Airlines, like other businesses, are handling large amounts of data, including personal data falling within the scope of the EU General data protection regulation (GDPR). The case of the breach of the GDPR by British Airways illustrates the necessity for airlines to strengthen data protection compliance. Failure to comply with the GDPR can have a significant impact on firms. Besides the fines, there are risks that airlines are being exposed to reputational damage or loss of customer trust.
The British Airways Case
Mid-October, the data protection authority of the United Kingdom (The Information Commissioner’s Office, or the ICO) fined the airline company British Airways £20 million (EUR 24 million). This fine was the biggest to date, and coming from an initial amount of £183.39 million (EUR 204 million). But the ICO decided to reduce this amount in the penalty notice of October 16, 2020.
The ICO invoked the failure by British Airways to protect the personal and financial details of more than 400,000 of its customers. During 2008, British Airways was the subject of a cyber-attack. The investigators concluded that the identified weaknesses in the security of British Airways were at the origin of the cyber-attack. In addition, the ICO also found that British Airways was processing a significant amount of personal data without adequate security measures. Among the details compromised in the cyber-attack, were customers’ names, addresses, payment card numbers and ‘CVV’ security numbers.
Breaches of articles 5 (1) (F) and 32 of the GDPR
British Airways failed to comply with its obligations under Article 5 (1) (F) and article 32 of the GDPR.
In accordance with article 5, personal data has to be processed in a manner which ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Therefore, British Airways, as the data controller, had to comply with these requirements.
In accordance with article 32, the controller has to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include encryption of personal data and a process for regularly testing, assessing, and evaluating the effectiveness of such technical and organizational measures.
In light of these provisions, the ICO concluded: ‘that the personal data stored within and processed by British Airways’s system, including the British Airways website, were not being processed in a manner that ensured appropriate security of that personal data, using appropriate technical or organizational measures. British Airways failed to implement appropriate technical and organizational measures to protect the rights of data subjects and comply with the data protection principles.’
British Airways Data Breach – Technical shortcomings
The decision listed numerous technical measures that British Airways could have used to mitigate or prevent the cyber-attack, and thus the breach of the GDPR.
Among these measures, we highlight:
- The attackers gained access to the British Airways’s network by using the compromised credentials of a user within a third-party supplier (‘supply chain attack’). The ICO listed appropriate measures that British Airways could have considered to mitigate the risk of an attacker being able to access the British Airways network by compromising a single username and password. These measures are, for instance, Multi-Factor Authentication (MFA), external public IP address, whitelisting, and IPSec VPN.
- British Airways used hardcoded passwords, which means that those passwords were in an unencrypted plain text file. The ICO stressed that passwords should be protected with encryption functions.
- Another example given is file integrity monitoring. This type of monitoring allows the system to detect and alert an organization if the code is being altered. While it does not stop an attacker, it allows the organization to detect any changes and to establish whether they are unauthorized.
The ICO emphasized that data controllers should follow the principle of least privilege, which requires that any user, program, or process should have only the bare minimum privileges necessary to perform its function.
Cross-border processing
This decision is also interesting at the European level as the investigation was held on behalf of all EU authorities by the ICO as the lead supervisory authority under the GDPR. Therefore, all national Data Protection Authority within the EU approved the penalty and the action through the GDPR’s cooperation process.
Our advice:
Lexing Belgium has been active in the field of data protection for many years. If you are interested in our practices and would like to learn more about how we can assist with your GDPR compliance projects, please contact us.