The ICO has issued a notice of its intention to fine British Airways £183.39m for infringements of new Data Protection laws. This follows an investigation by the ICO into a cyber incident involving the personal data of 500,000 customers. The incident involved British Airways website users being directed to a fraudulent site which collected login, payment card and travel booking details, as well as names and addresses.
British Airways initially reported that the incident, which was believed to have begun in June 2018, included credit card numbers, expiry dates and the three-digit CVV code found on the back of the card.
This suggests that the data was captured at the point of entry, since stored cardholder data should be protected and CVV data is not permitted to be stored at all. Card verification values (CVV) are considered sensitive authentication data (SAD), which, in accordance with PCI DSS Requirement 3.2, must not be stored after authorisation.
The ICO has made it very clear that if you are processing payment card data you are obliged to comply with PCI DSS, and that if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place the measures that PCI DSS requires – particularly if the breach related to a lack of a particular control or process mandated by the standard.
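As an added example (not code from British Airways, the ICO or the PCI Council), here is the Requirement 3.2 control from the previous paragraphs in Python: a post-authorisation sanitiser that keeps only what may be persisted, and an audit that scans stored records or log lines for SAD and unmasked PANs. The field names, regexes and sample transaction are constructed assumptions.

```python
import re

# Field names treated as sensitive authentication data (SAD) in this example;
# PCI DSS Requirement 3.2: none of these may persist after authorisation.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits of the PAN."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def sanitise_for_storage(txn: dict) -> dict:
    """Return the subset of an authorised transaction that may be written to a
    database or log: SAD fields dropped, PAN masked. Call only after the
    authorisation response has been received and the SAD is no longer needed."""
    stored = {k: v for k, v in txn.items() if k.lower() not in SAD_FIELDS}
    if "pan" in stored:
        stored["pan"] = mask_pan(stored["pan"])
    return stored

def luhn_ok(digits: str) -> bool:
    """Luhn check, used to cut false positives when hunting for stored PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# A labelled 3- or 4-digit verification value, e.g. "cvv=123".
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\b\s*[:=]\s*\d{3,4}\b", re.I)

def audit_record(text: str) -> list:
    """Scan a stored record or log line for data that must not be there."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append("unmasked PAN ending " + digits[-4:])
    if CVV_RE.search(text):
        findings.append("CVV/CVC value present")
    return findings

if __name__ == "__main__":
    # Constructed sample transaction using a well-known test card number.
    txn = {"pan": "4111 1111 1111 1111", "expiry": "12/25", "cvv": "123",
           "auth_code": "A1B2C3", "amount": "120.00"}
    print(sanitise_for_storage(txn))
    print(audit_record("2018-06-21 auth ok pan=4111111111111111 cvv=123"))
```

Running the audit over application logs and database exports is a cheap way to confirm that SAD has not leaked into storage through debug logging or a careless ORM.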
Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
This is the largest fine levied under the new data protection rules and equates to 1.5% of global turnover for BA in 2017.