parliament of the United Kingdom. It is sponsored by the department responsible for digital, culture, media, etc. It is an independent regulatory office that deals with data protection law and the General Data Protection Regulation. The Commissioner's mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Information Commissioner's Office promotes good practice, works on eligible complaints, and provides information to individuals and organizations.

Main Aim to Reduce the Fine

One of the cyber security firms involved in the case was of the opinion that the cyber attack must have taken place when criminal hackers gained entry and injected malicious code into the British Airways website, which diverted traffic in a fraudulent way.

During the investigation, the authority observed that all the customer information saved in the company's data had gone into the hands of the fraudsters. Once customers entered their login details, their payment card information went directly to the fraudsters. The Information Commissioner's Office confirmed the same. This breach is regarded as the most comprehensive. Payment card information such as the CVV number was obtained by the fraudsters.

It also included the usernames and passwords of British Airways employee accounts as well as the administrator account. The fraudsters accessed the generated PINs. While investigating, the ICO found that the company had not implemented a data protection policy.

However, the ICO reduced the penalty imposed by almost 90% after analyzing the company and also considering the effect of Covid-19. So the penalty was reduced to $20 million.

Breach Detection Delay

During the investigation, the ICO said that the company had failed to detect the breach. It had received the information from a third party more than two months after the attack. The company has developed a first-rate strategy. Its processes and procedures are tested at regular intervals. The company also has top-level management. To contend against the breach, the required technical measures were followed.

British Airways Statement on the case

British Airways has agreed to the fine imposed on it under GDPR. The company agreed to first implement a data protection policy. It has also decided to improve its security measures. Data protection and privacy are regarded as essential issues in modern business. The company would look deeply into the steps needed to safeguard the data of its customers and users.
