ICO finally bares its teeth

Written by Joseph Poppy on 08/07/2019

Record breaking fine

Cyber security may be about to become more than AOB for organisational boards across the country. British Airways has been hit with a record-breaking £183 million fine (announced by the ICO as a notice of intent) as a result of its data breach last year, in which around 500,000 customers had their data stolen, including credit card numbers and CVV codes. This is perhaps the first example of the ICO really flexing its fining muscles post-GDPR, which allows for a maximum fine of up to €20 million or 4% of annual global turnover (whichever is greater) for non-compliance.

We spoke briefly about BA’s data breach when it happened. The crux of our article was that compliance does not equate to security, and our stance has not changed. Whether it’s PCI DSS, ISO 27001 or Cyber Essentials, compliance isn’t a magic shield that wards off hackers. Of course, these frameworks help, but businesses need to be continually reviewing and testing their security strategy throughout the year regardless. If they don’t, they’ll get breached no matter how many signed certificates they have.


Why the large fine?

Contrary to what you might think, regulatory bodies don’t tend to go for the scarily large numbers just because they can. BA’s £183 million might seem a touch steep if you compare it to Facebook’s relatively paltry fine of £500,000 for its role in the Cambridge Analytica scandal. Considering the social media giant racked up $40 billion in revenue in 2017, they probably didn’t notice a casual half a million slip away to the ICO. However, it’s worth noting that this case had to be reviewed under the Data Protection Act 1998, not GDPR. £500,000 was the maximum fine available back then, in the careless heyday of a pre-GDPR world. Had the whole thing occurred just a short while later, things could have been a lot worse for Zuckerberg and crew.

The BA data breach occurred after that fateful day of May 25th 2018 and, therefore, was subject to the full wrath the legislation allowed. It should be noted that the airline plans to dispute the decision, which is legal speak for spluttering “how much?” However, the ICO has been quoted as saying British Airways had “poor security arrangements” where customer information was concerned. Seeing as customers were unwittingly being diverted to a fraudulent website, it seems hard to argue with this statement. Best practices were probably not being followed.

Whilst BA has cooperated fully with the ICO, it was still responsible for the protection of its customers’ personal data. If there were indeed “poor security arrangements” in place, then it did not take this responsibility seriously enough. Article 32 of GDPR stipulates that “appropriate technical and organisational measures” should be in place to ensure the security of personal data. At this point in time, it doesn’t seem like this was the case for BA. That is one possible reason for the large fine.


Look at the positives

Whilst it may be difficult for BA to see the positives in this, there are some to be seen from a cyber security perspective. If there’s one thing the higher-ups at companies hate, it’s losing money. The more zeroes on a loss, the more they hate it. It could well be that the ICO has imposed such a large fine to wake businesses up to the severity of the situation. They have a duty to protect their customers’ data and, if they fail in this duty, there’ll be more than just reputational damage to consider.

I can see various suited board members across the country – perhaps even the world – leaning forward and taking note. This note will be ‘get better at cyber security’. It will be in capital letters and underlined twice.

An example has been made and if companies don’t react, they’ll suffer a similar fate. Ripples may already be in motion. Cyber security will rapidly move up the agenda for all businesses, regardless of the size, and customers will benefit from knowing their data is in safe hands.

As Bulletproof MD Oliver Pinson-Roxburgh states, “businesses need to get cyber security right, and it’s not necessarily that costly a process, especially when you consider the potential cost of a breach. Regulatory fines are just one aspect; there’s the cost of mitigation, the potential loss of customers and reputational damages to consider.”


There's no going back

GDPR is here to stay, and organisations will have to take their responsibility for customer data seriously. This means having the right technology and management processes in place to ensure security is as tight as it can be. The fine levied at British Airways may well encourage others to get it right before it’s too late. Penetration tests, effective log monitoring, active threat hunting and proper training are all integral to a strong security strategy and will help your organisation avoid these hefty fines.
