Record Proposed Fine Announced for BA Following 2018 Data Breach

The Information Commissioner’s Office (ICO) has today issued a notice of its intention to fine British Airways £183.39M for infringements of GDPR.  The proposed record-breaking fine relates to a well-publicised cyber incident in 2018, wherein user traffic to the British Airways website was diverted to a fraudulent site.  Personal data of approximately 500,000 customers were affected by the incident: the ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.  Although the headline figure is eye-watering, it still only represents a fraction of the maximum 4% of global revenue allowable under GDPR.

Meanwhile, we reported recently on the ransomware attack on Eurofins Forensic Services at the start of June which not only had devastating consequences for the firm itself; but has also impacted on the UK criminal justice system.  The company, which handles 50% of Police forensic work in the UK, now reports that operations are returning to normal.  However, the BBC and other media are reporting that a ransom was paid by the company to restore access to their data.  Needless to say, Eurofins was not prepared to comment on this.  Interestingly, a recent report by Forrester Research found that many firms are paying ransoms; indeed it states that paying a ransom can ‘be a valid recovery option based on business need and circumstances’!