Menu

Filter by
content
PONT Data&Privacy
  • PONT home
    • mill

    0

    Data breach
    Een datalek is een inbreuk die plaatsvindt op de beveiliging van persoonsgegevens binnen een organisatie. Hierbij is bijvoorbeeld sprake van ongeoorloofde toegang, vernietiging of verandering van persoonsgegevens.

    British Airways gets £20M instead of £183M fine, among other reasons because of Covid-19

    The UK regulator Information Commissioner's Office (ICO) has fined British Airways (BA) £20 million for a major data breach from 2018.(1) As recently as July 2019, the ICO announced that a fine of £183 million would be imposed. Now, upon the actual imposition of the fine, the fine amount comes to £20M partly because of the economic impact of COVID-19 on BA's operations.

    Rosalie Brand

    October 19, 2020

    Article

    The incident in question involved a violation of the General Data Protection Regulation (GDPR) in that the security of BA's customer data was (far) below par. This subsequently led to a cyber attack on BA's systems in 2018, in which the data of more than 400,000 customers was compromised. The affected data included credit card data, often in combination with the CVV code.

    In addition, BA did not itself notice the cyber attack, which occurred on June 22, 2018. Only on Sept. 5, after being alerted to the data breach by a third party, did BA take action. Of concern is BA's apparent inability at the time to detect the weakness and a subsequent misuse thereof. The ICO rightly questions how long it would have taken BA itself to detect the cyber-attack, if it detected it at all.

    The ICO further charges BA seriously that the state of the art at the time of the cyber-attack was such that the weakness in BA's security was unnecessary. Had BA employed a level of security common at the time, it could have prevented the successful cyber-attack in 2018 in a relatively simple manner.

    Incidentally, after BA did become aware of the weakness in its system and the cyber-attack, it acted energetically and correctly by reporting the incident to the ICO and making significant improvements to its IT security. That, along with the additional information provided by BA and the tough times the airline has faced since then due to COVID-19, led to the significantly reduced fine ultimately imposed by the ICO.

    Footnotes

    (1) https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400-000-customers/

    More articles by Kennedy Van der Laan

    Kennedy Van der Laan

    Share article

    Comments

    MORE REACTIONS

    Leave a comment

    You must be logged in to post a comment.

    ARTICLES

    Lisa van Ginneken (D66): "Involve Personal Data Authority earlier in legislation"

    Background articles

    The mega fine for Meta, what's in it for us?

    Background articlesEXPERT

    Interview on five years of AVG: barking privacy watchdogs don't bite

    Background articlesEXPERT

    Is an app builder a data controller and is intent required for an AVG fine?

    Legal ArticlesEXPERT

    During the corona crisis, corona apps shot up like mushrooms. These corona apps allowed users to be notified when they were (potentially) in contact with...

    5 years of AVG - Data Protection Officer & Privacy Officer indispensable

    Background articlesEXPERT
    Micha Groeneveld

    Data breaches: is your organization well prepared?

    Background articles

    AP fine for Social Insurance Bank: importance of 'risk-based' security level

    Legal Articles

    European Parliament committee not enthusiastic about new transatlantic privacy shield

    Legal ArticlesEXPERT

    Avg and international transfer: what does it mean for your organization?

    Legal ArticlesEXPERT
    Corine d'Hulst

    KENNISPARTNER

    Rosalie Brand

    Contact

    Privacy in the workplace in-depth course.

    Ensuring privacy in the workplace has become a complex challenge. Employers have increasing opportunities to collect and use employee personal data. Often to increase efficiency but in some cases decisions can be made that have major implications for data subjects. In this course, based in part on current case law, the do's and dont's regarding privacy in the workplace will be discussed. Can you fire an employee in the event of a data breach? And what do you do if an employee has recorded conversations in connection with a labor dispute? When does the employer's interest outweigh an employee's privacy rights? How do you deal with AI in job application procedures?

    Learn more

    Privacy policies in practice: implement, maintain, persuade

    In one day, you'll learn how to roll out a privacy policy and go home with a practical roadmap for doing it yourself. Do you already have a privacy policy in place? You'll also learn if you have all the elements of your privacy policy in place.

    Learn more

    The AVG and public sector basic records

    Upon completion of this course you will have an understanding of the system of basic registrations, you will know its application in the primary processes of your organizations and you will be able to advise your organization on this mandatory data exchange, both at the case level and in bulk processing and new ict applications.

    Learn more

    Undermining and Processing of Personal Data.

    This course discusses the legal framework for data processing when dealing with undermining. It discusses how to determine which processing of personal data is and is not permitted and why. In particular, the sharing of personal data within and outside one's own organization will be discussed, as well as the requirements for processing personal data. After this course you will be fully aware of the main issues, recent experience and case law and you will be able to identify problems in this area in practice.

    Learn more

    Privacy AVG checklist: privacy policies in 57 checklists

    View book

    Join PONT | Data & Privacy

  • Access to Knowledge Base
  • Read e-books
  • Contact with peers
  • Own news overview
    • BECOME A MEMBER

    General

    Service

    Navigate

    Berghauser Pont Media Group

    CONTACT

    𝕏

    Copyright 2025 Berghauser Pont | Website created by Buro Zero