The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for its data breach in 2018, which involved the personal and financial details of 400,000 customers. But victims won’t see a penny.
The ICO found the airline broke data protection law by processing a significant amount of personal data without adequate security measures.
ICO investigators found that BA should have identified and resolved these weaknesses with security measures that were available at the time.
Fines might deter firms from neglecting their cybersecurity again, but that’s little reassurance for victims who often go on to experience fraudulent activity.
Which? is calling on changes to the General Data Protection Regulation (GDPR) law to make it easier for consumers to seek compensation after a breach.
Data breach fines: how are they calculated and where does the money go?
Under GDPR, which came into force in 2018, the ICO can impose a maximum fine equivalent to €20m or 4% of a company’s global turnover, whichever is higher, for a data breach.
The ICO, however, is yet to issue one of these larger GDPR-era fines.
It did announce its intention to fine BA £183m last year for the 2018 breach, but the fine issued only amounts to £20m. It also announced its intention to fine Marriott just under £100m after the hotel chain lost 339 million guest records, but this fine is yet to be finalised and issued.
The ICO determines a fine by looking at the scale of the breach and how long the organisation took to report it.
The fines go to the UK Treasury, rather than to affected consumers.
- Find out more: your rights after a data breach
‘The government should provide a much clearer route to redress’
A Which? survey of 1,369 members in July 2020 found that 23% of people have had their data compromised following a cyberattack on a company or organisation.
And 46% of those members later experienced fraudulent activity.
Despite consumers’ exposure to fraud following a breach, it’s not easy to secure compensation for any financial loss or distress suffered after an attack.
Under the current system, consumers have to bring court claims themselves and it can be difficult to prove distress was caused by a specific breach.
Which? believes that consumers should have easy access to effective redress and is calling on the government to implement Article 80(2) GDPR.
This would allow not-for-profit organisations such as Which? to bring collective redress actions on behalf of people on an ‘opt-out’ basis without those consumers each having to bring an individual case against the company involved.
Kate Bevan, Which? Computing editor, said: ‘It’s good to see the Information Commissioner sending a clear message to companies that it’s unacceptable to play fast and loose with people’s personal data. However, our research suggests British Airways still has serious vulnerabilities on its websites that are leaving customers potentially exposed to opportunistic cybercriminals.
‘Some customers will also be frustrated where they’ve suffered financially and emotionally from this data breach and had no redress. The government should provide a much clearer route by allowing for an opt-out collective redress regime that deals with mass data breaches.’
How to protect yourself and your data
Whether we’re booking a holiday or shopping online, we hand over our data to companies on a weekly (or even daily) basis.
Here are some tips on how to protect yourself and your data from a cyberattack:
- Passwords Always set strong passwords for your accounts and use a different password/email combination for every account.
- Password manager Many services now alert you if your passwords have been compromised. As services such as LastPass and Dashlane can be used for free, there’s no reason not to use a password manager.
- Two factor/multi-factor authentication (2FA/MFA) 2FA/MFA is worth activating to increase security if it’s available, particularly if your account holds your financial information.
- Be wary of fraudulent texts, calls and emails Always be cautious if a company requests personal or sensitive information from you, particularly after a breach. Report anything suspicious to Action Fraud.
- Sign up to Cifas protective registration If you do fall victim to a breach, Cifas’ service (£25 for two years) means banks and financial companies will take extra steps if they see your details being used to apply for products and services.
- Read more: how data breaches lead to fraud