Businesses that handle personal data but fail to take appropriate steps to guard against cyber attacks expose themselves to grave financial and reputational damage. That was certainly so in the case of an international airline whose flawed systems compromised the security of millions of its clients.
The airline collected the personal data of all its passengers, including their passport numbers, names, contact details, dates of birth and nationalities. After one of its databases came under brute force attack, an investigation revealed that it had been targeted by two separate groups of hackers and that its systems had been vulnerable to unauthorised entry for over three and a half years.
A total of about 9.4 million data subjects were affected by the breach. Although there had been no confirmed misuse of the hacked data, 12,000 complaints had been received. Phishing attacks against the airline's clients were likely to succeed because the stolen confidential information could be used to make fraudulent messages appear legitimate. Following the incident, the airline reported itself to the Information Commissioner's Office (ICO).
Ruling on the matter, an ICO case officer identified numerous weaknesses in the airline's systems. Amongst other things, database backups were not encrypted, an internet-facing server was accessible due to a known and publicised vulnerability, and multi-factor authentication was not required to access the network. Anti-virus protection was inadequate and personal data was retained for excessively long periods.
The officer found that the airline's breaches of data protection rules were serious and, whilst not deliberate, arose from negligence. It had neither followed its own security policies nor implemented measures which it knew to be necessary. Data subjects were likely to have suffered substantial distress.
The airline had acted promptly and forthrightly after it became aware of the data breach and had gone above and beyond its legal obligations in issuing information to data subjects and cooperating with the ICO investigation. However, the officer noted that such steps were to be expected of such a large and well-resourced business.
Given the scale and duration of the breaches, the officer found that a £500,000 fine – the maximum monetary penalty available under Section 55A of the Data Protection Act 1998 – was reasonable and proportionate.