The ICO’s first public demonstration of power and its reverberations through the business community

The Information Commissioner's Office (ICO) has announced its intention to fine British Airways (BA) a record £183.4 million under the GDPR, following a well-publicised Magecart attack on the airline's website last year.

If it stands, the fine will be the largest handed down by the ICO and would amount to around 1.5% of the airline’s global turnover based on its 2017 figures. That is despite the ICO having publicly stated that the airline “cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light”, and despite BA having publicly stated that it has found no evidence of fraud on the accounts linked to the attack.

This is the ICO’s first public demonstration of its powers under the GDPR, and the decision will reverberate across the EU.

What happened?

This was a payment card skimming attack, designed to harvest customer payment card details for later use in fraud. The attackers injected malicious JavaScript into BA’s website; that script captured the card details as customers typed them into the payment form and quietly sent a copy to a server under the attackers’ control. In the industry, this type of attack is called a “Magecart” attack, after the criminal groups that made it notorious.

Unfortunately, this is a type of attack we are seeing all too often. Magecart attacks are hitting all types of e-commerce providers, from multinational corporations to small independent retailers, and they are big business. Put aside visions of teenagers in hoodies: this is sophisticated, serious organised crime.

What does the ICO’s decision mean for everyone else?

The key question here for the business community is whether the ICO’s decision stands as a precedent for all e-commerce businesses that are hit by payment card skimming attacks.

It is important to remember that BA is subject to a heightened level of scrutiny because air transport is classed as an “essential service” under the Network and Information Systems Regulations 2018. Those regulations impose more robust cybersecurity requirements on operators of essential services, on the basis that disruption to such services could cause significant economic and social damage as well as limiting the rights and freedoms of individuals.

How, then, will the ICO react to notifications from other e-commerce providers that have also fallen victim to Magecart-type attacks? Our experience to date suggests that the ICO is willing to close off Magecart breach notifications that affect smaller retailers without taking enforcement action. It is possible, however, that the BA decision will be seen as a line in the sand and a precedent for future notifications.

That will be a particularly unpalatable thought for SMEs, which are just as exposed to Magecart attacks but do not have the budget for top-end IT security.

Are there any unintended consequences?

The magnitude of the proposed fine may discourage other data controllers from notifying the ICO if and when they suffer a breach. In other words, data controllers may now be more tempted to brush breaches “under the carpet” in the hope of avoiding a substantial fine.

That, however, is a dangerous tactic. The notification obligations under the GDPR are crystal clear (a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the controller becoming aware of it), and the ICO has previously warned that it will come down hardest on enterprises that seek to deceive it or tell half-truths.

We should have greater clarity once the ICO formalises its decision and releases its findings. Until then, e-commerce providers face a nervous wait.